Fake App Attack: ErrClean Executable Download

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects the executable download and installation activity of the misleading application ErrClean.

Additional Information

ErrClean is a misleading application that reports errors on the computer that do not exist.

When the program is executed, it creates the following folder:
%UserProfile%\Application Data\errclean

Next, the program creates the following files:

* %UserProfile%\Desktop\ErrClean.lnk
* C:\Documents and Settings\All Users\Application Data\errclean\Data\em
* C:\Documents and Settings\All Users\Application Data\errclean\Data\oid
* C:\Documents and Settings\All Users\Application Data\errclean\Data\user
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean\Contact Customer Service.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean\ErrClean.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean\Uninstall ErrClean.lnk
* %ProgramFiles%\ErrClean\SysRep.exe
* %ProgramFiles%\ErrClean\ugescw.exe
* %ProgramFiles%\ErrClean\License.rtf
* %ProgramFiles%\ErrClean\Readme.rtf
* %ProgramFiles%\ErrClean\Res\Main.ico
* %ProgramFiles%\ErrClean\Res\RecycleBin.ico
* %ProgramFiles%\ErrClean\rm.url
* %ProgramFiles%\ErrClean\sr.log
* %ProgramFiles%\ErrClean\swupd.log
* %ProgramFiles%\ErrClean\SysRep.exe.cer
* %ProgramFiles%\ErrClean\SysRep.exe.Log
* %ProgramFiles%\ErrClean\SysRep.exe.xml
* %ProgramFiles%\ErrClean\SysRep.url
* %ProgramFiles%\ErrClean\unins000.dat
* %ProgramFiles%\ErrClean\urls.ini
* %ProgramFiles%\ErrClean\unins000.exe
* %ProgramFiles%\ErrClean\transpaid.exe
* %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\setup.exe
* %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\settings.ini
* %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\setup.len

It also creates the following clean files:

* %ProgramFiles%\ErrClean\atl71.dll
* %ProgramFiles%\ErrClean\mfc71.dll
* %ProgramFiles%\ErrClean\msvcp71.dll
* %ProgramFiles%\ErrClean\msvcr71.dll

The program then creates the following registry entries so that it executes whenever Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ErrClean" = "C:\Program Files\ErrClean\SysRep.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ugescw" = ""C:\PROGRA~1\ErrClean\ugescw.exe" -start"

It also creates the following registry subkeys:

* HKEY_USERS\[ALL USERS]\Software\ErrClean
* HKEY_LOCAL_MACHINE\SOFTWARE\ErrClean
* HKEY_LOCAL_MACHINE\SOFTWARE\ugescw
* HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\System Error Repair
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GES_is1

Affected

  • Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
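As an added example for this page (it is not Symantec's code or tooling), the following PowerShell script sweeps a host for the file, folder and registry indicators listed above and, when run with -Remediate, stops the two autostart binaries and carries out step 4 by deleting the Run values and subkeys. The indicator paths come from the lists on this page; the %ProgramData% and %APPDATA% equivalents for Vista and later, the Program Files (x86) and WOW6432Node locations, and the script name Find-ErrClean.ps1 are assumptions added here.

```powershell
<#
Added triage script for the ErrClean indicators above. Example written for this
page, not Symantec's tooling and not part of the ErrClean sample. Read-only unless
-Remediate is passed. Run from an elevated PowerShell 5.1 (or later) session:
    .\Find-ErrClean.ps1            # report only
    .\Find-ErrClean.ps1 -Remediate # stop autostart binaries and delete hits
#>
[CmdletBinding()]
param([switch]$Remediate)

# File and folder indicators from the page. The page gives Windows XP paths
# (Documents and Settings); the ProgramData / APPDATA forms for Vista and later and
# the Program Files (x86) location are assumptions added here.
$fileIocs = @(
    "$env:ProgramFiles\ErrClean",
    "${env:ProgramFiles(x86)}\ErrClean",
    "$env:APPDATA\errclean",
    "$env:ProgramData\errclean",
    'C:\Documents and Settings\All Users\Application Data\errclean',
    'C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean',
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\ErrClean",
    "$env:USERPROFILE\Desktop\ErrClean.lnk"
) | Where-Object { $_ -notlike '\*' }   # drop entries whose env var was empty

# Autostart values and subkeys from the page. WOW6432Node is an assumption for 64-bit hosts.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runNames = 'ErrClean', 'ugescw'
$subkeys = @(
    'HKLM:\SOFTWARE\ErrClean',
    'HKLM:\SOFTWARE\ugescw',
    'HKLM:\SOFTWARE\Purchased Products\System Error Repair',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GES_is1'
)
# HKEY_USERS\[ALL USERS]\Software\ErrClean: expand over every loaded user hive.
$subkeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\ErrClean" }

$findings = @()
function New-Finding($Type, $Path, $Name, $Detail) {
    [pscustomobject]@{ Type = $Type; Path = $Path; Name = $Name; Detail = $Detail }
}

foreach ($p in $fileIocs) {
    if (Test-Path -LiteralPath $p) { $findings += New-Finding 'File' $p '' '' }
}
# Dropper remnants: %TEMP%\<random>\setup.len. setup.exe and settings.ini are too
# generic to match on, so the unusual .len file is the discriminator.
foreach ($d in (Get-ChildItem -LiteralPath $env:TEMP -Directory -ErrorAction SilentlyContinue)) {
    if (Test-Path -LiteralPath (Join-Path $d.FullName 'setup.len')) {
        $findings += New-Finding 'File' $d.FullName '' 'temp dir containing setup.len'
    }
}
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($n in $runNames) {
        # Report the value data rather than matching it exactly: the page shows the
        # ugescw entry using the 8.3 short path (C:\PROGRA~1\...), so the data varies.
        if ($null -ne $props.$n) { $findings += New-Finding 'RunValue' $k $n $props.$n }
    }
}
foreach ($k in $subkeys) {
    if (Test-Path $k) { $findings += New-Finding 'RegKey' $k '' '' }
}

if (-not $findings) { Write-Output 'No ErrClean indicators found.'; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Stop the two autostart binaries first so their files can be deleted.
    Get-Process -Name SysRep, ugescw -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($f in $findings) {
        switch ($f.Type) {
            'RunValue' { Remove-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction Continue }
            'RegKey'   { Remove-Item -Path $f.Path -Recurse -Force -ErrorAction Continue }
            'File'     { Remove-Item -LiteralPath $f.Path -Recurse -Force -ErrorAction Continue }
        }
    }
}
```

Run the report-only form first and review the table; the four Microsoft runtime DLLs (atl71, mfc71, msvcp71, msvcr71) are clean files and are only removed here because they sit inside the ErrClean program folder. Because the page lists both a per-user (%UserProfile%\Application Data\errclean) and an all-users (All Users\Application Data\errclean) folder, the script checks both, and it checks every loaded hive under HKEY_USERS rather than only the current user's.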