
PUA.MalwareBot

Updated: June 24, 2015 9:49:13 AM
Type: Potentially Unwanted App
Name: MalwareBot
Version: 1.5.348.848
Publisher: www.malwarebot.com
Risk Impact: Medium
Systems Affected: Windows
Behavior
This program can be manually downloaded and installed from the following location:
www.malwarebot.com

The program falsely reports legitimate network applications on the computer as threats.

The user is then prompted to pay for a full license of the application in order to remove these supposed threats.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\MalwareBot\Log\[Year-Month-Date_Time].log
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\All Users\Desktop\MalwareBot.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\MalwareBot\MalwareBot on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\MalwareBot\MalwareBot.lnk
  • %ProgramFiles%\MalwareBot\DataBase.ref
  • %ProgramFiles%\MalwareBot\MalwareBot.exe
  • %ProgramFiles%\MalwareBot\MalwareBot.url
  • %ProgramFiles%\MalwareBot\vistaCPtasks.xml
  • %Windir%\Installer\[RANDOM CHARACTERS].msi
  • %Windir%\Installer\{858FDF24-D690-4203-BDA1-79FFAA0B6D3B}\Icon.exe
  • %Windir%\Tasks\MalwareBot Scheduled Scan.job

Next, the program creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\MalwareBot
  • HKEY_CLASSES_ROOT\CLSID\{C5D60FD5-9CCB-403c-9ED7-A5E1676C38CE}
  • HKEY_CLASSES_ROOT\Installer\Features\42FDF858096D3024DB1A97FFAAB0D6B3
  • HKEY_CLASSES_ROOT\Installer\Products\42FDF858096D3024DB1A97FFAAB0D6B3
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8BF9CD9F316AF4348A9E5930114224AF
  • HKEY_LOCAL_MACHINE\SOFTWARE\MalwareBot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledUninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{C5D60FD5-9CCB-403c-9ED7-A5E1676C38CE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DisabledBHO
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{858FDF24-D690-4203-BDA1-79FFAA0B6D3B}
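
The product code appears above in two spellings: the standard GUID {858FDF24-D690-4203-BDA1-79FFAA0B6D3B} under the Uninstall key and the %Windir%\Installer directory, and the Windows Installer "packed" form 42FDF858096D3024DB1A97FFAAB0D6B3 under HKEY_CLASSES_ROOT\Installer\Products and \Features. Windows Installer packs a GUID by reversing the first three groups as whole strings and swapping the two hex digits of every remaining byte. The following script is an added example, not Symantec's or the publisher's code, that converts between the two forms and confirms the Uninstall entry and the Installer\Products key listed on this page refer to the same MSI product; the two registry paths are taken from this write-up, and the function names are the author's own.

```python
"""Convert Windows Installer packed GUIDs to standard GUIDs and back.

Added example for the PUA.MalwareBot write-up. The two registry paths
below are copied from the write-up; function names are illustrative.
"""
import re
import uuid

# Taken from the write-up's registry list.
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Uninstall\{858FDF24-D690-4203-BDA1-79FFAA0B6D3B}")
PRODUCTS_KEY = r"HKEY_CLASSES_ROOT\Installer\Products\42FDF858096D3024DB1A97FFAAB0D6B3"


def _swap_nibbles(hex16: str) -> str:
    """Swap the two hex digits of each byte in a 16-digit hex string."""
    return "".join(hex16[i + 1] + hex16[i] for i in range(0, len(hex16), 2))


def pack_guid(guid: str) -> str:
    """Standard GUID (braces/dashes optional) -> 32-digit Installer packed form.

    Layout: groups of 8, 4 and 4 digits are reversed whole; the remaining
    16 digits (groups 4 and 5) are byte-wise nibble-swapped.
    """
    hexs = uuid.UUID(guid).hex.upper()          # strips braces and dashes
    packed = hexs[0:8][::-1] + hexs[8:12][::-1] + hexs[12:16][::-1]
    return packed + _swap_nibbles(hexs[16:])


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid; returns the registry-style {XXXXXXXX-XXXX-...} form."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("packed GUID must be exactly 32 hex digits")
    p = packed.upper()
    tail = _swap_nibbles(p[16:])                # undo the byte-wise swap
    parts = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1], tail[:4], tail[4:]]
    return "{" + "-".join(parts) + "}"


def same_product(uninstall_key: str, products_key: str) -> bool:
    """True when an Uninstall GUID and an Installer\\Products packed code match."""
    guid = uninstall_key.rsplit("\\", 1)[1]     # last path component is the GUID
    packed = products_key.rsplit("\\", 1)[1]    # last path component is packed
    return pack_guid(guid) == packed.upper()


if __name__ == "__main__":
    print(pack_guid("{858FDF24-D690-4203-BDA1-79FFAA0B6D3B}"))
    print(unpack_guid("42FDF858096D3024DB1A97FFAAB0D6B3"))
    print("same product:", same_product(UNINSTALL_KEY, PRODUCTS_KEY))
```

The same conversion applied to the UpgradeCodes entry recovers the product's upgrade code, so a responder hunting for variants can pivot from any one of the three GUID spellings to the others.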