1. Symantec/
  2. Security Response/
  3. FakeCloudAV2012

FakeCloudAV2012

Updated:
January 13, 2012 2:23:05 AM
Type:
Misleading Application
Name:
CloudAV2102
Risk Impact:
Medium
Systems Affected:
Windows
Behavior
The program reports false or exaggerated system security threats on the computer.







The user is then prompted to pay for a full license of the application in order to remove the threats.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Local Settings\Application Data\[THREE RANDOM LETTERS].exe
  • %UserProfile%\Local Settings\Application Data\2e01oq0m46k223
  • %UserProfile%\Local Settings\Temp\[RANDOM FILE NAME]
  • %UserProfile%\Templates\[RANDOM FILE NAME]


Next, it creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "1"


It then modifies the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "0"


The program then deletes the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube