Home / malware OpenCloud Antivirus
First posted on 06 September 2011.
Source: SecurityHomeAliases :
OpenCloud Antivirus is also known as Rogue:Win32/FakeScanti (other), Win32/FakeScanti (other).
Explanation :
OpenCloud Antivirus is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then informs the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.
Top
OpenCloud Antivirus is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then informs the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.
Installation
This trojan drops the following files:
- %AppData%\OpenCloud Antivirus\OpenCloud Antivirus.exe - copy of itself
- %AppData%\OpenCloud Antivirus\wf.conf - contains status information
- %AppData%\OpenCloud Antivirus\OpenCloud Antivirus.ico - an icon file
- <start menu>\OpenCloud Antivirus\OpenCloud Antivirus.lnk - shortcut file to the main executable
- <Desktop folder>\OpenCloud Antivirus.lnk
Note: <Start Menu> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.
The shortcut link may look like the following:
Rogue:Win32/FakeScanti may be installed by a downloader component, which installs itself by copying itself to %AppData%\OpenCloud Antivirus\csrss.exe and %startup%\csrss.exe. This second copy is an attempt to ensure that the installer runs upon system startup.
It then downloads a copy of the fake scanner from a location such as wwwpingarchive.com, saves it to the %TEMP% directory, then launches it. This component monitors whether the fake scanner is still running or present on the computer, and may relaunch it, or download a new copy if required.
Payload
Downloads and executes arbitrary files
This trojan may connect to websites such as the following:
- system-reports.com
- s-internals.com
- secure-validation.com
- cc-chargeonline.com
- ccbill-online.com
- xmlstatreports.com
It may download an additional BHO component from these sites, which may also be detected as Rogue:Win32/FakeScanti. The downloaded file may be saved as the following:
- %AppData%\OpenCloud Antivirus\sysl32.dll
It may also download other files. In the wild, one known downloaded file is detected as Backdoor:Win32/Cycbot.B. The downloaded file is saved as a file in the Windows Temporary Files folder with a random file name.
The malware may also report the computer's details, such as operating system version and antivirus product to a remote server (the same remote server it downloads the BHO component from).
Terminates processes
This trojan monitors running processes and attempts to terminate any process unless its file name contains one of the following substrings:
- *.tmp
- csrss.exe
- DllHost.exe
- IEUser.exe
- iexplore.exe
- mst.exe
- SearchProtocolHost.exe
- server.exe
- spooler.exe
- un_inst.exe
- winlogon.exe
It displays a system tray popup similar to the following:
Note that the downloaded malware is not terminated, as its file name has a .tmp extension.
Terminates and/or uninstalls security software
It may attempt to terminate and/or uninstall security software from the following companies:
- Microsoft (Windows Defender and Security Essentials)
- Norton
- Avira
- AVG
- E-Set
- DrWeb
- Kaspersky
- Bitdefender
- McAfee
Displays fake antivirus scanner
When run, the trojan performs a fake scan of the system, and falsely claims that a number of files in the computer are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program and perform the cleaning process.
It displays various windows, system tray popups, and error messages in an attempt to convince the user that their system is infected, and that they should pay to register the fake software. In some cases it greys out the background in an attempt to simulate a UAC message.
It may also simulate a system crash by displaying error messages such as the following:
The following is a fake splash-screen displayed by OpenCloud Antivirus in an attempt to simulate a reboot:
Restarts the computer
This trojan occasionally restarts the computer. This may be an attempt to convince the user that the computer is infected with malware.
Blocks access to websites
This trojan may display the following error message in Internet Explorer and randomly block access to websites that the user is attempting to visit. This dialog is displayed to convince the user that the site they are visiting is malicious and that they need to take a recommended action of the attacker's choice in order to be protected:
Analysis by David Wood
Last update 06 September 2011