Home / malware Open Cloud AV
First posted on 02 November 2011.
Source: SecurityHomeAliases :
Open Cloud AV is also known as Rogue:Win32/FakeScanti (other), Win32/FakeScanti (other).
Explanation :
Open Cloud AV is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then informs the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.
Top
Open Cloud AV is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then informs the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.
Installation
Open Cloud AV copies itself to %system%/<eight or more random alphanumeric characters>.exe (for example, E0qaxGNpRBoE8E7.exe).
The trojan drops the following files:
- %AppData%\ldr.ini
- %AppData%\ <eight or more random alphanumeric characters>Open Cloud AV.ico(for example, %AppData%\J7ikWC6jA5hPtOrOpen Cloud AV.ico)
- %Programs%\Open Cloud AV\Open Cloud AV.lnk
- %desktopdirectory%\Open Cloud AV.lnk
The fake scanner may be downloaded from a location such as any of those listed in the Payload section, saved to the %TEMP% directory, then launched.
Open Cloud AV makes the following changes to the registry to ensure that its copy is executed at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: <eight or more random alphanumeric characters> (for example, VvUJ1sY0aTNp8234A)
With data: <path name of malware> (for example, %system%\E0qaxGNpRBoE8E7.exe)
Payload
Downloads and executes arbitrary files
This trojan may connect to websites such as the following:
- cc-chargeonline.com
- ccbill-online.com
- freshmediacontent.com
- ordersonlinenow.com
- ourbigbooklibrarry.com
- ourbigvideostore.com
- paybycardonline.com
- paybycardsonline.com
- photodatastore.com
- pickviewonline.com
- s-internals.com
- secure-validation.com
- system-reports.com
- xmlstatreports.com
It may download other files. The downloaded file is saved as a file in the Windows Temporary Files folder with a random file name.
The malware may also report the computer's details, such as operating system version and antivirus product to a remote server.
Terminates processes
This trojan monitors running processes and attempts to terminate any process unless its file name contains one of the following substrings:
- *.tmp
- csrss.exe
- DllHost.exe
- IEUser.exe
- iexplore.exe
- mst.exe
- SearchProtocolHost.exe
- server.exe
- spooler.exe
- un_inst.exe
- winlogon.exe
It displays a system tray popup similar to the following:
Note that the downloaded malware is not terminated, as its file name has a .tmp extension.
Terminates and/or uninstalls security software
It may attempt to terminate and/or uninstall security software from the following companies:
- Microsoft (Windows Defender and Security Essentials)
- Norton
- Avira
- AVG
- E-Set
- DrWeb
- Kaspersky
- Bitdefender
- McAfee
Displays fake antivirus scanner
When run, the trojan performs a fake scan of the system, and falsely claims that a number of files in the computer are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program and perform the cleaning process.
It displays various windows, system tray popups, and error messages in an attempt to convince the user that their system is infected, and that they should pay to register the fake software. In some cases it greys out the background in an attempt to simulate a UAC message.
It may also simulate a system crash by displaying error messages such as the following:
The following is a fake splash-screen displayed by OpenCloud Antivirus in an attempt to simulate a reboot:
Restarts the computer
This trojan occasionally restarts the computer. This may be an attempt to convince the user that the computer is infected with malware.
Blocks access to websites
This trojan may display the following error message in Internet Explorer and randomly block access to websites that the user is attempting to visit. This dialog is displayed to convince the user that the site they are visiting is malicious and that they need to take a recommended action of the attacker's choice in order to be protected:
Additional information
In the wild, we have observed computers infected with Open Cloud AV are also often affected by Backdoor:Win32/Cycbot.B.
Analysis by David Wood
Last update 02 November 2011