
Program:Win32/Cleaner2009


First posted on 09 February 2009.
Source: SecurityHome

Aliases:

Program:Win32/Cleaner2009 is also known as Cleaner2009 (Symantec) and Win32/FakeAV.SN (CA).

Explanation:

Program:Win32/Cleaner2009 is a rogue security protection program that may display false and misleading alerts regarding malware to entice users to purchase rogue security software.

Symptoms

System Changes
The following system changes may indicate the presence of Program:Win32/Cleaner2009:

  • The presence of the following folders:
    %Program Files%\Cleaner2009 Freeware
    %USERPROFILE%\Start Menu\Programs\Cleaner2009 Freeware
  • The presence of the following registry entry:
    Added value: "Cleaner2009 Freeware"
    With data: "C:\Program Files\Cleaner2009 Freeware\UCLN.exe"
    To key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • The presence of the following registry keys:
    HKCR\AppID\iercpt.DLL
    HKCR\AppID\{3A9377A6-BE7F-485D-908C-D44114691389}
    HKCR\CLSID\{D4CDC21D-43BE-4101-A1EF-E379F134771E}
    HKCR\Interface\{59C345BA-3D5E-44E3-9D10-D3848AF15D73}
    HKCR\TypeLib\{A6FBD2E4-1C7E-4EAB-80DD-01DE2645566A}
    HKCR\iercpt.iercptbho.1
    HKCR\iercpt.iercptbho
    HKLM\SOFTWARE\Cleaner2009 Freeware
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4CDC21D-43BE-4101-A1EF-E379F134771E}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuickInstallPack
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCLN_install_is1
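
The system changes listed above can be checked with a read-only script. This is an added example, not part of the original write-up: it assumes %Program Files% maps to $env:ProgramFiles and reaches HKCR and HKLM through the Registry:: provider, and the variable names are illustrative.

```powershell
# Added example: read-only check for the Program:Win32/Cleaner2009 indicators on this page.
# Folder, key and value names come from the page; variable names are illustrative.
$folders = @(
    (Join-Path $env:ProgramFiles 'Cleaner2009 Freeware'),
    (Join-Path $env:USERPROFILE  'Start Menu\Programs\Cleaner2009 Freeware')
)
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
$cv   = "$hklm\Microsoft\Windows\CurrentVersion"
$keys = @(
    "$hkcr\AppID\iercpt.DLL",
    "$hkcr\AppID\{3A9377A6-BE7F-485D-908C-D44114691389}",
    "$hkcr\CLSID\{D4CDC21D-43BE-4101-A1EF-E379F134771E}",
    "$hkcr\Interface\{59C345BA-3D5E-44E3-9D10-D3848AF15D73}",
    "$hkcr\TypeLib\{A6FBD2E4-1C7E-4EAB-80DD-01DE2645566A}",
    "$hkcr\iercpt.iercptbho.1",
    "$hkcr\iercpt.iercptbho",
    "$hklm\Cleaner2009 Freeware",
    "$cv\Explorer\Browser Helper Objects\{D4CDC21D-43BE-4101-A1EF-E379F134771E}",
    "$cv\Uninstall\QuickInstallPack",
    "$cv\Uninstall\UCLN_install_is1"
)

$results = @()
foreach ($p in $folders) {
    $results += [pscustomobject]@{ Type = 'Folder'; Indicator = $p
                                   Present = (Test-Path -LiteralPath $p); Data = $null }
}
foreach ($k in $keys) {
    $results += [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $k
                                   Present = (Test-Path -LiteralPath $k); Data = $null }
}

# Autostart entry: the page lists a Run value named "Cleaner2009 Freeware" pointing at UCLN.exe.
$valueName = 'Cleaner2009 Freeware'
$run = Get-ItemProperty -LiteralPath "$cv\Run" -Name $valueName -ErrorAction SilentlyContinue
$runData = if ($run) { $run.$valueName } else { $null }
$results += [pscustomobject]@{ Type = 'RunValue'; Indicator = "$cv\Run [$valueName]"
                               Present = ($null -ne $runData); Data = $runData }

# Report every indicator, then a one-line summary of how many were found.
$results | Format-Table Type, Present, Indicator, Data -AutoSize -Wrap
$hits = @($results | Where-Object { $_.Present }).Count
Write-Output ("{0} of {1} indicators present" -f $hits, $results.Count)
```

On 64-bit Windows, run it from the 32-bit PowerShell host as well, because 32-bit software is redirected to Program Files (x86) and the WOW6432Node registry view.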


Program:Win32/Cleaner2009 is a rogue security protection program that may display false and misleading alerts on malware to entice users to purchase fake security software.

Installation
Program:Win32/Cleaner2009 may be downloaded onto the system from the website "cleaner2009pro.com", either by the user or automatically by malware. When installing, the user may observe the following interface:

Upon installation, it creates the following folders, which contain all of the program's files:
    %Program Files%\Cleaner2009 Freeware
    %USERPROFILE%\Start Menu\Programs\Cleaner2009 Freeware

It modifies the system registry so that it automatically runs every time Windows starts:
    Adds value: "Cleaner2009 Freeware"
    With data: "C:\Program Files\Cleaner2009 Freeware\UCLN.exe"
    To key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

As part of its installation routine, it also creates the following subkeys:
    HKCR\AppID\iercpt.DLL
    HKCR\AppID\{3A9377A6-BE7F-485D-908C-D44114691389}
    HKCR\CLSID\{D4CDC21D-43BE-4101-A1EF-E379F134771E}
    HKCR\Interface\{59C345BA-3D5E-44E3-9D10-D3848AF15D73}
    HKCR\TypeLib\{A6FBD2E4-1C7E-4EAB-80DD-01DE2645566A}
    HKCR\iercpt.iercptbho.1
    HKCR\iercpt.iercptbho
    HKLM\SOFTWARE\Cleaner2009 Freeware
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4CDC21D-43BE-4101-A1EF-E379F134771E}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuickInstallPack
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCLN_install_is1

It creates an application shortcut called "Cleaner2009 Freeware.lnk" on the desktop.

When run, the Cleaner 2009 interface appears as follows:

Additional information
Program:Win32/Cleaner2009 reports false or exaggerated system security threats on the computer. The user is then prompted to purchase a "full version" of this fake security software.

    Analysis by Wei Li

    Last update 09 February 2009

     
