Advisories
Vulnerability Database
PoC
Viruses
Research Lab

RegClean2Sqr

10 january, 2008

RegClean2Sqr


Updated: January 7, 2008 4:35:46 PM
Type: Misleading Application
Name: RegClean
Version: 2.7
Publisher: 2Squared
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

SUMMARY

Behavior

RegClean2Sqr is a misleading application that may give exaggerated reports of errors on the computer.

Note: Virus definitions dated January 8th, 2008 or earlier may detect this application as RegClean.

Protection

  • Initial Rapid Release version January 7, 2008 revision 017
  • Latest Rapid Release version January 8, 2008 revision 006
  • Initial Daily Certified version January 7, 2008 revision 022
  • Latest Daily Certified version January 8, 2008 revision 022
  • Initial Weekly Certified release date January 9, 2008

TECHNICAL DETAILS

Behavior
The program must be manually installed.

The program reports false or exaggerated reports of errors on the computer.





The user is then prompted to pay for a full license of the application in order to remove the errors.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_02 PM_031.log
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_10 PM_843.log
  • %UserProfile%\Desktop\200defs_SR\2007-12-31_Downloader.MisleadApp_setupxv.exe.1.exe
  • %UserProfile%\Local Settings\Temp\symlcsv1.exe
  • C:\Documents and Settings\All Users\Desktop\RegClean.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean.lnk
  • %ProgramFiles%\RegClean\DataBase.ref
  • %ProgramFiles%\RegClean\Launcher.exe
  • %ProgramFiles%\RegClean\RegClean.exe
  • %ProgramFiles%\RegClean\RegClean.url
  • %ProgramFiles%\RegClean\RegCleaner.dll
  • %ProgramFiles%\RegClean\TCL.dll
  • %ProgramFiles%\RegClean\zlib.dll
  • %Windìr%\Installer\[RANDOM NAME].msi
  • %Windìr%\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\Icon.exe
  • %Windìr%\Tasks\RegClean Scheduled Scan.job


It may also create temporary files.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RegClean" = "%ProgramFiles%\RegClean\RegClean.exe"

The risk also creates the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\WINDOWS\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\" = ""

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\RegClean
  • HKEY_CLASSES_ROOT\Installer\Features\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\Products\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8E650C92721B8364BB774E25145C382A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6938AFF-30C4-409C-B667-3F6503750BB8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\350A43477F3E8D94EAB18377D1E7421D\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D1033F8162A79449B35709F1E31AF3B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6121E96C162F8C64BAF0CE846F8186E5\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78A0FBA817F2FC044AE7F3078863CC1B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8AE7DA13A8A50784EB8DB6C0C9CB5A00\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96561E3A346665E4AA79D997C23D33FB\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9F4D2600F2086F948BF0217B8EEAF075\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6EC329EDEB1E1F49A774B220E15682A\FFA8396D4C03C9046B76F3563057B08B

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance

Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthent ...

11 february, 2010

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Pla ...

18 december, 2009

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that co ...

23 november, 2009

MS10-017: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)

This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel.

09 march, 2010

MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)

This security update addresses a privately reported vulnerability in Windows Movie Maker and Microso ...

09 march, 2010

MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)

This security update resolves one publicly disclosed and one privately reported vulnerability in Mic ...

10 february, 2010

CVE-2010-0054

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving HTML IMG elements.

National Vulnerability Database 15 march, 2010

CVE-2010-0053

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the run-in Cascading Style Sheets (CSS) display property.

National Vulnerability Database 15 march, 2010

CVE-2010-0052

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to "callbacks for HTML elements."

National Vulnerability Database 15 march, 2010

CVE-2010-0051

WebKit in Apple Safari before 4.0.5 does not properly validate the cross-origin loading of stylesheets, which allows remote attackers to obtain sensitive information via a crafted HTML document.  NOTE: this might overlap CVE-2010-0651.

National Vulnerability Database 15 march, 2010

CVE-2010-0050

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an HTML document with improperly nested tags.

National Vulnerability Database 15 march, 2010

CVE-2010-0049

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via HTML elements with right-to-left (RTL) text directionality.

National Vulnerability Database 15 march, 2010

CVE-2010-0624

Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.

National Vulnerability Database 15 march, 2010

CVE-2010-0396

Directory traversal vulnerability in the dpkg-source component in dpkg before 1.14.29 allows remote attackers to modify arbitrary files via a crafted Debian source archive.

National Vulnerability Database 15 march, 2010

CVE-2010-0124

Employee Timeclock Software 0.99 places the database password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.

National Vulnerability Database 15 march, 2010

CVE-2010-0123

The database backup implementation in Employee Timeclock Software 0.99 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a "semi-predictable file name."

National Vulnerability Database 15 march, 2010

CVE-2010-0122

Multiple SQL injection vulnerabilities in Employee Timeclock Software 0.99 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to (a) auth.php or (b) login_action.php.

National Vulnerability Database 15 march, 2010

CVE-2010-0048

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XML document.

National Vulnerability Database 15 march, 2010

CVE-2010-0047

Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to "HTML object element fallback content."

National Vulnerability Database 15 march, 2010

CVE-2010-0046

The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted format arguments.

National Vulnerability Database 15 march, 2010

CVE-2010-0045

Apple Safari before 4.0.5 on Windows does not properly validate external URL schemes, which allows remote attackers to open local files and execute arbitrary code via a crafted HTML document.

National Vulnerability Database 15 march, 2010
Search
Sun Microsystems

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010

Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections

Multiple security vulnerabilities have been identified in the PostgreSQL software shipped with Solar ...

31 december, 2009

Directory Proxy Server Provided with Directory Server Enterprise Edition 6 is Subject to Denial of Service (DoS) and May Allow Unauthorized Access to Certain Data

Directory Proxy Server Provided with Directory Server Enterprise Edition 6 is Subject to Denial of S ...

31 december, 2009

Red Hat

[RHSA-2010:0130-01] Moderate: java-1.5.0-ibm security update

Red Hat Security Advisory - Moderate: java-1.5.0-ibm security update

03 march, 2010

[RHSA-2010:0129-01] Moderate: cups security update

Red Hat Security Advisory - Moderate: cups security update

03 march, 2010

[RHSA-2010:0126-01] Important: kvm security and bug fix update

Red Hat Security Advisory - Important: kvm security and bug fix update

01 march, 2010

ÐîÑ

Microsoft Windows 2000/XP CHM Notepad Remote Code Execution PoC

Target: Microsoft Windows 2000/XP
Impact: Denial of service

Microsoft Internet Explorer iepeers.dll Use After Free Exploit (meta)

Target: Microsoft Internet Explorer 6.x, 7.x
Impact: Code execution

MS05-20 Internet Explorer DHTML Memory Corruption PoC

Target: Internet Explorer
Impact: Denial of service

AdvertismentAbout ProjectContact UsCopyrightExportRSSMy SettingsMap