Advisories
Vulnerability Database
PoC
Viruses
Research Lab

RegClean2Sqr

10 january, 2008

RegClean2Sqr


Updated: January 7, 2008 4:35:46 PM
Type: Misleading Application
Name: RegClean
Version: 2.7
Publisher: 2Squared
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

SUMMARY

Behavior

RegClean2Sqr is a misleading application that may give exaggerated reports of errors on the computer.

Note: Virus definitions dated January 8th, 2008 or earlier may detect this application as RegClean.

Protection

  • Initial Rapid Release version January 7, 2008 revision 017
  • Latest Rapid Release version January 8, 2008 revision 006
  • Initial Daily Certified version January 7, 2008 revision 022
  • Latest Daily Certified version January 8, 2008 revision 022
  • Initial Weekly Certified release date January 9, 2008

TECHNICAL DETAILS

Behavior
The program must be manually installed.

The program reports false or exaggerated reports of errors on the computer.





The user is then prompted to pay for a full license of the application in order to remove the errors.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_02 PM_031.log
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_10 PM_843.log
  • %UserProfile%\Desktop\200defs_SR\2007-12-31_Downloader.MisleadApp_setupxv.exe.1.exe
  • %UserProfile%\Local Settings\Temp\symlcsv1.exe
  • C:\Documents and Settings\All Users\Desktop\RegClean.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean.lnk
  • %ProgramFiles%\RegClean\DataBase.ref
  • %ProgramFiles%\RegClean\Launcher.exe
  • %ProgramFiles%\RegClean\RegClean.exe
  • %ProgramFiles%\RegClean\RegClean.url
  • %ProgramFiles%\RegClean\RegCleaner.dll
  • %ProgramFiles%\RegClean\TCL.dll
  • %ProgramFiles%\RegClean\zlib.dll
  • %Windìr%\Installer\[RANDOM NAME].msi
  • %Windìr%\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\Icon.exe
  • %Windìr%\Tasks\RegClean Scheduled Scan.job


It may also create temporary files.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RegClean" = "%ProgramFiles%\RegClean\RegClean.exe"

The risk also creates the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\WINDOWS\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\" = ""

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\RegClean
  • HKEY_CLASSES_ROOT\Installer\Features\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\Products\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8E650C92721B8364BB774E25145C382A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6938AFF-30C4-409C-B667-3F6503750BB8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\350A43477F3E8D94EAB18377D1E7421D\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D1033F8162A79449B35709F1E31AF3B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6121E96C162F8C64BAF0CE846F8186E5\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78A0FBA817F2FC044AE7F3078863CC1B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8AE7DA13A8A50784EB8DB6C0C9CB5A00\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96561E3A346665E4AA79D997C23D33FB\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9F4D2600F2086F948BF0217B8EEAF075\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6EC329EDEB1E1F49A774B220E15682A\FFA8396D4C03C9046B76F3563057B08B

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Pla ...

18 december, 2009

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that co ...

23 november, 2009

Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause a ...

15 october, 2009

(MS10-002) Cumulative Security Update for Internet Explorer (978207)

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vu ...

21 january, 2010

(MS10-001) Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)

This security update resolves a privately reported vulnerability in Microsoft Windows.

12 january, 2010

(MS09-074) Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)

This security update resolves a privately reported vulnerability in Microsoft Office Project.

09 december, 2009

CVE-2010-0559

The default configuration of Oracle OpenSolaris snv_91 through snv_131 allows attackers to have an unspecified impact via vectors related to using kclient to join a Windows Active Directory domain.

National Vulnerability Database 05 february, 2010

CVE-2010-0558

The default configuration of Oracle OpenSolaris snv_77 through snv_131 allows attackers to have an unspecified impact via vectors related to using smbadm to join a Windows Active Directory domain.

National Vulnerability Database 05 february, 2010

CVE-2010-0557

IBM Cognos Express 9.0 allows attackers to obtain unspecified access to the Tomcat Manager component, and cause a denial of service, by leveraging hardcoded credentials.

National Vulnerability Database 05 february, 2010

CVE-2009-4185

Cross-site scripting (XSS) vulnerability in proxy/smhui/getuiinfo in HP System Management Homepage (SMH) before 6.0 allows remote attackers to inject arbitrary web script or HTML via the servercert parameter.

National Vulnerability Database 05 february, 2010

CVE-2009-2752

IBM WebSphere Commerce 7.0 does not properly encrypt data in a database, which makes it easier for local users to obtain sensitive information by defeating cryptographic protection mechanisms.

National Vulnerability Database 05 february, 2010

CVE-2009-2751

IBM WebSphere Commerce 7.0 uses the same cryptographic key for session attributes and merchant data encryption, which has unspecified impact and remote attack vectors.

National Vulnerability Database 05 february, 2010

CVE-2003-1587

Cross-site scripting (XSS) vulnerability in LoganPro allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header.

National Vulnerability Database 05 february, 2010

CVE-2003-1586

Cross-site scripting (XSS) vulnerability in WebExpert allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header.

National Vulnerability Database 05 february, 2010

CVE-2003-1585

Cross-site scripting (XSS) vulnerability in WebLogExpert allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010

CVE-2003-1584

Cross-site scripting (XSS) vulnerability in SurfStats allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010

CVE-2003-1583

Cross-site scripting (XSS) vulnerability in WebTrends allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010

CVE-2003-1582

Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010

CVE-2003-1581

The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010

CVE-2003-1580

The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010

CVE-2003-1579

Sun ONE (aka iPlanet) Web Server 6 on Windows, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

National Vulnerability Database 05 february, 2010
Search
Sun Microsystems

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010

Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections

Multiple security vulnerabilities have been identified in the PostgreSQL software shipped with Solar ...

31 december, 2009

Directory Proxy Server Provided with Directory Server Enterprise Edition 6 is Subject to Denial of Service (DoS) and May Allow Unauthorized Access to Certain Data

Directory Proxy Server Provided with Directory Server Enterprise Edition 6 is Subject to Denial of S ...

31 december, 2009

Red Hat

[RHSA-2010:0079-01] Important: kernel security and bug fix update

Red Hat Security Advisory - Important: kernel security and bug fix update

03 february, 2010

[RHSA-2010:0076-01] Important: kernel security and bug fix update

Red Hat Security Advisory - Important: kernel security and bug fix update

02 february, 2010

[RHSA-2010:0041-01] Important: kernel-rt security and bug fix update

Red Hat Security Advisory - Important: kernel-rt security and bug fix update

21 january, 2010

ÐîÑ

Linux Kernel FASYNC Use-After-Free PoC

Target: Linux kernel 2.6.x
Impact: Denial of service

Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow PoC

Target: Viscom Software Movie Player Pro SDK ActiveX 6.8
Impact: Code execution

Adobe U3D CLODProgressiveMeshDeclaration Array Overrun Exploit (meta)

Target: Adobe Reader âåðñèè äî 9.3
Impact: Code execution

AdvertismentAbout ProjectContact UsCopyrightExportRSSMy SettingsMap