KillAndClean

Type: Program
SubType: Win32
Discovery Date: 02/26/2007
Minimum DAT: 4971 (02/26/2007)
Updated DAT: 4971 (02/26/2007)
Minimum Engine: 5.1.00
Description Added: 02/26/2007
Description Modified: 02/28/2007 2:27 AM (PT)

Characteristics

This is a potentially unwanted rogue anti-spyware application that claims to remove malicious spyware programs.

File: KillAndCleanSetup.exe
Hash: 24359af32b809174d99d3d3182a3cca1
Size: 430,080 bytes

Upon execution, the following registry keys are added:

  • HKEY_CURRENT_USER\Software\KillAndClean
  • HKEY_CURRENT_USER\Software\KillAndClean\FirstRun
  • HKEY_CURRENT_USER\Software\KillAndClean\Options
  • HKEY_CURRENT_USER\Software\KillAndClean\Registration
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-2734-477F-8257-27CD04F88779}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KillAndClean

The following folders are created:

  • %Documents and Settings%\Administrator\Start Menu\Programs\KillAndClean
  • %Program Files%\KillAndClean


The following files are created on the user's system:

  • %Program Files%\KillAndClean\KillAndClean.exe
  • %Program Files%\KillAndClean\KillAndCleanUpdate.exe
  • %Program Files%\KillAndClean\sac.ico
  • %Program Files%\KillAndClean\uninstall.exe
  • %Program Files%\KillAndClean\warez.dat
  • %Program Files%\KillAndClean\wover.dat
  • %Documents and Settings%\Administrator\Start Menu\Programs\KillAndClean\KillAndClean.lnk
  • %Documents and Settings%\Administrator\Start Menu\Programs\KillAndClean\Uninstall.lnk

The application creates the following registry keys itself and later reports them as detections, as shown below:

  • HKEY_CLASSES_ROOT\CLSID\{7B0F01D3-671D-6F25-6ADA-A68B72E9AB08}\InprocServer32
    "(Default)" = ssweeper.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "RtlFindVal" = JAguAr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Kargo" = dialer423.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "StatusCheck" = sysconf16.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "srbho" = StatusCheck.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "ftbar" = zantu.exe



If the user clicks the Kill & Clean button, they are asked to register the product, as shown below.



If the user clicks the OK button, they are redirected to a webpage that asks for their credit card details in order to register the product, as shown below.



We caution web users against entering their card details and CVV number into these rogue anti-spyware applications seen while surfing the web.

Aliases

  • Adware.KAC (ESET)
  • KillAndClean (PestPatrol)
  • SafeandClean (Symantec)
  • Trojan.Fakealert (Doctor Web)