Win32/Adware.ThreatNuker

Detection created: 2009-03-23
Short description

Win32/Adware.ThreatNuker is a rogue antivirus.

Installation

The adware must be manually installed.


The adware creates the following files:

  • %applicationrootfolder%\ThreatNuker\domains.list
  • %applicationrootfolder%\ThreatNuker\mfc71.dll
  • %applicationrootfolder%\ThreatNuker\msvcp71.dll
  • %applicationrootfolder%\ThreatNuker\msvcr71.dll
  • %applicationrootfolder%\ThreatNuker\Strings.ini
  • %applicationrootfolder%\ThreatNuker\ThreatNuker.chm
  • %applicationrootfolder%\ThreatNuker\ThreatNuker.exe
  • %applicationrootfolder%\ThreatNuker\Uninstall.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\ThreatNuker]
    • "AID" = %data%
    • "CurrentVer" = 20002
    • "DatabaseBuild" = 1154987390
    • "DomainsLoaded" = 1
    • "InstallDir" = "%applicationrootfolder%"
    • "StartMenuFolder" = "%startmenufolder%"
  • [HKEY_CURRENT_USER\Software\ThreatNuker\Layout]
  • [HKEY_CURRENT_USER\Software\ThreatNuker\Whitelist]
  • [HKEY_CURRENT_USER\Software\ThreatNuker\Category]
  • [HKEY_CURRENT_USER\Software\ThreatNuker\Messages]
  • [HKEY_CLASSES_ROOT\{70002935-F771-292E-3198-E5A90001316C}\Implemented Categoties]
  • [HKEY_CLASSES_ROOT\{70002935-F771-292E-3198-E5A90001316C}\MiscStatus\1]
  • [HKEY_CLASSES_ROOT\{70002935-F771-292E-3198-E5A90001316C}\MiscStatus\2]
  • [HKEY_CLASSES_ROOT\{70002935-F771-292E-3198-E5A90001316C}\MiscStatus\3]
  • [HKEY_CLASSES_ROOT\{70002935-F771-292E-3198-E5A90001316C}\Version]
  • [HKEY_CLASSES_ROOT\CLSID\{1334158E-0314-405F-84E2-504815415812}]
    • "d" = "%time%"
    • "m" = 1

In order to be executed on every system start, the adware sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "ThreatNuker" = "%applicationrootfolder%\ThreatNuker.exe"

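The following PowerShell audit script is an added example, not part of the ESET entry: it checks a host for the persistence value, registry keys and files listed above, resolving the install folder from the "InstallDir" value when the HKLM key exists and otherwise assuming the Program Files folders (an assumption; the page does not say where %applicationrootfolder% points).

```powershell
# Added audit script (not from the ESET page). Run from an elevated prompt;
# reports which Win32/Adware.ThreatNuker artifacts are present and removes nothing.
$findings = @()

# Persistence: the Run value named "ThreatNuker" in HKLM.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'ThreatNuker' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value present: $runKey\ThreatNuker = $($runVal.ThreatNuker)"
}

# Configuration and COM keys created by the installer.
$regKeys = @(
    'HKLM:\Software\ThreatNuker',
    'HKCU:\Software\ThreatNuker',
    'Registry::HKEY_CLASSES_ROOT\{70002935-F771-292E-3198-E5A90001316C}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{1334158E-0314-405F-84E2-504815415812}'
)
foreach ($k in $regKeys) {
    if (Test-Path -Path $k) { $findings += "Registry key present: $k" }
}

# Install root: prefer the "InstallDir" value the adware writes, otherwise
# fall back to both Program Files folders (assumed locations).
$roots = @()
$cfg = Get-ItemProperty -Path 'HKLM:\Software\ThreatNuker' -ErrorAction SilentlyContinue
if ($cfg -and $cfg.InstallDir) { $roots += $cfg.InstallDir }
$roots += @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$files = 'domains.list', 'mfc71.dll', 'msvcp71.dll', 'msvcr71.dll',
         'Strings.ini', 'ThreatNuker.chm', 'ThreatNuker.exe', 'Uninstall.exe'
foreach ($root in ($roots | Select-Object -Unique)) {
    $dir = Join-Path $root 'ThreatNuker'
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($f in $files) {
        $p = Join-Path $dir $f
        if (Test-Path -Path $p) { $findings += "File present: $p" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ThreatNuker artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```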
Other information

Win32/Adware.ThreatNuker is a rogue antivirus.


The adware displays fake warnings about threats detected on the compromised computer that need to be removed.


Some examples follow.

The problems/threats are fake.


The goal of the program is to persuade the user to purchase the product.


The adware keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
