Threat Information for "UAC Rootkit"

StopSign will automatically remove this infection with a paid membership.

• Name: UAC Rootkit
• Aliases:
• Date Discovered: 2009-03-30
• Protection Added: 2009-04-02

-- Ease of Removal

1: Creates new registry entries with consistent data
2: Consistent file contents
3: Consistently named
4: Uses rootkit functionality
5: Hides registry entries
6: Hides files
7: Hides running processes
8: Runs as a service
9: Injects DLLs into running processes
10: Uses redundant/watcher processes

-- Privacy Risks/Security Changes

1: Disables security software
2: Disables administrator tools
3: Logs browsing habits and visited websites
4: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Silently modifies other programs' information or website content as displayed
2: Displays targeted popup advertisements
3: Changes browser search settings
4: Significantly slows down the computer
5: Creates new files
6: Autoruns at startup without an option to be disabled

-- Propagation/Saturation

1: Infects with other exploitation method
2: Infects from a link in an email
3: Infects from an email attachment
4: Installed by other infections

• Added Directory/File:
  FilePath: %SYSTEMDIR%\uac*.*
• Added Directory/File:
  FilePath: %SYSTEMDIR%\drivers\UACd.sys
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UACd.sys
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Services\UACd
• Added Registry Key:
  Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UACdcmd
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UACd.sys
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UACd
• Added Registry Key:
  Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UACddata