PUA.Win32.DefenderControl.B

 Analysis by: John Rainier Navato

 ALIASES:

Application.Hacktool.DisableDefender.F (BITDEFENDER)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates certain registry entries to disable applications related to security.

  TECHNICAL DETAILS

File Size:

457,984 bytes

File Type:

EXE

Initial Samples Received Date:

22 Mar 2024

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following folders:

  • %Program Files%\DefenderControl

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

  • %User Temp%\{Random Name}.tmp
  • {Malware File Path}\{Malware File Name}.ini
  • %System%\GroupPolicy\Machine\Registry.pol
  • %System%\GroupPolicy\gpt.ini
  • %Program Files%\DefenderControl\dControl.exe
  • %Program Files%\DefenderControl\dControl.ini
  • %Desktop%\DefenderControl.lnk

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • %Program Files%\Windows Defender\MSASCui.exe -> if the user opts to Open Security Center

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Exclusions\Paths
%Program Files%\DefenderControl\dControl.exe = 0

It creates the following registry entries to disable applications related to security:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

(Note: The default value data of the said registry entry is {User Preference}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiVirus = 1

(Note: The default value data of the said registry entry is {User Preference}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

(Note: The default value data of the said registry entry is {User Preference}.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\WinDefend
Start = 4

(Note: The default value data of the said registry entry is {User Preference}.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender → if user chose Enable Windows Defender option

Other Details

This Potentially Unwanted Application adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender → if user chose Disable Windows Defender option