Home / malwarePDF  

PersonalShieldPro


First posted on 31 August 2011.
Source: SecurityHome

Aliases :

PersonalShieldPro is also known as Win32/Winwebsec (other), Rogue:Win32/Winwebsec (other), System Tool (other), MS Removal Tool (other).

Explanation :

Personal Shield Pro is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that he or she needs to pay money to register the software to remove these non-existent threats.

Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Personal Shield Pro".

Warning: Win32/Winwebsec may stop affected users from running all but a short list of specified applications. This may have an adverse effect on security applications that would otherwise remove this malware. If your antivirus scanner is unable to remove this threat because of this behavior, please see the additional removal instructions below.


Top

Personal Shield Pro is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that he or she needs to pay money to register the software to remove these non-existent threats.

Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Personal Shield Pro".



Installation

When distributed as "Personal Shield Pro", Win32/Winwebsec creates a folder under %Common_AppData% with a randomly-generated name (for example, "c:\documents and settings\all users\application data\oih24500iaeaj24500"). The fake scanner is copied to this folder, using the same name as that of the folder (for example "c:\documents and settings\all users\application data\oih24500iaeaj24500\oih24500iaeaj24500.exe").

It modifies the registry to ensure that the rogue is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<malware file name without the extension>" (for example, "oih24500iaeaj24500")
With data: "<malware path and file name>" (for example, "c:\documents and settings\all users\application data\oih24500iaeaj24500\oih24500iaeaj24500.exe")



Payload

Displays false/misleading malware alerts

When run, Personal Shield Pro performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program in order for it to do so.

Some examples of the interface, fake alerts, fake scanning results, and popups displayed by "Personal Shield Pro" are shown below:









Terminates processes
After installation, and upon each subsequent re-boot of the system, Personal Shield Pro prevents the user from launching any application by terminating its process and displaying a message that falsely claims that the process is infected.

Win32/Winwebsec, however, avoids terminating the following processes:

  • aeadisrv.exe
  • alg.exe
  • audiodg.exe
  • csrss.exe
  • conhost.exe
  • ctfmon.exe
  • dwm.exe
  • explorer.exe
  • httpd.exe
  • iastordatamgrsvc.exe
  • iexplore.exe
  • lsass.exe
  • lsm.exe
  • mfnsvc.exe
  • mdnsresponder.exe
  • nvscpapisvr.exe
  • nvvsvc.exe
  • nvsvc.exe
  • pdagent.exe
  • searchindexer.exe
  • services.exe
  • slsvc.exe
  • smss.exe
  • snort.exe
  • spoolsv.exe
  • svchost.exe
  • taskhost.exe
  • wininit.exe
  • winlogon.exe
  • wmiprvse.exe
  • winroute.exe
  • wscntfy.exe




Analysis by Hamish O'Dea

Last update 31 August 2011

 

TOP

Malware :