
System Doctor 2014


First posted on 08 July 2013.
Source: Microsoft

Aliases:

There are no other names known for System Doctor 2014.

Explanation:

System Doctor 2014 is a variant of Win32/Winwebsec, a family of programs that claim to scan for malware and display fake warnings of "malicious programs and viruses". They then inform you that you need to pay money to register the software to remove these non-existent threats. The malware may also terminate processes and services, modify security settings, and block access to websites.

Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "System Doctor 2014".



Installation

When distributed as System Doctor 2014, the malware generates an identifier of eight random alphanumeric characters (for example, NV4d4fd4). It then copies itself to %APPDATA%\<identifier>\WindowsSecurityUpdate.exe (for example, %APPDATA%\NV4d4fd4\WindowsSecurityUpdate.exe) and launches the new copy. This copy attempts to disable services related to Windows Defender and Windows Security Center (see below); once the copy has finished running, it is deleted.

The malware checks whether System Care Antivirus, a different variant of Rogue:Win32/Winwebsec, is present, and if so, it will stop running.

It then creates an additional copy of itself at %APPDATA%\<identifier>\<identifier>.exe (for example, %APPDATA%\NV4d4fd4\NV4d4fd4.exe). It also creates the following files in the same folder:

  • <identifier>.ico
  • <identifier>.ini
  • <identifier>.log
  • <identifier>.lst


For the above example, the file names would be:

  • NV4d4fd4.ico
  • NV4d4fd4.ini
  • NV4d4fd4.log
  • NV4d4fd4.lst


It creates the following registry entry to ensure that the new copy runs each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "SD2014"
With data: <location of malware copy> (for example, %APPDATA%\NV4d4fd4\NV4d4fd4.exe)

It adds two Start Menu items at %programs%\System Doctor 2014\System Doctor 2014.lnk and %programs%\System Doctor 2014\System Doctor 2014 support.url.



It adds a desktop shortcut for itself at %desktopdirectory%\System Doctor 2014.lnk.



It also adds a URL shortcut to the desktop at %desktopdirectory%\System Doctor 2014 support.url.
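The installation artifacts listed above (an eight-character random folder under %APPDATA% holding <identifier>.exe and its .ico/.ini/.log/.lst companions, plus the SD2014 Run value) can be matched offline against a directory listing and a Run-key export. The following is an added triage example written for this page, not code from Microsoft or from the malware analysis; the sample file paths and Run values are constructed, and the folder-name regex and the "all four side files present" requirement are this example's own heuristics for keeping benign eight-character folders from matching.

```python
import re
from pathlib import PureWindowsPath

# Indicators documented for the "System Doctor 2014" branding of Win32/Winwebsec:
# a folder %APPDATA%\<identifier> holding <identifier>.exe plus four side files,
# and an HKCU Run value named SD2014 pointing at that executable.
IDENT_RE = re.compile(r"^[A-Za-z0-9]{8}$")      # eight random alphanumeric characters
SIDE_EXTS = (".ico", ".ini", ".log", ".lst")    # created beside <identifier>.exe
RUN_VALUE = "SD2014"                            # value name under HKCU\...\CurrentVersion\Run
DROPPER_NAME = "windowssecurityupdate.exe"      # first copy; normally deleted after it runs


def find_install_footprint(appdata_files, run_values):
    """Match a file listing and Run-key export against the documented layout.

    appdata_files: full paths (str) of files under %APPDATA%, e.g. from a
                   recursive directory listing of the user profile.
    run_values:    {value_name: data} exported from
                   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns a list of finding dicts; an empty list means no match.
    """
    by_dir = {}
    for raw in appdata_files:
        p = PureWindowsPath(raw)
        by_dir.setdefault(p.parent, set()).add(p.name.lower())

    findings = []
    for folder, names in by_dir.items():
        ident = folder.name
        if not IDENT_RE.match(ident):
            continue                       # not an eight-character folder name
        low = ident.lower()
        # Require the executable AND every side file, so a benign eight-character
        # application folder with only an .ini does not trigger (heuristic).
        if low + ".exe" in names and all(low + ext in names for ext in SIDE_EXTS):
            findings.append({"kind": "install_dir", "path": str(folder / (ident + ".exe"))})
        if DROPPER_NAME in names:
            # The first copy is deleted once it finishes, so seeing it still on
            # disk suggests the installation was interrupted or is in progress.
            findings.append({"kind": "dropper_copy", "path": str(folder / DROPPER_NAME)})

    data = run_values.get(RUN_VALUE)
    if data is not None:
        findings.append({"kind": "run_key", "value": RUN_VALUE, "data": data})
    return findings


# Constructed sample data (not from a real system): one infected profile where
# the dropper copy has already been deleted, plus a benign eight-character
# folder that must not trigger because it lacks the full set of side files.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.exe",
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.ico",
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.ini",
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.log",
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.lst",
    r"C:\Users\alice\AppData\Roaming\Notepad2\Notepad2.exe",
    r"C:\Users\alice\AppData\Roaming\Notepad2\Notepad2.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
]
SAMPLE_RUN = {
    "SD2014": r"%APPDATA%\NV4d4fd4\NV4d4fd4.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

if __name__ == "__main__":
    for finding in find_install_footprint(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

On the constructed sample this reports one install_dir finding for the NV4d4fd4 folder and one run_key finding for SD2014; the Notepad2 folder is ignored. Feeding it a real listing only requires exporting the Run key and walking %APPDATA% with the forensic tooling you already use.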



Payload

Displays fake scanner

When run, System Doctor 2014 performs a fake scan of your computer, and falsely claims that a number of files on your computer are infected with malware. Should you request that it clean the reported infections, it advises you that you need to pay money to register the program in order for it to do so.

Some examples of the interface, fake alerts, fake scanning results, and pop-ups displayed by System Doctor 2014 are shown below:

[Screenshots of the interface, fake alerts, fake scanning results, and pop-ups are not reproduced in this copy.]

The malware may display its user interface in English, French, German, Italian, Portuguese, or Spanish, although details of the reported threats always appear in English. The following shows the Italian version of the user interface:

[Screenshot of the Italian user interface is not reproduced in this copy.]

Disables Windows Defender and Windows Security Center services

The malware attempts to disable the WinDefend and wscsvc services associated with Windows Defender and Windows Security Center respectively.

It also checks for references to MSASCui.exe (Windows Defender) under the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

If these are found, it will attempt to delete the corresponding registry entry, or, if this fails, to overwrite the file path in the entry with an empty string.

It may attempt to close any system tray balloons that would normally be displayed as a result of this.
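The two tampering behaviours just described, disabling the WinDefend and wscsvc services and deleting or blanking the MSASCui.exe autostart entry under HKLM\...\Run, leave states that a host inventory can be checked against. The example below is added for this page and is not Microsoft's or the analyst's code; the service inventory and Run-key export it consumes are constructed, and the assumption that the Defender autostart value has "Defender" in its name (so a blanked entry can still be recognised after its data has been emptied) is this example's own.

```python
# Services the malware tries to disable, and the Windows Defender autostart
# entry it tries to delete or overwrite with an empty string, as documented.
WATCHED_SERVICES = {"WinDefend": "Windows Defender", "wscsvc": "Windows Security Center"}
DEFENDER_UI = "msascui.exe"


def check_defender_tampering(services, run_values):
    """Flag service and Run-key states consistent with the described tampering.

    services:   {service_name: {"start_type": str, "state": str}} as a service
                inventory would report them (values compared case-insensitively).
    run_values: {value_name: data} exported from
                HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns a list of (indicator, detail) tuples; empty means nothing suspicious.
    """
    findings = []
    for svc, label in WATCHED_SERVICES.items():
        info = services.get(svc)
        if info is None:
            findings.append(("service_missing", f"{svc} ({label}) not in inventory"))
            continue
        start = info.get("start_type", "").lower()
        state = info.get("state", "").lower()
        if start == "disabled":
            findings.append(("service_disabled", f"{svc} ({label}) start type is Disabled"))
        elif state != "running":
            findings.append(("service_not_running", f"{svc} ({label}) state is {state or 'unknown'}"))

    # An emptied Run value is the strongest signal: the page says the malware
    # writes "" when it cannot delete the entry. Absence is weaker, because the
    # entry may never have existed on this Windows version, so report it apart.
    refs = {name for name, data in run_values.items() if DEFENDER_UI in data.lower()}
    blanked = [name for name, data in run_values.items()
               if data == "" and "defender" in name.lower()]   # assumption: value name
    if blanked:
        findings.append(("run_entry_blanked", ", ".join(blanked)))
    elif not refs:
        findings.append(("run_entry_absent", "no Run value references MSASCui.exe"))
    return findings


# Constructed inventories (not from real systems): one host showing the
# documented tampering, one clean host used as the baseline.
TAMPERED_SERVICES = {
    "WinDefend": {"start_type": "Disabled", "state": "Stopped"},
    "wscsvc": {"start_type": "Automatic", "state": "Stopped"},
    "Spooler": {"start_type": "Automatic", "state": "Running"},
}
TAMPERED_RUN = {"Windows Defender": "", "SomeVendorTray": r"C:\Program Files\Vendor\tray.exe"}

CLEAN_SERVICES = {
    "WinDefend": {"start_type": "Automatic", "state": "Running"},
    "wscsvc": {"start_type": "Automatic", "state": "Running"},
}
CLEAN_RUN = {"Windows Defender": r"%ProgramFiles%\Windows Defender\MSASCui.exe -hide"}

if __name__ == "__main__":
    for indicator, detail in check_defender_tampering(TAMPERED_SERVICES, TAMPERED_RUN):
        print(f"{indicator}: {detail}")
```

On the tampered inventory the function reports WinDefend disabled, wscsvc not running, and the blanked "Windows Defender" Run value; on the clean inventory it returns nothing. A disabled service on its own is not proof of this variant, so treat the output as a prompt to look for the installation artifacts described earlier rather than as a verdict.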

Stops processes from running

Upon installation, System Doctor 2014 prevents you from launching any application by stopping its process and displaying a message that falsely claims that the process is infected. It continues to monitor all running processes, and will stop any new process as it is launched.

Win32/Winwebsec, however, avoids terminating the following processes:

  • conhost.exe
  • dumprep.exe
  • dwm.exe
  • dwwin.exe
  • explorer.exe
  • ie4unit.exe
  • iedw.exe
  • ieuser.exe
  • iexplore.exe
  • lsass.exe
  • sdrm.exe
  • svchost.exe
  • sysdoctor.exe
  • taskeng.exe
  • userinit.exe
  • verclsid.exe
  • winlogon.exe
  • wuauclt.exe


When doing so, it may display an image such as the following:

[Screenshot of the fake "infected process" message is not reproduced in this copy.]

It will not stop any process that was already running at the time the malware was launched.

The malware will also attempt to stop processes with any of the following file names, regardless of whether or not they were already running:

  • chrome.exe
  • firefox.exe
  • msconfig.exe
  • opera.exe
  • regedit.exe
  • safari.exe
  • taskmgr.exe




Analysis by David Wood

Last update 08 July 2013
