
Program:Win32/Winwebsec


First posted on 09 February 2009.
Source: SecurityHome

Aliases :

Program:Win32/Winwebsec is also known as System Security (other) and Winweb Security (other).

Explanation :

Program:Win32/Winwebsec is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. Program:Win32/Winwebsec has been distributed with several different names. The user interface varies to reflect each variant’s individual branding.

Note: Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed, may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Symptoms
Symptoms vary among different distributions of Trojan:Win32/Rogue; however, the presence of the following system changes (or similar) may indicate the presence of this program:

  • Presence of the following files, or similar (for example):
    %COMMON_APPDATA%\WinwebSecurity\WinwebSecurity.exe
    %COMMON_APPDATA%\WinwebSecurity\config.udb
    %COMMON_APPDATA%\WinwebSecurity\init.udb
    %COMMON_APPDATA%\WinwebSecurity\Languages\English.lng
  • Presence of the following registry modifications or similar (for example):
    Adds value: "<randomly generated>" (same as the fake scanner file name, e.g. 1677291695)
    With data: "<path to rogue>" (e.g. C:\Documents and Settings\All Users\Application Data\922926319\1677291695.exe)
    To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Adds value: WinwebSecurity
    With data: "%COMMON_APPDATA%\WinwebSecurity\WinwebSecurity.exe"
    To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Adds value: adpws
    With data: "%COMMON_APPDATA%\<random>.exe" (e.g. "%COMMON_APPDATA%\5689887B.exe")
    To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Display of the following images/dialogs, or similar (images not reproduced here).

Installation details and functionality may vary slightly according to individual distributions of this rogue security program; however, the differences are effectively only superficial. In the wild, Program:Win32/Winwebsec has been observed being distributed with the following names:
  • System Security
  • Winweb Security

System Security
When distributed as 'System Security', Program:Win32/Winwebsec performs the following actions.

    Installation
    The installer downloads a ZIP file and installs files from the ZIP. In the wild, we have observed this file being downloaded with the filename 'ws.zip' from the 'securedownloadsoftware.com' domain. It displays one image while downloading and another once installation has finished (the images are not reproduced here). It then runs the fake scanner. It creates a directory under %COMMON_APPDATA% with a randomly generated name (e.g. C:\Documents and Settings\All Users\Application Data\922926319). The fake scanner is copied to this directory, also using a randomly generated file name (e.g. "1677291695.exe"). It also installs the following clean files:
  • config.udb
  • init.udb
  • Langs.udb
    The registry is modified to ensure that the fake scanner is executed at each Windows start:
    Adds value: "<randomly generated>" (same as the fake scanner file name, e.g. 1677291695)
    With data: "<path to rogue>" (e.g. C:\Documents and Settings\All Users\Application Data\922926319\1677291695.exe)
    To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    It also creates the following shortcuts to the rogue executable on the desktop and in a new folder under Start | Programs:
  • %DESKTOPDIRECTORY%\System Security.lnk
  • %PROGRAMS%\System Security\System Security.lnk
    See below for examples of the interface, fake alerts, false scanning results, icons and pop-ups used by Win32/Winwebsec when distributed as 'System Security' (images not reproduced here).

Winweb Security
When distributed as 'Winweb Security', Program:Win32/Winwebsec performs the following actions.

    Installation
    The installer downloads a ZIP file and installs files from the ZIP. In the wild, we have observed this file being downloaded with the filename 'ws.zip' from the 'winwebsecurity.com' domain. It displays one image while downloading and another once installation has finished (the images are not reproduced here). It then runs the fake scanner. It creates a directory called %COMMON_APPDATA%\WinwebSecurity and drops these files there:
  • WinwebSecurity.exe
  • config.udb
  • init.udb
  • Languages\English.lng
    It also drops a file directly into %COMMON_APPDATA% (e.g. %COMMON_APPDATA%\5689887B.exe). This component may periodically try to open a URL in Internet Explorer. The registry is also modified to ensure that the fake scanner is executed at each Windows start:
    Adds value: WinwebSecurity
    With data: "%COMMON_APPDATA%\WinwebSecurity\WinwebSecurity.exe"
    To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Adds value: adpws
    With data: "%COMMON_APPDATA%\<random>.exe" (e.g. "%COMMON_APPDATA%\5689887B.exe")
    To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    See below for examples of the interface, fake alerts, false scanning results, icons and pop-ups used by Win32/Winwebsec when distributed as 'Winweb Security' (images not reproduced here).
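As an added example (not part of the original advisory), the following Python script checks a `reg export` of the HKLM Run key for the persistence entries described above for both variants: the Winweb Security value names, a numeric executable inside a numeric %COMMON_APPDATA% subfolder, and an executable dropped directly into %COMMON_APPDATA%. The sample export is constructed, and the folder names taken to stand for %COMMON_APPDATA% are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a "reg export" of the HKLM Run key (not from the page): benign first entry, then three rogue ones.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"1677291695"="C:\\Documents and Settings\\All Users\\Application Data\\922926319\\1677291695.exe"
"WinwebSecurity"="C:\\Documents and Settings\\All Users\\Application Data\\WinwebSecurity\\WinwebSecurity.exe"
"adpws"="C:\\Documents and Settings\\All Users\\Application Data\\5689887B.exe"
'''

# Run value names the advisory lists for the Winweb Security variant.
KNOWN_VALUE_NAMES = {"winwebsecurity", "adpws"}
# Assumed folder names that play the %COMMON_APPDATA% role on XP-era and current Windows.
COMMON_APPDATA_DIRS = {"application data", "programdata"}
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"\s*$')

def parse_run_values(reg_text):
    """Return {value_name: data} for the string values in a one-key .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            # .reg files escape backslashes and double quotes inside string data.
            values[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return values

def classify_run_value(name, data):
    """Return why a Run value matches a Winwebsec indicator, or None if it does not."""
    if name.lower() in KNOWN_VALUE_NAMES:
        return "value name used by the Winweb Security variant"
    path = PureWindowsPath(data)
    parts = [p.lower() for p in path.parts]
    if not any(d in parts for d in COMMON_APPDATA_DIRS):
        return None
    # System Security variant: numeric value name == numeric file stem in a numeric folder.
    if name.isdigit() and path.stem == name and path.parent.name.isdigit():
        return "random numeric executable in a random numeric %COMMON_APPDATA% folder"
    # Winweb Security variant: an executable dropped directly into %COMMON_APPDATA%.
    if path.suffix.lower() == ".exe" and path.parent.name.lower() in COMMON_APPDATA_DIRS:
        return "executable dropped directly into %COMMON_APPDATA%"
    return None

def find_winwebsec_indicators(reg_text):
    """Return [(value_name, reason)] for every Run entry matching an indicator."""
    found = ((n, classify_run_value(n, d)) for n, d in parse_run_values(reg_text).items())
    return [(n, why) for n, why in found if why]
```

Running `find_winwebsec_indicators(SAMPLE_REG_EXPORT)` flags the three rogue entries and leaves the benign one alone; on a real export the value-name rules are the strongest signal, since random numeric names are only suggestive.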

    Analysis by Hamish O'Dea

    Last update 09 February 2009
