System Tool is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that he or she needs to pay money to register the software to remove these non-existent threats.
Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "System Tool".
Installation
When distributed as "System Tool", Win32/Winwebsec creates a folder under %AppData% (for a specific user or for all users) with a randomly-generated name (for example, "%AppData%\nGfKl00902"). The fake scanner is copied to this folder, using the same name as that of the folder (for example "%AppData%\nGfKl00902\nGfKl00902.exe").
It modifies the registry to ensure that the rogue is executed at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<malware file name without the extension>" (for example, "nGfKl00902")
With data: "<malware path and file name>" (for example, "%AppData%\nGfKl00902\nGfKl00902.exe")
It also creates the following shortcuts to the rogue on the desktop and in the Start>Programs folder:
-
%HOMEPATH%\Desktop\System Tool 2011.lnk
-
%UserProfile%\Start Menu\Programs\System Tool\System Tool 2011.lnk
Payload
Displays false/misleading malware alerts
When run, System Tool performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program in order for it to do so.
Some examples of the interface, fake alerts, fake scanning results, and popups displayed by "System Tool" are shown below:
Terminates processes
After installation, and upon each subsequent re-boot of the system, System Tool prevents the user from launching any application by terminating its process and displaying a message that falsely claims that the process is infected. For instance, if "notepad.exe" is launched, the malware displays the following dialog:
Win32/Winwebsec, however, avoids terminating the following processes:
-
aeadisrv.exe
-
alg.exe
-
audiodg.exe
-
csrss.exe
-
conhost.exe
-
ctfmon.exe
-
dwm.exe
-
explorer.exe
-
httpd.exe
-
iastordatamgrsvc.exe
-
iexplore.exe
-
lsass.exe
-
lsm.exe
-
mfnsvc.exe
-
mdnsresponder.exe
-
nvscpapisvr.exe
-
nvvsvc.exe
-
nvsvc.exe
-
pdagent.exe
-
searchindexer.exe
-
services.exe
-
slsvc.exe
-
smss.exe
-
snort.exe
-
spoolsv.exe
-
svchost.exe
-
taskhost.exe
-
wininit.exe
-
winlogon.exe
-
wmiprvse.exe
-
winroute.exe
-
wscntfy.exe
It also changes Desktop wallpaper to the following image (located at %temp%\<random file name>.tmp):
It may also display a fake error image (located at %temp%\<random file name>.bmp)
Analysis by Elda Dimakiling