Win32/Winwebsec is a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then tell you that you need to pay money to register the software in order to remove these non-existent threats.
This trojan might display a dialog that mimics the Windows Security Center.
Win32/Winwebsec has been distributed with many different names, and in a number of different ways. We have seen it installed by the following malware families:
We've also seen it installed alongside Win32/Sirefef and Win32/Simda.
Usually, it is installed by other malware or through exploits and social engineering. In some cases, it has been installed by spam messages; however, this is rare.
The user interface and other details vary to reflect each variant's individual branding. These different distributions of the trojan use various installation methods, with file names and system modifications that can differ from one variant to the next.
Some members of the Win32/Winwebsec family might also download additional malware, such as:
Current Winwebsec variants seen in the wild (as of December 2013):
Brands might use icons or user interfaces similar to the following:
Recent variants of Win32/Winwebsec have been using stolen certificates to add false legitimacy to their installation. For more information, see Be a real security pro - Keep your private keys private.
Symptoms vary from variant to variant. See the specific encyclopedia descriptions for more information.