System Doctor 2014 is a variant of Win32/Winwebsec, a family of rogue security programs that claim to scan for malware and display fake warnings about "malicious programs and viruses". They then tell you that you must pay to register the software in order to remove these non-existent threats. The malware may also terminate processes and services, modify security settings, and block access to websites.
Win32/Winwebsec has been distributed under many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed under the name "System Doctor 2014".
When distributed as System Doctor 2014, the malware generates an identifier of eight random alphanumeric characters (for example, NV4d4fd4). It then copies itself to %APPDATA%\<identifier>\WindowsSecurityUpdate.exe (for example, %APPDATA%\NV4d4fd4\WindowsSecurityUpdate.exe) and launches the new copy. This copy attempts to disable services related to Windows Defender and Windows Security Center (see below); once it has finished running, it is deleted.
The malware checks whether System Care Antivirus, a different variant of Rogue:Win32/Winwebsec, is present, and if so, it will stop running.
It then creates an additional copy of itself at %APPDATA%\<identifier>\<identifier>.exe (for example, %APPDATA%\NV4d4fd4\NV4d4fd4.exe). It also creates the following files in the same folder:
For the above example, the file names would be:
It creates the following registry entry to ensure that the new copy runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "SD2014"
With data: <location of malware copy> (for example, %APPDATA%\NV4d4fd4\NV4d4fd4.exe)
It adds two Start Menu items at %programs%\System Doctor 2014\System Doctor 2014.lnk and %programs%\System Doctor 2014\System Doctor 2014 support.url.
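The installation steps above give a small set of host-based indicators: the self-deleting dropper at %APPDATA%\<identifier>\WindowsSecurityUpdate.exe, the persistent copy at %APPDATA%\<identifier>\<identifier>.exe (same eight-character identifier for folder and file), the HKCU Run value "SD2014", and the two Start Menu items. The script below is an added example, not code from the encyclopedia entry or from Microsoft, that turns those indicators into detection logic and runs it over a registry export and a file listing supplied as plain Python data, so it can be exercised offline. It assumes that live paths under a user profile's AppData\Roaming folder can be collapsed to the %APPDATA% token the entry uses, and it matches the Start Menu items by their trailing path only, since the entry does not say which folder %programs% resolves to. The sample entries and paths at the bottom are constructed, not captured from an infected machine.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the encyclopedia entry for the System Doctor 2014 variant.
IDENT = r"[A-Za-z0-9]{8}"  # eight random alphanumeric characters, e.g. NV4d4fd4

# Dropper: %APPDATA%\<id>\WindowsSecurityUpdate.exe (first stage, deleted after it runs)
DROPPER_RE = re.compile(
    rf"^%APPDATA%\\(?P<id>{IDENT})\\WindowsSecurityUpdate\.exe$", re.IGNORECASE)

# Persistent copy: %APPDATA%\<id>\<id>.exe; the backreference enforces that the
# folder name and the file name carry the same identifier.
PERSIST_RE = re.compile(
    rf"^%APPDATA%\\(?P<id>{IDENT})\\(?P=id)\.exe$", re.IGNORECASE)

# Start Menu items; matched on the tail only (assumption: %programs% location unknown).
START_MENU_RE = re.compile(
    r"\\System Doctor 2014\\System Doctor 2014( support\.url|\.lnk)$", re.IGNORECASE)

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SD2014"

# Assumption: an expanded per-user roaming profile path is collapsed to %APPDATA%
# so one regex covers both the token form used in the entry and a real path.
_APPDATA_PREFIX = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming(?=\\)", re.IGNORECASE)


def normalize(path: str) -> str:
    """Strip surrounding quotes (common in Run data) and collapse the AppData\\Roaming prefix."""
    return _APPDATA_PREFIX.sub("%APPDATA%", path.strip().strip('"'))


def classify_path(path: str) -> Optional[str]:
    """Return 'dropper', 'persistent_copy', 'start_menu', or None for a single path."""
    p = normalize(path)
    if DROPPER_RE.match(p):
        return "dropper"
    if PERSIST_RE.match(p):
        return "persistent_copy"
    if START_MENU_RE.search(p):
        return "start_menu"
    return None


def check_run_entries(entries: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Flag HKCU Run values named SD2014, and any HKCU Run value whose data points at
    the persistent copy even if the value name was changed. The entry documents the
    HKCU hive only, so other keys are ignored here."""
    findings = []
    for key, name, data in entries:
        if key.lower() != RUN_KEY.lower():
            continue
        kind = classify_path(data)
        if name == RUN_VALUE or kind == "persistent_copy":
            findings.append({"value": name, "data": data, "kind": kind or "unknown_path"})
    return findings


def scan(run_entries: Iterable[Tuple[str, str, str]], file_paths: Iterable[str]) -> List[str]:
    """Combine the registry and file-system checks into a list of readable findings."""
    findings = [f"Run value {f['value']!r} -> {f['data']} ({f['kind']})"
                for f in check_run_entries(run_entries)]
    for p in file_paths:
        kind = classify_path(p)
        if kind:
            findings.append(f"{kind}: {p}")
    return findings


# Constructed sample data (not a real capture): one infected profile plus benign noise.
SAMPLE_RUN = [
    (RUN_KEY, "SD2014", r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.exe"),
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SD2014", r"C:\x.exe"),  # not HKCU
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\NV4d4fd4.exe",
    r"C:\Users\alice\AppData\Roaming\NV4d4fd4\WindowsSecurityUpdate.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Doctor 2014\System Doctor 2014.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Doctor 2014\System Doctor 2014 support.url",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Users\alice\AppData\Roaming\AbCdEfGh\Other.exe",  # 8-char folder but file name differs: benign
]

if __name__ == "__main__":
    for line in scan(SAMPLE_RUN, SAMPLE_FILES):
        print(line)
```

The backreference in PERSIST_RE is what separates this variant's copy from any unrelated program that happens to live in an eight-character folder, and the Run check deliberately flags the persistent-copy path regardless of the value name, since the "SD2014" name is branding and is the part most likely to change between variants. On a live host you would feed check_run_entries from a reg.exe export of the HKCU Run key and classify_path from a recursive listing of each user's AppData\Roaming folder.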