Win32/Winwebsec is a family of rogues that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then tell you that you need to pay money to register the software in order to remove these non-existent threats.
This trojan might display a dialog that mimics the Windows Security Center.
These pages typically present an animation of what appears to be a scan of your PC. Not surprisingly, when the 'scan' is finished, it reports that your PC is infected with large numbers of different malware. An example of one of these pages can be seen below:
When the animation is finished, you are asked to download a rogue security application, detected as
, that purports to remove these bogus infections.
You might be redirected to sites hosting these fake scanning pages in several ways, including by clicking on misleading advertising, by visiting previously compromised sites, or by following poisoned and subverted search results.
can also be installed by the following malware families:
We've also seen it installed alongside Win32/Sirefef and Win32/Simda.
Usually, it is installed by other malware or through exploits and social engineering. In some cases, it has been installed by spam messages, but this is rare.
The user interface and other details vary to reflect each variant's individual branding. These different distributions of the trojan use various installation methods, with file names and system modifications that can differ from one variant to the next.
Some members of the Win32/Winwebsec family might also download additional malware, like:
Current Winwebsec variants seen in the wild (as of December 2013):
brands might use icons or user interfaces similar to the following:
Recent variants of Win32/Winwebsec have been using stolen certificates to add false legitimacy to their installation. For more information, see Be a real security pro - Keep your private keys private.