Disk Antivirus Professional

Disk Antivirus Professional is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform you that you need to pay money to register the software to remove these non-existent threats. It may also terminate processes and services, modify security settings, and block access to websites.

Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Disk Antivirus Professional".

Installation

When distributed as Disk Antivirus Professional, the malware generates an identifier of around 32 hexadecimal characters, and uses this in its path and file names. It copies self to %common_appdata%\<identifier>\<identifier>.exe (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe).

It drops an icon file to %common_appdata%\<identifier>\<identifier>.ico (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.ico)

The rogue also creates a data file at %common_appdata%\<identifier>\<identifier> (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287)

It creates a desktop shortcut at %desktopdirectory%\Disk Antivirus Professional.lnk.

It creates a Start menu item at %programs%\Disk Antivirus Professional\Disk Antivirus Professional.lnk:

The rogue makes the following changes to the registry to ensure that it runs each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <identifier> (for example, 6F638BF02B17D979A3CB6D177B07D287)
With data: <location of malware> (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe)

It also adds itself to the Add/Remove Programs list by creating the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Disk Antivirus Professional
Sets Value: "DisplayName"
With Data: "Disk Antivirus Professional"
Sets value: "ShortcutPath"
With data: "<location of malware>" -u (for example,  "%common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe" -u)
Sets value: "UninstallString"
With data: "<location of malware>" -u (for example, "%common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe" -u)
Sets value: "DisplayIcon"
With data: <location of icon file>,0 (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.ico,0)

Payload

Displays false/misleading malware alerts

When run, Disk Antivirus Professional performs a fake scan of your computer, and falsely claims that a number of files on your computer are infected with malware. Should you request that it clean the reported infections, it advises you that you need to pay money to register the program in order for it to do so.

Some examples of the interface, fake alerts, fake scanning results, and pop-ups displayed by Disk Antivirus Professional are shown below:

Stops processes from running

Upon installation, Disk Antivirus Professional prevents you from launching any application by stopping its process and displaying a message that falsely claims that the process is infected. It continues to monitor all running processes, and will stop any new process as it is launched. Upon doing so, it displays a message such as the following:

Win32/Winwebsec, however, avoids terminating the following processes:

• aeadisrv.exe
• alg.exe
• audiodg.exe
• conhost.exe
• csrss.exe
• ctfmon.exe
• diskavpro.exe
• driverquery.exe
• dwm.exe
• explorer.exe
• httpd.exe
• iastordatamgrsvc.exe
• iexplore.exe
• iexplorer.exe
• livesp.exe
• lsass.exe
• lsm.exe
• makecab.exe
• mdnsresponder.exe
• mfnsvc.exe
• nvscpapisvr.exe
• nvsvc.exe
• nvvsvc.exe
• outlook.exe
• pdagent.exe
• relver.exe
• rundll32.exe
• searchindexer.exe
• services.exe
• slsvc.exe
• smartfortress.exe
• smss.exe
• snort.exe
• spoolsv.exe
• svchost.exe
• system
• systeminfo.exe
• taskhost.exe
• tasklist.exe
• vmtoolsd.exe
• werfault.exe
• wininit.exe
• winlogon.exe
• winmail.exe
• winroute.exe
• wlmail.exe
• wmiprvse.exe
• wscntfy.exe
• wuauclt.exe

It also avoids stopping any Win32/Winwebsec-related processes, or any process with a file name that has a length of exactly twenty characters, including the extension (for example, abcdef0123456789.exe).

However, it specifically targets the following processes to stop them from running:

• mpcmdrun.exe
• msascui.exe
• msmpeng.exe
• msseces.exe
• nissrv.exe

Stops and disables services 

The malware may attempt to stop and disable the following services, which are related to Windows Update, Windows Security Center, and Microsoft and AVG antivirus products:

• AVG Security Toolbar Service
• avgfws
• AVGIDSAgent
• avgwd
• msmpsvc
• windefend
• wscsvc
• wuauserv

Closes windows

Should you attempt to open one of the following windows, the rogue may attempt to close them:

• fwcplui_class (Windows Firewall)
• msascui_class (Windows Defender)
• wscui_class (Windows Security Center) 

Modifies security settings

The malware may attempt to modify your computer's security settings by making a number of registry modifications.

It attempts to disable various Windows Security Center notifications by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"

It attempts to disable the Windows 7 Action Center by making the following changes to the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "HideSCAHealth"
With data: "1"

It attempts to disable the UAC File Virtualization Filter Driver by making the following changes to the registry:

In subkey: HKLM\System\CurrentControlSet\Services\luafv
Sets value: "Start"
With data: "4"

 Disk Antivirus Professional attempts to prevent the creation of automatic System Restore points by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"

The rogue attempts to disable User Account Control (UAC) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"

It attempts to disable Windows Defender by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender
Sets value: "DisableAntiSpyware"
With Data: "1" 

Blocks access to websites

The rogue monitors for the following browsers:

• chrome.exe
• firefox.exe
• iexplore.exe
• opera.exe
• safari.exe

If any of these are running, it may periodically display a dialog such as the following:

Disk Antivirus Professional also monitors browser activity and may block access to certain sites, displaying the following text:

Warning! The site you are trying to visit may harm your computer!
Your security settings level puts your computer at risk
Activate Disk Antivirus Professional , and enable safe web surfing (recommended)
Ignore warnings and visit that site in the current state (not recommended)

Analysis by David Wood