Security Tool is a variant of Win32/Winwebsec - a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant’s individual branding. The following details describe Win32/Winwebsec when it is distributed with the name Security Tool.
When distributed as Security Tool, Win32/Winwebsec creates a directory under %COMMON_APPDATA% or %APPDATA% with a randomly generated name (for example, C:\Documents and Settings\All Users\Application Data\65124927). The fake scanner is copied to this folder, using the same name as that of the folder (for example "65124927.exe" or "gcutvzlen.exe").
The registry is modified to ensure that the fake scanner is executed at each Windows start:
Adds value: "<randomly generated>" (same as the fake scanner file name, for example 65124927)
With data: "<path to rogue>" (for example, C:\Documents and Settings\All Users\Application Data\65124927\65124927.exe)
To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
It also creates the following shortcuts to the rogue executable on the desktop and under Start | Programs:
• %DESKTOPDIRECTORY%\Security Tool.lnk
• %PROGRAMS%\Security Tool.lnk
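The persistence pattern described above (a random-named folder under %COMMON_APPDATA% or %APPDATA%, an executable of the same name inside it, a Run value carrying that same name, plus "Security Tool.lnk" shortcuts) is narrow enough to triage automatically. The following Python script is an added example and is not code from the page or from the analyst; it runs a heuristic over constructed Run-key values and shortcut paths that imitate a registry export, so it works offline. The sample entries, the `RANDOM_NAME` pattern and the folder markers are assumptions chosen to match the wording above, not indicators taken from a real sample.

```python
"""Heuristic triage of Run-key persistence in the style described for Security Tool.

Added example. The registry values and shortcut paths below are constructed
samples for illustration, not artefacts from the page or from a real infection.
"""
import re
from pathlib import PureWindowsPath

# Constructed HKLM\...\Run values as (value name, data) pairs, two rogue-style and two benign.
SAMPLE_RUN_VALUES = [
    ("65124927", r"C:\Documents and Settings\All Users\Application Data\65124927\65124927.exe"),
    ("gcutvzlen", r"C:\Users\alice\AppData\Roaming\gcutvzlen\gcutvzlen.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# Constructed shortcut paths on the desktop and under Start | Programs.
SAMPLE_SHORTCUTS = [
    r"C:\Users\alice\Desktop\Security Tool.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk",
    r"C:\Users\alice\Desktop\Notepad++.lnk",
]

# Where %COMMON_APPDATA% / %APPDATA% resolve in XP-era and modern folder layouts (assumption).
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\roaming\\", "\\programdata\\")

# "Randomly generated" name as the page illustrates it: a run of digits (65124927)
# or of lowercase letters (gcutvzlen). The length bounds are an assumption.
RANDOM_NAME = re.compile(r"^(?:[0-9]{6,12}|[a-z]{7,14})$")

# Shortcut file name the page lists for this branding.
ROGUE_SHORTCUT_NAMES = {"security tool.lnk"}


def extract_exe_path(data: str) -> str:
    """Return the executable path from a Run value's data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted data: cut after the first ".exe" token so trailing arguments are dropped.
    match = re.match(r"(.*?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return match.group(1) if match else data


def looks_like_winwebsec_run_value(name: str, data: str) -> bool:
    """True when the value name, folder name and exe basename are one random token under AppData."""
    path = PureWindowsPath(extract_exe_path(data))
    if path.suffix.lower() != ".exe":
        return False
    stem, parent = path.stem.lower(), path.parent.name.lower()
    under_appdata = any(marker in str(path).lower() for marker in APPDATA_MARKERS)
    same_token = name.lower() == stem == parent
    return under_appdata and same_token and bool(RANDOM_NAME.match(stem))


def suspicious_run_values(values):
    """Filter (name, data) pairs down to those matching the Security Tool persistence pattern."""
    return [(name, data) for name, data in values if looks_like_winwebsec_run_value(name, data)]


def suspicious_shortcuts(paths):
    """Return shortcut paths whose file name matches the rogue's branding."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in ROGUE_SHORTCUT_NAMES]


if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value: {name} -> {data}")
    for path in suspicious_shortcuts(SAMPLE_SHORTCUTS):
        print(f"suspicious shortcut: {path}")
```

On a live host the same logic would be fed from the HKLM Run key and the desktop and Programs folders; the script flags only the two constructed rogue-style entries and leaves the two benign ones alone. The name-agreement check alone is weak (legitimate per-user applications also install as `Folder\Folder.exe`), so the AppData location and the random-looking name are what keep false positives down, and a hit is a triage lead to be confirmed by looking at the file, not a verdict.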
Win32/Winwebsec displays the following message box after finishing its installation:
Displays false/misleading malware alerts
When run, the malware performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program in order for it to do so.
Please see below for examples of interface, fake alerts, false scanning results, and pop-ups used by Win32/Winwebsec when distributed as Security Tool:
The malware also checks whether the Internet Explorer or Mozilla Firefox web browser is running on the system by monitoring for any open window with the following class names:
If found, the malware displays a false Firewall message indicating that it has blocked the browser from accessing the Internet, as shown below:
After installation, and upon each subsequent reboot of the system, Security Tool prevents the user from launching any application by terminating its process and displaying a message that falsely claims that the process is infected. For instance, if calc.exe is launched, the malware displays the following dialog:
Win32/Winwebsec, however, avoids terminating the following processes:
Modifies system settings
Trojan:Win32/Winwebsec hides all icons on the desktop and removes the affected system's default desktop wallpaper by making the following registry modification:
Removes value: "Wallpaper"
From subkey: HKCU\Control Panel\Desktop
Analysis by Amir Fouda