System Progressive Protection is a variant of Win32/Winwebsec, a family of rogue security programs that claim to scan for malware and display fake warnings about "malicious programs and viruses". The rogue then tells you that you must pay to register the software before it will remove these non-existent threats. It may also terminate processes and services, modify security settings, and block access to websites.
Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "System Progressive Protection".
Installation
When distributed as System Progressive Protection, the malware generates an identifier of around 32 hexadecimal characters and uses it in its path and file names. It copies itself to %common_appdata%\<identifier>\<identifier>.exe (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe).
It drops an icon file to %common_appdata%\<identifier>\<identifier>.ico (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.ico)
The rogue also creates a data file at %common_appdata%\<identifier>\<identifier> (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287)
It creates a desktop shortcut at %desktopdirectory%\System Progressive Protection.lnk.
It creates a Start menu item at %programs%\System Progressive Protection\System Progressive Protection.lnk.
The rogue makes the following changes to the registry to ensure that it runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <identifier> (for example, 6F638BF02B17D979A3CB6D177B07D287)
With data: <location of malware> (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe)
It also adds itself to the Add/Remove Programs list by creating the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection
Sets Value: "DisplayName"
With Data: "System Progressive Protection"
Sets value: "ShortcutPath"
With data: "<location of malware>" -u (for example, "%common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe" -u)
Sets value: "UninstallString"
With data: "<location of malware>" -u (for example, "%common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.exe" -u)
Sets value: "DisplayIcon"
With data: <location of icon file>,0 (for example, %common_appdata%\6F638BF02B17D979A3CB6D177B07D287\6F638BF02B17D979A3CB6D177B07D287.ico,0)
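As an added example that is not part of the original analysis, the following PowerShell triage script checks a host for the installation artifacts listed above: the RunOnce value named by the identifier, the Add/Remove Programs entry and its "<path>" -u uninstall string, the identifier-named directory and files under %common_appdata%, the two shortcuts, and any running process whose image name is the identifier. It is read-only. The function name Get-SPPIndicators is the example's own, and it assumes %common_appdata% resolves to $env:ProgramData, as on Windows Vista and 7; it needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the original analysis: read-only triage for the
# System Progressive Protection installation artefacts. Removes nothing.
# Assumption: %common_appdata% resolves to $env:ProgramData (Windows Vista/7).

function Get-SPPIndicators {
    $idPattern = '^[0-9A-Fa-f]{32}$'   # the 32-hex-character identifier
    $findings  = @()

    # 1. HKCU RunOnce value whose name is the identifier and whose data is
    #    %common_appdata%\<identifier>\<identifier>.exe
    $runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (Test-Path $runOnce) {
        foreach ($p in (Get-ItemProperty -Path $runOnce).PSObject.Properties) {
            if ($p.Name -match $idPattern) {
                $expected = Join-Path $env:ProgramData "$($p.Name)\$($p.Name).exe"
                $findings += [pscustomobject]@{
                    Indicator = 'RunOnce value named by identifier'
                    Detail    = "$($p.Name) = $($p.Value)"
                    Confirmed = ($p.Value -ieq $expected)   # data points at the expected path
                }
            }
        }
    }

    # 2. Add/Remove Programs entry; UninstallString should be "<path>\<id>\<id>.exe" -u
    $uninst = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection'
    if (Test-Path $uninst) {
        $u = Get-ItemProperty -Path $uninst
        $findings += [pscustomobject]@{
            Indicator = 'Add/Remove Programs entry'
            Detail    = "$($u.DisplayName): $($u.UninstallString)"
            Confirmed = ($u.UninstallString -match '\\([0-9A-Fa-f]{32})\\\1\.exe"\s+-u$')
        }
    }

    # 3. %common_appdata%\<id>\ holding <id>.exe, <id>.ico and the extension-less data file
    $dirs = Get-ChildItem -Path $env:ProgramData -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $idPattern }
    foreach ($d in $dirs) {
        $id   = $d.Name
        $have = @('.exe', '.ico', '') | Where-Object { Test-Path -LiteralPath (Join-Path $d.FullName "$id$_") }
        $findings += [pscustomobject]@{
            Indicator = 'Identifier-named directory under %common_appdata%'
            Detail    = "$($d.FullName) (present: $(($have | ForEach-Object { "$id$_" }) -join ', '))"
            Confirmed = ($have -contains '.exe')
        }
    }

    # 4. Desktop and Start menu shortcuts
    $lnk = 'System Progressive Protection.lnk'
    $shortcuts = @(
        (Join-Path ([Environment]::GetFolderPath('DesktopDirectory')) $lnk),
        (Join-Path ([Environment]::GetFolderPath('Programs')) "System Progressive Protection\$lnk")
    )
    foreach ($s in $shortcuts) {
        if (Test-Path -LiteralPath $s) {
            $findings += [pscustomobject]@{ Indicator = 'Shortcut'; Detail = $s; Confirmed = $true }
        }
    }

    # 5. A running process whose image name (without extension) is the identifier
    foreach ($proc in (Get-Process | Where-Object { $_.Name -match $idPattern })) {
        $findings += [pscustomobject]@{
            Indicator = 'Running process named by identifier'
            Detail    = "$($proc.Name) (PID $($proc.Id))"
            Confirmed = $true
        }
    }
    return $findings
}

# Usage: list everything found; an empty result means none of the artefacts are present.
Get-SPPIndicators | Format-Table -AutoSize -Wrap
```

Confirmed is true only where the artifact has exactly the shape described above (for example, a RunOnce value whose data really is %common_appdata%\<identifier>\<identifier>.exe); a 32-hex-character value name alone is reported with Confirmed set to false so that unrelated software using similar names can be ruled out by hand.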
Payload
Displays false/misleading malware alerts
When run, System Progressive Protection performs a fake scan of your computer, and falsely claims that a number of files on your computer are infected with malware. Should you request that it clean the reported infections, it advises you that you need to pay money to register the program in order for it to do so.
Examples of the interface, fake alerts, fake scanning results, and pop-ups displayed by System Progressive Protection appear in the screenshots accompanying this analysis (not reproduced here).
Terminates processes
Upon installation, System Progressive Protection prevents you from launching most applications: it monitors all running processes, terminates each new process as it is launched, and displays a message that falsely claims the terminated process is infected (screenshot not reproduced here).
Win32/Winwebsec, however, avoids terminating the following processes:
- aeadisrv.exe
- alg.exe
- audiodg.exe
- conhost.exe
- csrss.exe
- ctfmon.exe
- driverquery.exe
- dwm.exe
- explorer.exe
- httpd.exe
- iastordatamgrsvc.exe
- iexplore.exe
- iexplorer.exe
- livesp.exe
- lsass.exe
- lsm.exe
- makecab.exe
- mdnsresponder.exe
- mfnsvc.exe
- nvscpapisvr.exe
- nvsvc.exe
- nvvsvc.exe
- outlook.exe
- pdagent.exe
- relver.exe
- rundll32.exe
- searchindexer.exe
- services.exe
- slsvc.exe
- smartfortress.exe
- smss.exe
- snort.exe
- spoolsv.exe
- svchost.exe
- system
- systeminfo.exe
- taskhost.exe
- tasklist.exe
- werfault.exe
- wininit.exe
- winlogon.exe
- winmail.exe
- winroute.exe
- wlmail.exe
- wmiprvse.exe
- wscntfy.exe
- wuauclt.exe
It also avoids terminating any Win32/Winwebsec-related processes, or any process with a file name that has a length of exactly twenty characters, including the extension (for example, abcdef0123456789.exe).
It also specifically targets the following processes for termination:
- mpcmdrun.exe
- msascui.exe
- msmpeng.exe
- msseces.exe
- nissrv.exe
Stops and disables services
The malware may attempt to stop and disable the following services, which are related to Windows Update, Windows Security Center, and Microsoft and AVG antivirus products:
- AVG Security Toolbar Service
- avgfws
- AVGIDSAgent
- avgwd
- msmpsvc
- windefend
- wscsvc
- wuauserv
Closes windows
If you attempt to open one of the following windows (identified here by window class name), the rogue may close it:
- fwcplui_class (Windows Firewall)
- msascui_class (Windows Defender)
- wscui_class (Windows Security Center)
Modifies security settings
The malware may attempt to modify your computer's security settings by making a number of registry modifications.
It attempts to disable various Windows Security Center notifications by setting the following values in both of these subkeys:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"
It attempts to disable the Windows 7 Action Center by making the following changes to the registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "HideSCAHealth"
With data: "1"
It attempts to disable the UAC File Virtualization Filter Driver by making the following changes to the registry:
In subkey: HKLM\System\CurrentControlSet\Services\luafv
Sets value: "Start"
With data: "4"
System Progressive Protection attempts to prevent the creation of automatic System Restore points by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"
The rogue attempts to disable User Account Control (UAC) by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"
It attempts to disable Windows Defender by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender
Sets value: "DisableAntiSpyware"
With Data: "1"
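As an added example that is not part of the original analysis, the following PowerShell function audits the services listed under "Stops and disables services" and the registry values listed under "Modifies security settings", and, when run with -Apply, resets them. The "Expected" data are the Windows Vista/7 defaults as assumed by this example (Security Center notification and override values 0, HideSCAHealth 0, luafv Start 2, RPSessionInterval 1, EnableLUA 1, DisableAntiSpyware 0), and the Automatic startup type for the services is likewise this example's assumption, not something stated in the analysis. The function name Repair-SPPSecuritySettings is the example's own. It must run from an elevated prompt on PowerShell 3.0 or later, and a restored EnableLUA takes effect only after a restart.

```powershell
# Added example, not code from the original analysis. Audits the registry
# values and services the rogue tampers with and, when -Apply is given, resets
# them. Run from an elevated PowerShell prompt. The Expected data are the
# Windows Vista/7 defaults as assumed here, not values taken from the analysis.

function Repair-SPPSecuritySettings {
    [CmdletBinding()]
    param([switch]$Apply)

    # Registry checks: a value that is present and differs from Expected is
    # reported as tampered; an absent value is left alone.
    $checks  = @()
    $scKeys  = 'HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\Microsoft\Security Center\svc'
    $scNames = 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify'
    foreach ($key in $scKeys) {
        foreach ($n in $scNames) { $checks += @{ Key = $key; Name = $n; Expected = 0 } }
    }
    $checks += @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';      Expected = 0 }
    $checks += @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\luafv';                   Name = 'Start';              Expected = 2 }
    $checks += @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'RPSessionInterval';  Expected = 1 }
    $checks += @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'EnableLUA';          Expected = 1 }  # needs a reboot
    $checks += @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                        Name = 'DisableAntiSpyware'; Expected = 0 }

    $report = @()
    foreach ($c in $checks) {
        $current = $null
        if (Test-Path $c.Key) {
            $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($c.Name) }
        }
        $tampered = ($null -ne $current) -and ($current -ne $c.Expected)
        if ($tampered -and $Apply) {
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Expected -Type DWord
        }
        $report += [pscustomobject]@{
            Item = "$($c.Key)\$($c.Name)"; Current = $current; Expected = $c.Expected
            Tampered = $tampered; Fixed = ($tampered -and $Apply)
        }
    }

    # Services the rogue stops and disables. Third-party (AVG) names are checked
    # only if such a service exists; 'Automatic' as the expected startup type is
    # this example's assumption. Get-Service -Name matches service names, so an
    # entry given by display name is simply skipped.
    $services = 'wuauserv', 'wscsvc', 'WinDefend', 'MsMpSvc', 'avgfws', 'AVGIDSAgent', 'avgwd', 'AVG Security Toolbar Service'
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        $tampered = ($mode -eq 'Disabled')
        if ($tampered -and $Apply) {
            Set-Service -Name $svc.Name -StartupType Automatic
            Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
        }
        $report += [pscustomobject]@{
            Item = "Service $($svc.Name)"; Current = "$mode / $($svc.Status)"; Expected = 'Automatic / Running'
            Tampered = $tampered; Fixed = ($tampered -and $Apply)
        }
    }
    $report
}

# Usage: report first, then re-run with -Apply from an elevated prompt to revert.
Repair-SPPSecuritySettings | Format-Table -AutoSize
# Repair-SPPSecuritySettings -Apply
```

Run the report pass before the apply pass and keep its output: the Tampered column is the evidence of what the rogue changed, and a value that is present but differs from the default for a legitimate reason (a luafv Start of 3, say) should be examined rather than blindly reset.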
Blocks access to websites
The rogue monitors for the following browsers:
- chrome.exe
- firefox.exe
- iexplore.exe
- opera.exe
- safari.exe
If any of these is running, the rogue may periodically display a pop-up dialog (screenshot not reproduced here).
System Progressive Protection also monitors browser activity and may block access to certain sites, displaying the following text:
Warning! The site you are trying to visit may harm your computer!
Your security settings level puts your computer at risk
Activate System Progressive Protection, and enable safe web surfing (recommended)
Ignore warnings and visit that site in the current state (not recommended)
Analysis by David Wood