Recently, we have been seeing a lot of the Winwebsec rogue branded as "System Tool". Winwebsec authors have been using this brand since last year, but lately these have been seen using more aggressive campaigns.

Winwebsec is installed in a variety of ways. One of the ways is by imitating popular applications. For example, it may use the file name adobe_update_2011.exe and then the UltraEdit (editor tool) icon.

At this point, users who are familiar with Adobe should know that this is not the correct icon, and users of UltraEdit know that it doesn't come with such a file name.

adobe_update_2011.png

Upon successful installation, System Tool creates the following icon on your desktop:

System Tool 2011

And then the fake infection reports come in. The figures below show the fake infection reports that you may see when it's installed:

Warning! 38 infections found!!!

System Tool: System Scan

It also changes the desktop wallpaper to give more false warnings:

Warning! Your're in danger! Your computer is infected with spyware!

Note the misspelling of the word "Your're".

It may also display a fake error message on a blue screen; however, it's not an actual error message but merely an image made to look like an error message:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

Both of these images can be found in the Temporary Files folder with random names and .TMP and .BMP extensions.

Similar to past Winwebsec variants, System Tool also prevents certain applications from running by terminating them and then displaying a fake warning that suggests that the application is infected. When Notepad is executed, for example, it displays the following popup:

Warning! Application cannot be executed. The file notepad.exe is infected. Please activate your antivirus software.

However, there are certain processes that it avoids terminating altogether as these keep the operating system running.

If you go to their main webpage, System Tool displays an online support system form page where you can file your complaints or ask for a refund.

Online support center

Of course, don't expect anything in return but more malware. Also, now the malware authors know your email address, which may be used for future attacks and spam emails.

Instead, better submit the malware samples to us through our portal.

You can use any of our products to remove the malware.

More information on what files are installed are in the System Tool description in the MMPC encyclopedia.

 

-Elda and Francis

MMPC Dublin