Threat Research & Response Blog
Another new year is almost upon us. Or at least that's what the distributors of Rogue:Win32/Winwebsec would have us believe, releasing a new branding, System Doctor 2014, just prior to the middle of 2013.
Figure 1: System Doctor 2014 user interface
For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged.
System Doctor 2014 represents a departure from this, with the previous incarnation System Care Antivirus remaining the most active and prevalent version of Winwebsec. Indeed, System Doctor 2014 even checks for signs of a System Care Antivirus installation and will stop running if it finds any.
Figure 2: System Care Antivirus user interface
The appearance and behavior of System Doctor 2014 is also somewhat different to other Winwebsec variants. In the past, most rogues have asked for payment before "removing" the fake threats they report. System Doctor 2014 successfully "cleans" some of the threats before asking for payment, but not all of them. It recommends activation in order to remove the rest of the threats for which cleaning "failed".
Figure 3: System Doctor 2014 reporting cleaning failure
Figure 4: System Doctor 2014 reporting cleaning failure
Regular readers of this blog and our encyclopedia may also notice that the names of the threats falsely reported by System Doctor 2014 have a certain resemblance to the names of threats reported by Microsoft's antimalware products. The brief descriptions of the threats also appear to be lifted directly from our encyclopedia.
For example, in Figure 3 the threat name displayed in the rogue’s detections lists Win32/Sality.XX but is referred to as Win32/Sality.AT in the description below it. Our description for Virus:Win32/Sality.AT also begins with the same sentence: "Virus:Win32/Sality.AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives."
While there are differences between the two Winwebsec variants, they also have a number of behaviors in common: both have used the same custom obfuscation in an attempt to avoid detection by antimalware products, both use a similar request format when sending details of their installation to the distributors' server, and both attempt to prevent all other programs from running apart from a few that appear on a specified whitelist.
Interestingly, both variants also use exactly the same activation code.
When someone pays to register rogue software, they receive an activation code that they enter to convert the rogue to the "full" version. Once activated, the rogue will report that it has cleaned all of the fake threats it detected earlier. It will also stop trying to block other programs from running, which can make it easier to remove the rogue from an infected computer. Figure 4 shows the System Doctor 2014 user interface after cleaning the remaining fake threats.
Figure 5: System Doctor 2014 after its activation code has been entered
In the case of Winwebsec, all variants appear to use the same activation code. Of course, we strongly recommend that you do not ever pay to obtain an activation code.
Another approach is to use Windows Explorer to copy the file you want to run to the desktop, rename the new copy to explorer.exe or another filename on the whitelist, and run the new copy. You can find the whitelists for System Care Antivirus and System Doctor 2014 in their respective descriptions. For example, you could use this approach with Task Manager (taskmgr.exe) to end the Winwebsec process. After doing this, you should be able to perform any cleanup activities you need without further hindrance from Winwebsec.
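The renaming trick above works because Winwebsec decides which processes may run purely from the image filename. The following added example (written for this page, not code from the MMPC post or from Microsoft) models that decision and contrasts it with a content-hash allowlist, to show why a filename-only policy is bypassed by a renamed copy while a hash-based one is not. The whitelist entries, file names and file contents are constructed stand-ins; the real whitelists are in the encyclopedia descriptions the post links to.

```python
"""Added illustration (not from the MMPC post): a filename-only allowlist,
like the one Winwebsec uses to decide which processes may run, is satisfied
by renaming a copy of any program; a content-hash allowlist is not.
All names, file contents and hashes below are constructed for the example."""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for the rogue's whitelist of permitted image names.
NAME_WHITELIST = {"explorer.exe", "winlogon.exe", "csrss.exe"}


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_allowlist_permits(path, whitelist=NAME_WHITELIST):
    """Decision based on the basename alone, as the rogue makes it."""
    return os.path.basename(path).lower() in whitelist


def hash_allowlist_permits(path, allowed_hashes):
    """Decision based on file contents; renaming does not change the hash."""
    return sha256_of(path) in allowed_hashes


def demo():
    """Build a tiny constructed 'filesystem' and apply both policies.

    Returns the four decisions as a dict so the outcome can be checked."""
    root = tempfile.mkdtemp()
    try:
        # Constructed stand-ins for a whitelisted program and for Task Manager.
        real_explorer = os.path.join(root, "explorer.exe")
        taskmgr = os.path.join(root, "taskmgr.exe")
        with open(real_explorer, "wb") as f:
            f.write(b"constructed explorer stand-in")
        with open(taskmgr, "wb") as f:
            f.write(b"constructed taskmgr stand-in")

        # The remediation step from the post: copy the tool to the desktop
        # and give the copy a whitelisted name.
        renamed_copy = os.path.join(root, "Desktop", "explorer.exe")
        os.makedirs(os.path.dirname(renamed_copy))
        shutil.copyfile(taskmgr, renamed_copy)

        allowed_hashes = {sha256_of(real_explorer)}
        return {
            "name_check_original_taskmgr": name_allowlist_permits(taskmgr),
            "name_check_renamed_copy": name_allowlist_permits(renamed_copy),
            "hash_check_renamed_copy": hash_allowlist_permits(renamed_copy, allowed_hashes),
            "hash_check_real_explorer": hash_allowlist_permits(real_explorer, allowed_hashes),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for decision, permitted in demo().items():
        print(f"{decision}: {permitted}")
```

The name check passes the renamed copy of taskmgr.exe and rejects the unrenamed original, which is exactly what the workaround in the post relies on; the hash check rejects the copy regardless of its name. The same weakness applies to any legitimate application allowlist built on filenames alone, which is why real allowlisting products key on hashes or publisher signatures instead.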
However, the simplest method of removing Winwebsec, or any other malware that prevents you from downloading updates or running other software, is Windows Defender Offline.
Windows Defender Offline works by having you write a bootable copy of the scanner to removable media. This allows you to boot from the removable media and scan the affected computer with the latest antimalware definitions before any malware has a chance to start running.
There are more instructions on how to use this tool on the Windows Defender Offline download page.
David Wood, MMPC Melbourne
How did you manage to figure out what the activation code was?