Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details change to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Antiviral Factory 2013".
Installation
Antiviral Factory 2013 generates an identifier of about 32 hexadecimal characters, and uses this in its path and file names, for example 6F638BF02B17D979A3CB6D177B07D287.
It creates a folder with the identifier as its name in the %common_appdata% folder, into which it copies itself as a .exe file, drops an icon (.ico) file, and creates a data file (with no extension). It uses the same identifier for the file names.
It creates a desktop shortcut with the file name Antiviral Factory 2013.lnk, which looks like the following:
It creates a shortcut in <start menu>\Programs\Antiviral Factory 2013\Antiviral Factory 2013.lnk:
The rogue makes the following changes to the registry to ensure that it runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<identifier>" (for example, "6F638BF02B17D979A3CB6D177B07D287")
With data: "<location and file name of malware>"
Payload
Shows false and misleading malware alerts
Antiviral Factory 2013 does a fake scan of your computer, and falsely claims that a number of files on your computer are infected with malware. If you try to clean the reported infections with the program, it says that you must pay money.
The following are some examples of what the program looks like, the fake alerts and scanning results it shows, and the pop-ups it displays:
Stops processes
The program prevents you from running any program by stopping its process and displaying a message that falsely claims the process is infected:
It specifically targets the following processes to stop them from running:
- mpcmdrun.exe
- msascui.exe
- msmpeng.exe
- msseces.exe
- nissrv.exe
It does not stop or close the following processes:
- aeadisrv.exe
- alg.exe
- audiodg.exe
- conhost.exe
- csrss.exe
- ctfmon.exe
- diskavpro.exe
- driverquery.exe
- dwm.exe
- explorer.exe
- httpd.exe
- iastordatamgrsvc.exe
- iexplore.exe
- iexplorer.exe
- livesp.exe
- lsass.exe
- lsm.exe
- makecab.exe
- mdnsresponder.exe
- mfnsvc.exe
- nvscpapisvr.exe
- nvsvc.exe
- nvvsvc.exe
- outlook.exe
- pdagent.exe
- relver.exe
- rundll32.exe
- searchindexer.exe
- services.exe
- slsvc.exe
- smartfortress.exe
- smss.exe
- snort.exe
- spoolsv.exe
- svchost.exe
- system
- systeminfo.exe
- taskhost.exe
- tasklist.exe
- vmtoolsd.exe
- werfault.exe
- wininit.exe
- winlogon.exe
- winmail.exe
- winroute.exe
- wlmail.exe
- wmiprvse.exe
- wscntfy.exe
- wuauclt.exe
It also avoids stopping any Win32/Winwebsec-related processes, or any process with a file name that has a length of exactly twenty characters, including the extension (for example, abcdef0123456789.exe).
Stops and disables services
The malware may try to stop and disable the following services, which are related to Windows Update, Windows Security Center, and Microsoft and AVG antivirus products:
- AVG Security Toolbar Service
- avgfws
- AVGIDSAgent
- avgwd
- msmpsvc
- windefend
- wscsvc
- wuauserv
Closes windows
If you try to open one of the following windows or programs, the rogue may try to close them:
- fwcplui_class (Windows Firewall)
- msascui_class (Windows Defender)
- wscui_class (Windows Security Center)
Modifies security settings
The malware may try to modify your computer's security settings by making a number of registry modifications.
It tries to disable various Windows Security Center notifications by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"
It tries to disable the Windows 7 Action Center by making the following changes to the registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "HideSCAHealth"
With data: "1"
It tries to disable the UAC File Virtualization Filter Driver by making the following changes to the registry:
In subkey: HKLM\System\CurrentControlSet\Services\luafv
Sets value: "Start"
With data: "4"
It tries to prevent the creation of automatic System Restore points by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"
It tries to disable User Account Control (UAC) by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"
It tries to disable Windows Defender by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender
Sets value: "DisableAntiSpyware"
With data: "1"
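As an added example (not from this entry and not Microsoft's tooling), the following Python helper reads a `reg export` text dump offline and flags two things described above: the RunOnce value named after the 32-hexadecimal-character identifier from the Installation section, and the security-setting values listed in this section. The sample dump is constructed; the identifier used is the one quoted in this entry.

```python
import re
# Constructed sample in `reg export` format (a real export is UTF-16LE with a BOM,
# so read it with open(path, encoding="utf-16") before passing the text here).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"6F638BF02B17D979A3CB6D177B07D287"="C:\\ProgramData\\6F638BF02B17D979A3CB6D177B07D287\\6F638BF02B17D979A3CB6D177B07D287.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\svc]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\luafv]
"Start"=dword:00000004
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
RUNONCE = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
# (subkey, value name, data) the rogue writes, exactly as listed in this entry.
SC_VALUES = ("AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
             "FirewallOverride", "UpdatesDisableNotify")
TAMPERED = [("HKLM\\SOFTWARE\\Microsoft\\Security Center" + sfx, v, 1)
            for sfx in ("", "\\svc") for v in SC_VALUES] + [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HideSCAHealth", 1),
    ("HKLM\\System\\CurrentControlSet\\Services\\luafv", "Start", 4),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", "RPSessionInterval", 0),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system", "EnableLUA", 0),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows Defender", "DisableAntiSpyware", 1),
]

def parse_reg(text):
    # Map lower-cased short key path (HKLM\..., HKCU\...) -> {value name: int or str}.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
            current = keys.setdefault(key.lower(), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            name, dword, s = m.groups()
            current[name] = int(dword, 16) if dword is not None else s.replace("\\\\", "\\")
    return keys

def find_indicators(text):
    # Hits for the tampered settings above, plus a RunOnce value named after the
    # 32-hex-character identifier that points at <folder>\<id>\<id>.exe.
    keys = parse_reg(text)
    hits = [f"{path}\\{name} = {data}" for path, name, data in TAMPERED
            if keys.get(path.lower(), {}).get(name) == data]
    for name, data in keys.get(RUNONCE.lower(), {}).items():
        tail = f"\\{name}\\{name}.exe".lower()
        if re.fullmatch(r"[0-9A-Fa-f]{32}", name) and isinstance(data, str) and data.lower().endswith(tail):
            hits.append(f"RunOnce {name} -> {data}")
    return hits
```

A value that is present but not at the data the rogue writes (FirewallOverride = 0 in the sample) is deliberately not reported, so the output lists only settings in the tampered state.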
Blocks access to websites
The program monitors for the following browsers:
- chrome.exe
- firefox.exe
- iexplore.exe
- opera.exe
- safari.exe
If any of these are running, it may periodically display a dialog such as the following:
The program also monitors browser activity and may block access to certain sites, displaying the following message:
Warning! The site you are trying to visit may harm your computer!
Your security settings level puts your computer at risk
Activate Antiviral Factory 2013, and enable safe web surfing (recommended)
Ignore warnings and visit that site in the current state (not recommended)
Analysis by David Wood