Attentive Antivirus is a variant of Win32/Winwebsec, a family of programs that claim to scan for malware and display fake warnings about "malicious programs and viruses". They then tell you that you need to pay money to register the software in order to remove these non-existent threats. The malware may also stop processes and services, modify security settings, and block access to websites.
Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Attentive Antivirus".
Installation
When distributed as Attentive Antivirus, the malware generates an identifier of seven or eight random alphanumeric characters (for example, X7gngpng). It then creates a folder with this name under the %APPDATA% or <common_appdata> folder. It creates the following files in the folder:
- <identifier>.exe - a copy of itself
- <identifier>.ico - an icon file
- <identifier>.in or <identifier><8 random characters>.in - a data file
- <identifier>.lg or <identifier><8 random characters>.lg - a data file
- <identifier>.exe.manifest - a data file
- serv.bat - an MS-DOS batch script that modifies the registry and stops services; it may also be detected as Rogue:Win32/Winwebsec
Some examples are:
- <common_appdata>\X7gngpng\X7gngpng.exe
- <common_appdata>\X7gngpng\X7gngpngNwixDxva.in
- <common_appdata>\X7gngpng\X7gngpngNwixDxva.lg
- <common_appdata>\X7gngpng\X7gngpng.exe.manifest
- <common_appdata>\X7gngpng\X7gngpng.ico
- <common_appdata>\X7gngpng\serv.bat
- %APPDATA%\X7gngpng\X7gngpng.exe
- %appdata%\X7gngpng\X7gngpng.in
- %appdata%\X7gngpng\X7gngpng.lg
- %appdata%\X7gngpng\X7gngpng.exe.manifest
- %appdata%\X7gngpng\X7gngpng.ico
- %appdata%\X7gngpng\serv.bat
It creates the following registry entry so that it automatically runs every time you start your computer:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AA2014"
With data: "<malware copy>, for example, %appdata%\X7gngpng\X7gngpng.exe"
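The dropped-file layout and the Run-key entry above are the artefacts a responder would look for first. The following is an added example, not code from the write-up or from Microsoft, that checks a directory listing for the <identifier>\<identifier>.exe + serv.bat + data-file pattern and then flags Run values that use the "AA2014" name or launch from one of the folders found. The listing and the Run-key dump are constructed sample data; the user name "alice" and the OneDrive entry are invented.

```python
import re

# Constructed sample data: a directory listing of %APPDATA% and a dump of
# the HKLM Run key as name -> data pairs. Neither was captured from a real
# host; the X7gngpng layout mirrors the example paths in the write-up.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe",
    r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpngNwixDxva.in",
    r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpngNwixDxva.lg",
    r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe.manifest",
    r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.ico",
    r"C:\Users\alice\AppData\Roaming\X7gngpng\serv.bat",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
]
SAMPLE_RUN_VALUES = {
    "AA2014": r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# The rogue names its folder and main executable with 7 or 8 random
# alphanumeric characters, and registers itself under a fixed Run value name.
IDENT_RE = re.compile(r"^[A-Za-z0-9]{7,8}$")
RUN_VALUE_NAME = "AA2014"


def group_by_folder(paths):
    """Map each folder to the lower-cased set of file names directly inside it."""
    folders = {}
    for path in paths:
        folder, _, name = path.rpartition("\\")
        folders.setdefault(folder, set()).add(name.lower())
    return folders


def matches_winwebsec_layout(folder, names):
    """True when a folder shows the dropped-file pattern described above:
    <identifier>\\<identifier>.exe plus serv.bat plus at least one
    <identifier>*.in or <identifier>*.lg data file."""
    ident = folder.rpartition("\\")[2]
    if not IDENT_RE.match(ident):
        return False
    low = ident.lower()
    has_exe = low + ".exe" in names
    has_bat = "serv.bat" in names
    has_data = any(n.startswith(low) and n.endswith((".in", ".lg")) for n in names)
    return has_exe and has_bat and has_data


def find_suspect_folders(paths):
    """Return the folders in a listing whose contents match the layout."""
    grouped = group_by_folder(paths)
    return sorted(f for f, names in grouped.items() if matches_winwebsec_layout(f, names))


def find_suspect_run_values(run_values, suspect_folders):
    """Return Run-key value names that either use the rogue's fixed name
    or launch an executable from one of the suspect folders."""
    hits = []
    for name, data in run_values.items():
        target = data.strip('"').lower()
        in_suspect = any(target.startswith(f.lower() + "\\") for f in suspect_folders)
        if name == RUN_VALUE_NAME or in_suspect:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    folders = find_suspect_folders(SAMPLE_LISTING)
    print("suspect folders:", folders)
    print("suspect Run values:", find_suspect_run_values(SAMPLE_RUN_VALUES, folders))
```

Requiring all three parts of the layout (the same-named .exe, serv.bat, and a data file) keeps a benign seven-letter folder such as Mozilla or Firefox from being reported; the Run-key check then ties persistence back to the folder rather than relying on the "AA2014" name alone, which a later build could change.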
It creates a shortcut on your desktop with the file name "Attentive Antivirus.lnk", which might look like the following:
It also creates a shortcut to a website, also on your desktop, with the file name "Attentive Antivirus support.url", which leads to the rogue's support website, and might look like the following:
It also creates these shortcuts in <start menu>\Programs\Attentive Antivirus:
Note that in each of these shortcut file names, every letter A in "Attentive Antivirus" is not the standard Roman (Latin) letter A but the Cyrillic capital letter А, which looks identical on screen.
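Because the Cyrillic А (U+0410) renders exactly like the Latin A, a file-name search for "Attentive Antivirus" typed on a Latin keyboard will miss these shortcuts. The example below is added here and is not from the write-up or from Microsoft; it uses the Unicode character database to report any file name that mixes scripts and to list the offending characters with their code points. The shortcut name is constructed to match the description above.

```python
import unicodedata

# Constructed shortcut name using the Cyrillic capital letter A (U+0410) in
# place of both Latin A's, as the write-up describes.
SAMPLE_SHORTCUT_NAME = "\u0410ttentive \u0410ntivirus.lnk"


def letter_scripts(text):
    """Set of script names (first word of the Unicode character name) for
    the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split(" ")[0])
    return scripts


def is_mixed_script(text):
    """A file name drawing letters from more than one script is suspicious."""
    return len(letter_scripts(text)) > 1


def homoglyph_report(text):
    """List (index, char, 'U+XXXX', unicode name) for every non-Latin letter,
    so an analyst can see exactly which characters were substituted."""
    report = []
    for i, ch in enumerate(text):
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name and not name.startswith("LATIN"):
                report.append((i, ch, "U+%04X" % ord(ch), name))
    return report


if __name__ == "__main__":
    print("mixed script:", is_mixed_script(SAMPLE_SHORTCUT_NAME))
    for entry in homoglyph_report(SAMPLE_SHORTCUT_NAME):
        print(entry)
```

Unicode normalization does not help here: unicodedata.normalize("NFKC", ...) leaves U+0410 unchanged, because it is a distinct letter rather than a compatibility form of A. Checking for mixed scripts, as above, catches this substitution without needing a full confusables table.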
Payload
Displays fake scanner
When run, Attentive Antivirus performs a fake scan of your computer, and falsely claims that a number of files on your computer are infected with malware. Should you request that it clean the reported infections, it advises you that you need to pay money to register the program in order for it to do so.
Some examples of the interface, fake alerts, fake scanning results, and pop-ups displayed by Attentive Antivirus are shown below:
The malware may display its user interface in English, French, German, Italian, Portuguese, or Spanish, although details of the reported threats always appear in English. The following shows the Italian version of the user interface:
Disables services
Upon installation, Attentive Antivirus may prevent you from running programs. It might also falsely tell you that a program is infected and that this is why it can't run. It continuously monitors all running processes and may stop any new process as it is started.
It stops these programs from running at all times:
- chrome.exe
- cmd.exe
- firefox.exe
- msconfig.exe
- opera.exe
- regedit.exe
- safari.exe
- taskmgr.exe
Because it tries to convince you that certain programs are infected, it might display this warning:
However, it does not stop programs with these process names from running:
- aeadisrv.exe
- alg.exe
- audiodg.exe
- cleaner.exe
- conhost.exe
- csrss.exe
- ctfmon.exe
- dllhost.exe
- driverquery.exe
- dumprep.exe
- dwm.exe
- dwwin.exe
- explorer.exe
- httpd.exe
- iastordatamgrsvc.exe
- ie4uinit.exe
- iedw.exe
- ieuser.exe
- iexplore.exe
- iexplorer.exe
- livesp.exe
- lsass.exe
- lsm.exe
- makecab.exe
- mdnsresponder.exe
- mfnsvc.exe
- msdtc.exe
- nvscpapisvr.exe
- nvsvc.exe
- nvvsvc.exe
- pdagent.exe
- ping.exe
- reg.exe
- relver.exe
- rundll32.exe
- sc.exe
- searchindexer.exe
- searchprotocolhost.exe
- services.exe
- slsvc.exe
- smss.exe
- snort.exe
- spoolsv.exe
- svchost.exe
- sysdoctor.exe
- systeminfo.exe
- taskeng.exe
- taskhost.exe
- userinit.exe
- verclsid.exe
- vmacthlp.exe
- vmtoolsd.exe
- werfault.exe
- wininit.exe
- winlogon.exe
- winroute.exe
- wmiprvse.exe
- wmpnetwk.exe
- wscntfy.exe
- wuauclt.exe
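The behaviour above, a process in a random-named application-data folder repeatedly terminating the browsers and system tools on the first list, is something a host-monitoring pipeline can pick out. The following is an added example, not code from the write-up or from Microsoft: it parses constructed process-termination events in a simple made-up text format (not Sysmon or any product's schema), attributes each termination to the acting executable, and reports actors that have the <appdata>\<identifier>\<identifier>.exe shape and have stopped at least two distinct programs from the kill list. The "Application Data", "Roaming" and "ProgramData" parent-folder names are the usual locations of %APPDATA% and common application data on Windows XP and on Vista and later; the timestamps and user name are invented.

```python
import re

# Constructed process-termination events in a simple "ts EVENT actor= target="
# format (not Sysmon or any real product's schema). The actor paths mirror
# the write-up's example file names; the timestamps are invented.
SAMPLE_EVENTS = r"""
2014-02-03T09:15:01 TERMINATE actor=C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe target=taskmgr.exe
2014-02-03T09:15:07 TERMINATE actor=C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe target=regedit.exe
2014-02-03T09:16:30 TERMINATE actor=C:\Windows\explorer.exe target=firefox.exe
2014-02-03T09:17:02 TERMINATE actor=C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe target=cmd.exe
"""

EVENT_RE = re.compile(r"^(\S+)\s+TERMINATE\s+actor=(.+?)\s+target=(\S+)$")
IDENT_RE = re.compile(r"^[A-Za-z0-9]{7,8}$")

# Process names the rogue stops at all times (from the write-up).
KILL_LIST = {"chrome.exe", "cmd.exe", "firefox.exe", "msconfig.exe",
             "opera.exe", "regedit.exe", "safari.exe", "taskmgr.exe"}

# Parent folder names under which %APPDATA% and common application data
# resolve on Windows XP ("Application Data") and on Vista and later
# ("Roaming", "ProgramData"). Assumed typical locations, not from the page.
APPDATA_PARENTS = {"application data", "roaming", "programdata"}


def looks_like_rogue_copy(path):
    """True for <appdata>\\<ident>\\<ident>.exe with a 7-8 character ident."""
    parts = path.split("\\")
    if len(parts) < 3:
        return False
    parent, ident, name = parts[-3].lower(), parts[-2], parts[-1].lower()
    return (parent in APPDATA_PARENTS
            and IDENT_RE.match(ident) is not None
            and name == ident.lower() + ".exe")


def parse_events(text):
    """Yield (timestamp, actor path, target image name) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def find_process_killers(text, min_targets=2):
    """Return {actor: sorted kill-list targets} for actors that look like a
    Winwebsec copy and terminated at least min_targets distinct listed programs."""
    targets = {}
    for _ts, actor, target in parse_events(text):
        if target in KILL_LIST and looks_like_rogue_copy(actor):
            targets.setdefault(actor, set()).add(target)
    return {a: sorted(t) for a, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for actor, killed in find_process_killers(SAMPLE_EVENTS).items():
        print(actor, "->", ", ".join(killed))
```

Requiring more than one distinct target keeps a single accidental match from firing, and restricting the actor to the rogue's folder shape means explorer.exe closing a browser on the user's behalf is not reported even though firefox.exe is on the list.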
Stops and disables security services
This malware tries to stop the following security services from running; it also disables them so that they don't start up even if you restart your computer:
- msmpsvc (Microsoft Security Essentials)
- windefend (Windows Defender)
- wscsvc (Windows Security Center)
- wuauserv (Windows Update)
It also tries to disable the following service:
- luafv (UAC File Virtualization Filter)
Changes security settings
The malware might try to change your computer's security settings by making a number of registry modifications. It tries to disable different Windows Security Center notifications by making these changes:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"
It tries to prevent your computer from making System Restore points by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"
It tries to disable User Account Control (UAC) by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"
Sets value: "EnableVirtualization"
With data: "0"
It tries to prevent Windows Defender from running at startup by deleting the following entries if they are present in your registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes values: "Windows Defender", "MSASCui"
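The service and registry changes listed in the two sections above leave a recognisable footprint in a registry export, so they are worth auditing together when cleaning up or when hunting across a fleet. The following is an added example, not code from the write-up or from Microsoft. It takes a registry snapshot as a plain dictionary (key path to value-name/data pairs, as a collection script might produce) and reports every value that matches the rogue's settings, every targeted service whose Start value is 4, and any missing Windows Defender Run entry. The registry paths and value names come from the write-up; the HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start location and the meaning of Start=4 (disabled) are standard Windows, and both snapshots below are constructed.

```python
# Registry locations and values quoted from the write-up. The Services key
# and the Start=4 (disabled) semantics are standard Windows, not from the page.
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center\svc"
SYSTEM_RESTORE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
POLICIES_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
SERVICE_DISABLED = 4

# (key, value name, data the rogue writes)
TAMPER_VALUES = [
    (SECURITY_CENTER, "AntiVirusDisableNotify", 1),
    (SECURITY_CENTER, "AntiVirusOverride", 1),
    (SECURITY_CENTER, "FirewallDisableNotify", 1),
    (SECURITY_CENTER, "FirewallOverride", 1),
    (SECURITY_CENTER, "UpdatesDisableNotify", 1),
    (SYSTEM_RESTORE, "RPSessionInterval", 0),
    (POLICIES_SYSTEM, "EnableLUA", 0),
    (POLICIES_SYSTEM, "EnableVirtualization", 0),
]
TARGETED_SERVICES = {
    "msmpsvc": "Microsoft Security Essentials",
    "windefend": "Windows Defender",
    "wscsvc": "Windows Security Center",
    "wuauserv": "Windows Update",
    "luafv": "UAC File Virtualization Filter",
}
EXPECTED_RUN_VALUES = ("Windows Defender", "MSASCui")


def audit_registry_snapshot(snapshot):
    """Return a list of (kind, item, detail) findings consistent with the rogue."""
    findings = []
    for key, name, bad in TAMPER_VALUES:
        if snapshot.get(key, {}).get(name) == bad:
            findings.append(("value", key + "\\" + name, bad))
    for svc, label in TARGETED_SERVICES.items():
        start = snapshot.get(SERVICES_KEY + "\\" + svc, {}).get("Start")
        if start == SERVICE_DISABLED:
            findings.append(("service_disabled", svc, label))
    run = snapshot.get(RUN_KEY, {})
    for name in EXPECTED_RUN_VALUES:
        if name not in run:
            findings.append(("run_value_missing", RUN_KEY + "\\" + name, None))
    return findings


# Constructed snapshots: one as the rogue would leave it, one untouched.
_SC_OFF = {n: 1 for _, n, _ in TAMPER_VALUES[:5]}
_SC_ON = {n: 0 for _, n, _ in TAMPER_VALUES[:5]}
_DEFENDER_CMD = r"C:\Program Files\Windows Defender\MSASCui.exe -hide"  # constructed

TAMPERED_SNAPSHOT = {
    SECURITY_CENTER: _SC_OFF,
    SYSTEM_RESTORE: {"RPSessionInterval": 0},
    POLICIES_SYSTEM: {"EnableLUA": 0, "EnableVirtualization": 0},
    RUN_KEY: {"AA2014": r"C:\Users\alice\AppData\Roaming\X7gngpng\X7gngpng.exe"},
    SERVICES_KEY + r"\windefend": {"Start": 4},
    SERVICES_KEY + r"\wscsvc": {"Start": 4},
    SERVICES_KEY + r"\luafv": {"Start": 4},
    SERVICES_KEY + r"\wuauserv": {"Start": 2},
}
CLEAN_SNAPSHOT = {
    SECURITY_CENTER: _SC_ON,
    SYSTEM_RESTORE: {"RPSessionInterval": 1},
    POLICIES_SYSTEM: {"EnableLUA": 1, "EnableVirtualization": 1},
    RUN_KEY: {"Windows Defender": _DEFENDER_CMD, "MSASCui": _DEFENDER_CMD},
    SERVICES_KEY + r"\windefend": {"Start": 2},
    SERVICES_KEY + r"\wscsvc": {"Start": 2},
    SERVICES_KEY + r"\luafv": {"Start": 3},
    SERVICES_KEY + r"\wuauserv": {"Start": 2},
}

if __name__ == "__main__":
    for finding in audit_registry_snapshot(TAMPERED_SNAPSHOT):
        print(finding)
```

The Run-entry check is informational: a machine that never had Windows Defender installed will also lack those values, so weigh it with the other findings rather than on its own. A service absent from the snapshot (msmpsvc here) is not reported, because its absence usually means the product is not installed.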
Closes windows
If you try to open one of the following windows or programs, or if any alerts are displayed by these programs, the malware might try to close them:
- fwcplui_class (Windows Firewall)
- msascui_class (Windows Defender)
- wscui_class (Windows Security Center)
Blocks access to websites
The malware tries to block your access to certain websites; however, at the time of analysis the list of websites was not available. Instead of the requested page, it might display a fake warning similar to this:
Analysis by David Wood