Security Shield is a variant of Win32/Winwebsec, a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. The program then informs the user that they need to pay money to register the software in order to remove these non-existent threats.
Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant’s individual branding. The following details describe Win32/Winwebsec when it is distributed with the name Security Shield.
Installation
When distributed as Security Shield, Win32/Winwebsec copies itself to the %COMMON_APPDATA% or %APPDATA% folder with a randomly generated name (for example, C:\Documents and Settings\All Users\Application Data\62904.exe or C:\Documents and Settings\<user name>\Local Settings\Application Data\gcutvzlen.exe) and then launches the new copy.
It also creates the following shortcut to the rogue executable under the Start > Programs menu:
• %PROGRAMS%\Security Shield.lnk
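The installation indicators above (the dropped copy and the Start > Programs shortcut) can be turned into a simple host triage check. The following is an added example, not code from the original write-up: it runs offline over a file listing, and the "random-looking name" heuristic (digits only, or 6 to 12 lowercase letters) is an assumption derived from the two sample names quoted above.

```python
import re
from ntpath import basename, dirname, normcase
from typing import List, Optional, Tuple

# Indicators taken from the write-up: the shortcut name and the two drop folders
# (%COMMON_APPDATA% and the per-user Application Data folder on XP-era paths).
SHORTCUT_NAME = "security shield.lnk"
DROP_DIR_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\(?:local settings\\)?application data$"
)
# Assumed heuristic for the randomly generated file name (e.g. 62904.exe, gcutvzlen.exe).
RANDOM_EXE_RE = re.compile(r"^(?:\d{4,}|[a-z]{6,12})\.exe$")


def classify(path: str) -> Optional[str]:
    """Return a reason if the path matches a Security Shield indicator, else None."""
    norm = normcase(path)          # lower-case and backslash-normalise the path
    name = basename(norm)
    folder = dirname(norm)
    if name == SHORTCUT_NAME and folder.endswith("\\programs"):
        return "rogue Start > Programs shortcut"
    if DROP_DIR_RE.match(folder) and RANDOM_EXE_RE.match(name):
        return "random-name executable dropped in Application Data root"
    return None


def triage(paths: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a listing; hits are leads for review, not verdicts."""
    return [(p, reason) for p in paths if (reason := classify(p))]


# Constructed file listing: the write-up's sample paths mixed with benign entries.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\All Users\Application Data\62904.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\gcutvzlen.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Security Shield.lnk",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\x.dat",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```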
Win32/Winwebsec displays the following message box after finishing its installation:
Payload
Displays false/misleading malware alerts
When run, the malware performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program in order for it to do so.
Please see below for examples of the interface, fake alerts, false scanning results, and pop-ups used by Win32/Winwebsec when distributed as Security Shield:
The malware also checks if the Internet Explorer or Mozilla Firefox web browsers are running on the system by monitoring any open window with the following class names:
- IEFrame
- MozillaUIWindowClass
If found, the malware displays a false Firewall message indicating that it has blocked the browser from accessing the Internet, as shown below:
Terminates processes
After installation, and upon each subsequent reboot of the system, Security Shield prevents the user from launching any application by terminating its process and displaying a message that falsely claims that the process is infected. For instance, if notepad.exe is launched, the malware displays the following dialog:
Win32/Winwebsec, however, avoids terminating the following processes:
iexplore.exe
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft_cleaner.exe
Modifies system settings
Analysis by David Wood