This month’s addition to the Malicious Software Removal Tool (MSRT) is a rogue security program called Trojan:Win32/Winwebsec. In most respects, Winwebsec is virtually the same as other rogues. It is often distributed through fake online scanner web pages that will look very familiar to anyone who has spent any time looking at rogues:
This web page is virtually identical to those used by other rogues like Trojan:Win32/FakeXPA and Trojan:Win32/WinSpywareProtect. It can’t actually scan the machine; it’s entirely fake. At the end of the “scan”, or if you click anywhere on the page, it tries to load the trojan itself, which usually goes by the file name “install.exe”. If allowed to run, this installs the rogue, which generally looks like this:
Winwebsec goes by different names (“System Security” and “Winweb Security”), which is also typical of a rogue. One less common feature is that it has been known to download additional malware. For a short time it downloaded Worm:Win32/Koobface (which we added to MSRT in March). This brings us full circle: one of the ways we have seen people directed to Win32/Winwebsec’s fake online scanner is via Win32/Koobface. As Scott mentioned in his blog, Koobface can launch pop-ups which load fake online scanners. At one time it was FakeXPA, at another it was Win32/Winwebsec. Koobface doesn’t seem attached to a specific rogue.
Some variants of Winwebsec try to block execution of particular programs. Instead of containing a list of programs to block, however, they contain a list of programs to allow:
Anything not on the list won’t run. This is enough to enable the system to work (barely), but obviously stops you from running tools that might help you remove Winwebsec (even cmd.exe and taskmgr.exe are blocked, for example). This “feature” serves a dual purpose, however: it is also another way to convince you that you need to pay money for the rogue:
-- Hamish O’Dea