WINWEBSE
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
WINWEBSE variants pose as genuine anti-virus software: they pretend to scan the computer and display fake warnings about infections. They then demand payment from the user to register the software and remove the supposed threats, which do not actually exist.
TECHNICAL DETAILS
Installation
This Trojan drops and executes the following files:
- %Desktop%\Security Tool.lnk
- %Start Menu%\Programs\Security Tool.lnk
- %All Users Profile%\{random folder name}\{random filename}.bat
(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Start Menu% is the Start Menu folder, where it usually is C:\Documents and Settings\{user name}\Start Menu on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\{random digit}
It adds the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
{random name} = "%All Users Profile%\{random folder name}\{random filename}.exe" (For Windows Vista and Windows 7)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
{random name} = "%All Users Profile%\Application Data\{random folder name}\{random filename}.exe" (For Windows XP)
HKEY_LOCAL_MACHINE\SOFTWARE\{random digit}
Grep = "{random value}"
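The dropped files and registry entries above are the host-side indicators for this family. As an added example that is not part of the advisory, the following Python script turns them into a check: it matches a registry snapshot against the Run-value shape described here (one random folder directly under the All Users profile root, holding one random .exe, in both the XP and the Vista/7 form), looks for the HKEY_LOCAL_MACHINE\SOFTWARE\{random digit} key carrying a Grep value, and looks for the Security Tool.lnk shortcuts on the desktop and under Start Menu\Programs. The registry values and file paths embedded below are constructed samples; on Windows the script also reads the live HKLM Run key through the standard winreg module. The folder/file-shape match is a heuristic and can flag legitimate software that autoruns from directly under ProgramData, so treat hits as leads to review rather than verdicts.

```python
import re
import sys

# HKLM Run key named in the advisory (the XP and Vista/7 entries differ only in the data).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Shape of the Run-value data for this family: one random folder directly under the
# All Users profile root holding one random .exe.
#   Vista/7: C:\ProgramData\{random folder}\{random filename}.exe
#   XP:      C:\Documents and Settings\All Users\Application Data\{random folder}\{random filename}.exe
# A deeper path such as ProgramData\Vendor\Sub\app.exe deliberately does not match.
RUN_DATA_RE = re.compile(
    r'^"?[A-Za-z]:\\(?:ProgramData|Documents and Settings\\All Users\\Application Data)'
    r'\\(?P<folder>[^\\"]+)\\(?P<file>[^\\"]+\.exe)"?\s*$',
    re.IGNORECASE,
)

# HKLM\SOFTWARE\{random digit} key that holds a value named "Grep".
DIGIT_SUBKEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\\d+$", re.IGNORECASE)

# Shortcut dropped on the desktop and under Start Menu\Programs.
SHORTCUT_RE = re.compile(r"\\(?:Desktop|Start Menu\\Programs)\\Security Tool\.lnk$", re.IGNORECASE)

# Constructed registry snapshot (not from a real host): two benign autoruns, one entry in
# each malicious shape, one Grep marker under a digit-named key, one Grep value elsewhere.
SAMPLE_REGISTRY = [
    {"key": RUN_KEY, "name": "SecurityHealth", "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"key": RUN_KEY, "name": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"key": RUN_KEY, "name": "48329174", "data": r"C:\ProgramData\48329174\48329174.exe"},
    {"key": RUN_KEY, "name": "mhkdsoe", "data": r"C:\Documents and Settings\All Users\Application Data\mhkdsoe\mhkdsoe.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\48329174", "name": "Grep", "data": "a1b2c3"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft", "name": "Grep", "data": "unrelated"},
]

# Constructed file listing: the two dropped shortcuts plus an ordinary one.
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\Security Tool.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk",
    r"C:\Users\alice\Desktop\Notepad++.lnk",
]


def scan_registry(values):
    """values: iterable of {"key", "name", "data"} dicts describing registry values."""
    findings = []
    for v in values:
        if v["key"].lower() == RUN_KEY.lower():
            m = RUN_DATA_RE.match(v["data"])
            if m:
                findings.append({"type": "run_entry", "where": f"{v['key']}\\{v['name']}",
                                 "detail": f"autorun of {m.group('file')} from folder {m.group('folder')}"})
        elif DIGIT_SUBKEY_RE.match(v["key"]) and v["name"].lower() == "grep":
            findings.append({"type": "grep_marker", "where": v["key"], "detail": f"Grep = {v['data']!r}"})
    return findings


def scan_files(paths):
    """Flag every path that is a Security Tool.lnk on a desktop or under Start Menu\\Programs."""
    return [{"type": "shortcut", "where": p, "detail": "Security Tool.lnk"} for p in paths if SHORTCUT_RE.search(p)]


def scan_snapshot(values, paths):
    return scan_registry(values) + scan_files(paths)


def collect_run_entries_windows():
    """Read the live HKLM Run key (Windows only) into the snapshot format used above."""
    import winreg  # standard library; only importable on Windows
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # raised once all values have been enumerated
                break
            out.append({"key": RUN_KEY, "name": name, "data": str(data)})
            i += 1
    return out


if __name__ == "__main__":
    # On Windows, check the real Run key; elsewhere fall back to the constructed sample.
    values = collect_run_entries_windows() if sys.platform == "win32" else SAMPLE_REGISTRY
    for f in scan_snapshot(values, SAMPLE_FILES):
        print(f"[{f['type']}] {f['where']}: {f['detail']}")
```

Against the constructed snapshot the script reports both malicious Run entries, the Grep marker under the digit-named key, and both shortcuts, and stays silent on the benign autoruns, the Grep value under HKLM\SOFTWARE\Microsoft, and the unrelated shortcut.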
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://91.188.60.126/set.php?url={value}&affid={value}&sts={value}&win={OS Version}
- http://cloud.tnf.yt:443
- http://188.165.211.6/buy2.php?affid={value}&sts={value}
- http://72.233.65.204/buy2.php?affid={value}&sts={value}
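The URLs above are the network indicators for this family. As an added example that is not part of the advisory, the following Python snippet scans proxy-log lines for them: it flags any request to one of the listed hosts, pulls out the affid, sts, win and url query parameters so the affiliate id can be correlated across machines, and, going one step beyond the list, also flags the same set.php or buy2.php call shape carrying both affid and sts when it is aimed at a host that is not listed. The log lines and their "timestamp client method url status" layout are constructed for the example, as are the parameter values in them.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts and paths taken from the URL list in this advisory.
C2_HOSTS = {"91.188.60.126", "188.165.211.6", "72.233.65.204", "cloud.tnf.yt"}
C2_PATHS = {"/set.php", "/buy2.php"}
# Query parameters the family sends; affid is the affiliate id that identifies the campaign.
PARAMS_OF_INTEREST = ("affid", "sts", "win", "url")

# Constructed proxy log (not real traffic) in a simple "timestamp client method url status" layout.
SAMPLE_LOG = """\
2010-03-02T10:15:01 10.0.0.15 GET http://www.example.com/index.html 200
2010-03-02T10:15:07 10.0.0.15 GET http://91.188.60.126/set.php?url=http%3A%2F%2Fexample.com%2F&affid=12345&sts=1&win=5.1 200
2010-03-02T10:15:09 10.0.0.15 CONNECT cloud.tnf.yt:443 200
2010-03-02T10:16:30 10.0.0.22 GET http://188.165.211.6/buy2.php?affid=12345&sts=2 200
2010-03-02T10:17:02 10.0.0.22 GET http://72.233.65.204/images/logo.png 404
2010-03-02T10:18:45 10.0.0.31 GET http://example.net/buy2.php?affid=9&sts=1 200
"""


def classify_url(url):
    """Return ("host", params), ("pattern", params) or None for one request URL."""
    if "://" not in url:          # CONNECT targets are logged as host:port without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params = {k: query[k] for k in PARAMS_OF_INTEREST if k in query}
    if host in C2_HOSTS:
        return "host", params
    # Weaker signal, a generalisation beyond the advisory's list: the same set.php/buy2.php
    # call shape with affid and sts, sent to a host that is not listed.
    if parts.path in C2_PATHS and "affid" in params and "sts" in params:
        return "pattern", params
    return None


def scan_log(text):
    """Run classify_url over every well-formed log line and collect the hits in order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines rather than crash on them
        ts, client, method, url, status = fields
        verdict = classify_url(url)
        if verdict:
            kind, params = verdict
            hits.append({"time": ts, "client": client, "method": method, "url": url,
                         "kind": kind, "params": params})
    return hits


def affiliates(hits):
    """Distinct affiliate ids seen, for tying infections on several clients to one campaign."""
    return sorted({h["params"]["affid"] for h in hits if "affid" in h["params"]})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} [{h['kind']}] {h['method']} {h['url']} params={h['params']}")
    print("affiliate ids:", affiliates(found))
```

Host matches are strong on their own (the request to 72.233.65.204 for an image is still reported, because the address itself is the indicator); the "pattern" verdict is there to catch the same infrastructure on an address the advisory does not list and should be reviewed before it is acted on.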
