
Are you using the right “System Tool”?

Recently, we have been seeing a lot of the Winwebsec rogue branded as “System Tool”. Winwebsec authors have been using this brand since last year, but lately it has been pushed through more aggressive distribution campaigns.

Winwebsec is installed in a variety of ways. One of them is to imitate popular applications. For example, the installer may use the file name adobe_update_2011.exe combined with the icon of UltraEdit (a text editor).

At this point, users who are familiar with Adobe should know that this is not the correct icon, and users of UltraEdit know that it doesn’t come with such a file name.

[Image: adobe_update_2011.exe displayed with the UltraEdit icon]

Upon successful installation, System Tool creates the following icon on your desktop:

[Image: “System Tool 2011” desktop icon]

And then the fake infection reports come in. The figures below show the fake infection reports that you may see when it’s installed:

Warning! 38 infections found!!!

System Tool: System Scan

It also changes the desktop wallpaper to give more false warnings:

Warning! Your're in danger! Your computer is infected with spyware!

Note the misspelling of the word “Your’re”.

It may also display a fake error message on a blue screen; however, it’s not an actual error message but merely an image made to look like an error message:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

Both of these images (the wallpaper and the fake blue-screen error) can be found in the Temporary Files folder, stored under random names with .TMP and .BMP extensions.
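The point above gives a defender a simple triage check: a bitmap image sitting in the user's temp folder under a random name and a .TMP extension is out of place. The script below is an added example written for this post, not code from the MMPC authors or from any Microsoft product; it assumes only what the text states (images with .TMP/.BMP extensions in the temp folder) and builds a constructed sample directory so it runs offline. It looks past the extension by checking the BMP signature ("BM") and reads the image dimensions from the DIB header, which helps distinguish a wallpaper-sized bitmap from an ordinary temp file.

```python
import os
import struct
import tempfile
from pathlib import Path

BMP_MAGIC = b"BM"


def bmp_dimensions(path: Path):
    """Return (width, height) if the file is a BMP bitmap, else None.

    The check reads the 2-byte signature and the width/height fields of the
    BITMAPINFOHEADER (offsets 18 and 22); the extension is ignored on purpose.
    """
    try:
        with path.open("rb") as fh:
            data = fh.read(26)
    except OSError:
        return None
    if len(data) < 26 or data[:2] != BMP_MAGIC:
        return None
    width, height = struct.unpack_from("<ii", data, 18)
    return width, abs(height)  # height is negative for top-down bitmaps


def find_disguised_bitmaps(temp_dir, extensions=(".tmp", ".bmp")):
    """Scan one directory for files carrying a .TMP or .BMP extension whose
    content is actually a BMP image. Returns sorted (name, width, height)."""
    hits = []
    for entry in Path(temp_dir).iterdir():
        if not entry.is_file() or entry.suffix.lower() not in extensions:
            continue
        dims = bmp_dimensions(entry)
        if dims is not None:
            hits.append((entry.name, dims[0], dims[1]))
    return sorted(hits)


def tiny_bmp() -> bytes:
    """A minimal valid 1x1 24-bit BMP, constructed for the demo."""
    pixel = b"\x00\x00\xff\x00"  # one BGR pixel plus one byte of row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixel)
    header = struct.pack("<2sIHHI", BMP_MAGIC, size, 0, 0, 14 + len(dib))
    return header + dib + pixel


def build_sample_temp_dir() -> str:
    """Constructed sample temp folder: one bitmap hidden behind a random-looking
    .tmp name, one ordinary .bmp, one text .tmp and one unrelated .log."""
    d = tempfile.mkdtemp(prefix="systool_demo_")
    (Path(d) / "a1b2c3.tmp").write_bytes(tiny_bmp())          # disguised image
    (Path(d) / "wallpaper.bmp").write_bytes(tiny_bmp())       # plain bitmap
    (Path(d) / "notes.tmp").write_bytes(b"temporary notes\n")  # not an image
    (Path(d) / "setup.log").write_bytes(b"installer log\n")   # ignored extension
    return d


def scan_user_temp():
    """Run the same check against the real per-user temp directory."""
    return find_disguised_bitmaps(tempfile.gettempdir())


if __name__ == "__main__":
    sample = build_sample_temp_dir()
    for name, w, h in find_disguised_bitmaps(sample):
        print(f"{os.path.join(sample, name)}: BMP {w}x{h}")
    print("real temp dir hits:", scan_user_temp())
```

On a live machine, run scan_user_temp() and look at the dimensions: a bitmap the size of the screen under a random .TMP name is worth pulling for analysis, while a small bitmap from an installer usually is not.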

Similar to past Winwebsec variants, System Tool also prevents certain applications from running by terminating them and then displaying a fake warning that suggests that the application is infected. When Notepad is executed, for example, it displays the following popup:

Warning! Application cannot be executed. The file notepad.exe is infected. Please activate your antivirus software.

However, it avoids terminating certain processes altogether, as these keep the operating system running.

If you visit the rogue's main webpage, System Tool displays an online support form where you can file complaints or ask for a refund.

Online support center

Of course, don’t expect anything in return but more malware. Worse, the malware authors now know your email address, which may be used for future attacks and spam.

Instead, submit the malware samples to us through our portal.

You can use any of our products to remove the malware.

More information on which files are installed is in the System Tool description in the MMPC encyclopedia.


-Elda and Francis

MMPC Dublin
