System Progressive Protection, a new malware pretending to be antivirus software, first appeared a couple of days ago. It belongs to the Winwebsec family of rogue security products. The malware is distributed by drive-by downloads or is dropped and executed by another malware. It blocks its victims from accessing any other application on an infected machine. It claims to detect infections, and displays alerts to scare users into purchasing protection. These rogue malware extort money from PC owners to “fix” their systems. In reality, this program doesn’t scan your computer at all.
Once the “scan” is complete, System Progressive Protection scares its victims by reporting some applications infected by malware. The malware also connects to IP address 112.121.178.189 through port 1214. The victim cannot run any applications at this point. The malware claims all applications are infected by some malware.
When the victim attempts to activate System Progressive Protection, a web page opens and asks for an online payment.
The malware tells its victims to enter the activation code.
After victims enter the activation code, they can again use their applications, but the fake AV still remains on the machine.
After registering, victims see a message that all the infections have been cleaned. They also get an Internet shortcut file to System Progressive Protection support.
This web page appears to offer a user guide, support, and FAQ.
The malware writes a new file (compressed with PECompact) in memory and executes it.
The encrypted data is taken from .rsrc section.
Files dropped on the victim’s machine after infection:
- %Desktopdir%\System Progressive Protection.lnk
- %Programs%\System Progressive Protection\System Progressive Protection.lnk
- %AppData%\[random]\[random].exe
Registry entries to be removed:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “[SET OF RANDOM CHARACTERS]“
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection\
Removing this rogue AV is comparatively easy. Dropped files and registry entries must be deleted. The malware blocks many of the victims’ applications but not Internet Explorer. They can still get online to seek help from antimalware websites:
Advice to Customers
Keep your systems updated with the latest patches. Ensure your antimalware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites.