System Doctor 2014: A fake AV for the upcoming year

In an effort to keep one step ahead of security solutions and attentive users, peddlers of fake AV solutions often change the name of the malware they are trying to sell.

Researchers from Microsoft’s Malware Protection Center are warning about the latest two instances: System Doctor 2014 and System Care Antivirus.

These are two variants of the same malware – detected by Microsoft as Winwebsec – but with a different look / user interface.

“While there are differences between the two Winwebsec variants, they also have a number of behaviors in common: both have used the same custom obfuscation in an attempt to avoid detection by antimalware products, both use a similar request format when sending details of their installation to the distributors’ server, and both attempt to prevent all other programs from running apart from a few that appear on a specified whitelist,” the researchers point out.

Also, both variants use the same activation code.

The System Care Antivirus is an older variant that has been around for a while now. Even thought Winwebsec creators obviously wanted to snag those customers that can be swayed by the “2014” in the newest offering’s title, System Care Antivirus is still the dominant one because System Doctor 2014 stops running if it detects it on the target computer.

It’s also interesting to note that System Doctor 2014 does not behave like your typical fake AV solution, as it seemingly does clean some of the “found” threats but, alas, it’s not able to clean them all. For that, users will have to pay up.

Once the activation code (AA39754E-715219CE) is inserted and the rogue AV’s “full” version is activated, it reports that the cleaning has now been completed. The good news is that it now stops trying to block other programs from running, and you can (and should) now easily use a legitimate AV solution to remove it from your computer.