W32/Wintrim

Threat risk: medium

Detection files published: 2006-08-02
Description created: 2009-12-10
Description updated: 2009-12-10

Malware type: Trojan
Alias: TrojanDownloader.Win32.Wintrim.s, Downloader-DA.b, TrojanDownloader:Win32/Wintrim, W32/Downloader-Persis, Mal/SkimTrim-A
Spreading mechanism: Other

Payload:

Summary

Wintrim is a family of trojans that display pop-up advertisements depending on the user's keywords and browsing history. Its variants can monitor the user's activities, download applications, and send system information back to a remote server.

Size: 569,100 bytes to 688,596 bytes

Spreading description

W32/Wintrim is bundled with an application called Mailskinner.

Threat description

After the malware is executed, an installation screen is displayed, just as a legitimate installer would show. It then creates .tmp files in %WINDOWS%\TEMP and registry entries under "HKLM\Software\" to keep track of its files and of the content it downloads from a URL. Certain variants also create mutex (mutant) objects.

Sandbox analysis

[ DetectionInfo ]
* Filename: C:\Documents and Settings \Desktop\Sample\Current\1727e1f703e77cf2f00a3c96bc3f93d2.exe.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 569100 bytes.
* MD5 hash: 1727e1f703e77cf2f00a3c96bc3f93d2.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsf1743.tmp.
* Deletes file C:\WINDOWS\TEMP\nsf1743.tmp.
* Creates file C:\WINDOWS\TEMP\nsz4817.tmp.
* Overwrites file C:\WINDOWS\TEMP\nsz4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp.
* Deletes file C:\WINDOWS\TEMP\nsh9867.tmp.
* Creates directory C:\WINDOWS\TEMP\nsh9867.tmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp\modern-header.bmp.
* Overwrites file C:\WINDOWS\TEMP\nsh9867.tmp\modern-wizard.bmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp\nsDialogs.dll.

[ Changes to registry ]
* Accesses Registry key "HKLM\Software\[removed].ORG\Free Download Manager".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Creates key "HKLM\Software\Speed-Downloading".
* Creates key "HKCU\Software\Speed-Downloading".
* Deletes value "nums" in key "HKLM\Software\Speed-Downloading".
* Deletes value "nums" in key "HKCU\Software\Speed-Downloading".
* Deletes value "bnrid" in key "HKLM\Software\Speed-Downloading".
* Deletes value "bnrid" in key "HKCU\Software\Speed-Downloading".
* Sets value "grpid"="1591" in key "HKLM\Software\Speed-Downloading".
* Sets value "grpid"="1591" in key "HKCU\Software\Speed-Downloading".
* Sets value "installdt"="20090708" in key "HKLM\Software\Speed-Downloading".
* Sets value "installdt"="20090708" in key "HKCU\Software\Speed-Downloading".
* Sets value "uai"="http://[removed]" in key "HKCU\Software\Speed-Downloading".
* Deletes value "addinfo" in key "HKLM\Software\Speed-Downloading".
* Deletes value "addinfo" in key "HKCU\Software\Speed-Downloading".
* Deletes value NULL in key "HKLM\Software\Speed-Downloading".
* Deletes value NULL in key "HKCU\Software\Speed-Downloading".
* Deletes value "guid" in key "HKLM\Software\Speed-Downloading".
* Deletes value "guid" in key "HKCU\Software\Speed-Downloading".
* Sets value "dl_lg"="EN" in key "HKLM\Software\Speed-Downloading".
* Sets value "dl_lg"="EN" in key "HKCU\Software\Speed-Downloading".
* Deletes value "dl_theme" in key "HKLM\Software\Speed-Downloading".
* Deletes value "dl_theme" in key "HKCU\Software\Speed-Downloading".
* Sets value "dl_browser"="IE" in key "HKLM\Software\Speed-Downloading".
* Sets value "dl_browser"="IE" in key "HKCU\Software\Speed-Downloading".
* Accesses Registry key "HKCU\Software\Speed-Downloading".

[ Process/window information ]
* Creates a dialogbox with caption "".
* Buttons found in dialogbox: id3[166,201]"" id1[216,201]"" id2[273,201]"" .
* Button id 1 is changing text to "&Next >".
* Button id 3 is changing text to "".
* Button id 2 is changing text to "Cancel".

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage  Title  Comment
  Stopping the spread of viruses on network shares
  Cleaning of back-up folders on Windows Me and XP