Detection files published: 2006-08-02
Description created: 2009-12-10
Description updated: 2009-12-10

Alias: TrojanDownloader.Win32.Wintrim.s, Downloader-DA.b, TrojanDownloader:Win32/Wintrim, W32/Downloader-Persis, Mal/SkimTrim-A
Spreading mechanism: Other

Payload:
Wintrim is a family of trojans that display pop-up advertisements depending on the user's keywords and browsing history. Its variants can monitor the user's activities, download applications, and send system information back to a remote server.
Size: 569,100 bytes to 688,596 bytes
W32/Wintrim is bundled with an application called Mailskinner.
When the malware is executed, an installation screen is displayed, mimicking the behaviour of a legitimate installer. It then creates .tmp files in %WINDOWS%\TEMP, writes registry entries under "HKLM\Software\" to keep track of its files, and downloads content from a URL. Certain variants also create mutants (mutex objects).
[ DetectionInfo ]
* Filename: C:\Documents and Settings\Desktop\Sample\Current\1727e1f703e77cf2f00a3c96bc3f93d2.exe.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* File length: 569100 bytes.
* MD5 hash: 1727e1f703e77cf2f00a3c96bc3f93d2.
[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsf1743.tmp.
* Deletes file C:\WINDOWS\TEMP\nsf1743.tmp.
* Creates file C:\WINDOWS\TEMP\nsz4817.tmp.
* Overwrites file C:\WINDOWS\TEMP\nsz4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp.
* Deletes file C:\WINDOWS\TEMP\nsh9867.tmp.
* Creates directory C:\WINDOWS\TEMP\nsh9867.tmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp\modern-header.bmp.
* Overwrites file C:\WINDOWS\TEMP\nsh9867.tmp\modern-wizard.bmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp\nsDialogs.dll.
[ Changes to registry ]
* Accesses Registry key "HKLM\Software\[removed].ORG\Free Download Manager".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Creates key "HKLM\Software\Speed-Downloading".
* Creates key "HKCU\Software\Speed-Downloading".
* Deletes value "nums" in key "HKLM\Software\Speed-Downloading".
* Deletes value "nums" in key "HKCU\Software\Speed-Downloading".
* Deletes value "bnrid" in key "HKLM\Software\Speed-Downloading".
* Deletes value "bnrid" in key "HKCU\Software\Speed-Downloading".
* Sets value "grpid"="1591" in key "HKLM\Software\Speed-Downloading".
* Sets value "grpid"="1591" in key "HKCU\Software\Speed-Downloading".
* Sets value "installdt"="20090708" in key "HKLM\Software\Speed-Downloading".
* Sets value "installdt"="20090708" in key "HKCU\Software\Speed-Downloading".
* Sets value "uai"="http://[removed]" in key "HKCU\Software\Speed-Downloading".
* Deletes value "addinfo" in key "HKLM\Software\Speed-Downloading".
* Deletes value "addinfo" in key "HKCU\Software\Speed-Downloading".
* Deletes value NULL in key "HKLM\Software\Speed-Downloading".
* Deletes value NULL in key "HKCU\Software\Speed-Downloading".
* Deletes value "guid" in key "HKLM\Software\Speed-Downloading".
* Deletes value "guid" in key "HKCU\Software\Speed-Downloading".
* Sets value "dl_lg"="EN" in key "HKLM\Software\Speed-Downloading".
* Sets value "dl_lg"="EN" in key "HKCU\Software\Speed-Downloading".
* Deletes value "dl_theme" in key "HKLM\Software\Speed-Downloading".
* Deletes value "dl_theme" in key "HKCU\Software\Speed-Downloading".
* Sets value "dl_browser"="IE" in key "HKLM\Software\Speed-Downloading".
* Sets value "dl_browser"="IE" in key "HKCU\Software\Speed-Downloading".
* Accesses Registry key "HKCU\Software\Speed-Downloading".
[ Process/window information ]
* Creates a dialogbox with caption "".
* Buttons found in dialogbox: id3[166,201]"" id1[216,201]"" id2[273,201]"" .
* Button id 1 is changing text to "&Next >".
* Button id 3 is changing text to "".
* Button id 2 is changing text to "Cancel".
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Use | Title | Comment |
|---|---|---|
| Blocking viruses that infect network shares | | |
| Cleaning of back-up folders on Windows Me and XP | | |