
WINSHOST.EXE

WINSHOST.EXE is part of the Bagle Trojan for the Windows platform. The Trojan copies itself into the Windows system folder as winshost.exe. To run automatically when Windows starts, it creates the following registry entries:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winshost.exe = \winshost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winshost.exe = \winshost.exe

The Trojan also drops a DLL file, wiashost.exe, and attempts to inject it into the process space of Windows Explorer. If the DLL is successfully loaded, it attempts to download and launch an executable from a URL list of more than 100 entries. This Trojan downloader is usually installed by other malware. The malware drops the following files into the Windows system folder: WINSHOST.EXE and WIDSHOST.EXE. After dropping these two files, it executes the WIDSHOST.EXE Trojan file. Upon execution, this Trojan creates a thread that terminates antivirus- and firewall-related processes. It then creates another thread that downloads and executes further malware on the system.

It creates the following registry entries so that it executes automatically during every Windows startup (autostart technique):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    WINSHOST.EXE = "%System%\WINSHOST.EXE"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    WINSHOST.EXE = "%System%\WINSHOST.EXE"

Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.
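A read-only check for the indicators listed above, written as an added example for this page (it is not code from the original page or from any antivirus vendor). It assumes Windows PowerShell 5.1 or later, inspects only the two Run keys and the %System% folder named above, and reports findings rather than removing anything; the function names and output layout are the example's own, and only the file names come from the page.

```powershell
# Added example, not from the original page: report the Bagle autostart
# entries, dropped files and Explorer-injected module described above.
# It only reads; clean-up is left to the operator or AV product.

$IndicatorFiles = @('winshost.exe', 'wiashost.exe', 'widshost.exe')   # names from the page
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-BagleAutostart {
    # Flag any Run value whose name or data refers to an indicator file.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip Get-ItemProperty metadata
            $data = [string]$prop.Value
            foreach ($name in $IndicatorFiles) {
                if ($prop.Name -ieq $name -or $data -imatch [regex]::Escape($name)) {
                    [pscustomobject]@{ Type = 'RunKey'; Key = $key; Name = $prop.Name; Data = $data }
                }
            }
        }
    }
}

function Find-BagleFiles {
    # [Environment]::SystemDirectory resolves %System% on any Windows version
    # (System, WINNT\System32 or Windows\System32, as in the note above).
    $sysDir = [Environment]::SystemDirectory
    foreach ($name in $IndicatorFiles) {
        $path = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Type   = 'File'
                Path   = $path
                Size   = $f.Length
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-BagleExplorerInjection {
    # The page says the DLL is injected into Windows Explorer: list any module
    # loaded in explorer.exe whose file name matches an indicator. Reading
    # another process's module list needs equal or higher privilege.
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }
        foreach ($m in $mods) {
            if ($IndicatorFiles -icontains $m.ModuleName) {
                [pscustomobject]@{ Type = 'Module'; ProcessId = $proc.Id; Module = $m.FileName }
            }
        }
    }
}

$findings = @(Find-BagleAutostart) + @(Find-BagleFiles) + @(Find-BagleExplorerInjection)
if ($findings.Count -eq 0) {
    Write-Output 'No winshost/wiashost/widshost indicators found.'
} else {
    $findings | Format-List
}
```

Run it from an elevated prompt so that both the HKLM key and explorer.exe's module list are readable; a hit in the Run key alone, with no file in %System%, usually means the file was already removed and only the orphaned autostart value remains.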

Also known as Troj/Bagledl-D, W32/Bagle-AU or W32/Bagle-AV.

