WINGO.EXE
When executed (as an Or bawindo.EXE or Wingo.EXE), the worm installs itself on the victim machine within the Windows system folder as WINGO.EXE (C:\WINNT\SYSTEM32\WINGO.EXE). If the worm is received as a CPL file, executing it drops and runs the worm. The CPL dropper copies itself as CJECTOR.EXE within the Windows directory (C:\WINNT\CJECTOR.EXE). The following Registry key is added to hook system startup:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE

The following Registry key is also added to store data (within a "TimeKey" key):

- HKEY_CURRENT_USER\Software\Params

Additionally, the virus may make multiple copies of itself in the Windows system directory, appending the string "open" to the filename:

- C:\WINNT\SYSTEM32\WINGO.EXEOPEN
- C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN
A mutex is created to ensure only one instance of the worm is running at a time. The mutex name is used in an attempt to stop particular variants of W32/Netsky running on the infected machine.
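A defender-side triage check for the persistence and file indicators documented above, added here as an example (it is not code from the original page or from any AV vendor). It assumes the indicators are compared against a .reg export of the two keys and a file listing of the Windows directories; the sample export and paths below are constructed, not captured from a real infection.

```python
import re

# Indicators documented on this page (normalised to lower case for matching).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "wingo"
PARAMS_KEY = r"hkey_current_user\software\params"
# WINGO.EXE with any number of appended "OPEN" strings, or the CPL dropper CJECTOR.EXE.
FILE_RE = re.compile(r"^(wingo\.exe(open)*|cjector\.exe)$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a .reg export (as written by reg.exe /export) into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files quote names and string data and escape backslashes as \\
            keys[current][name.strip().strip('"').lower()] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_registry(reg_text):
    """Return the startup hook and data-storage indicators found in a .reg export."""
    findings = []
    keys = parse_reg_export(reg_text)
    run_value = keys.get(RUN_KEY, {}).get(RUN_VALUE)
    if run_value is not None:
        findings.append(f"Run value '{RUN_VALUE}' = {run_value}")
    if PARAMS_KEY in keys:
        findings.append("HKCU\\Software\\Params present, values: " + ", ".join(keys[PARAMS_KEY]))
    return findings

def check_files(paths):
    """Return the paths whose file name matches the worm's documented file names."""
    return [p for p in paths if FILE_RE.match(p.rsplit("\\", 1)[-1])]

# Constructed sample input (hypothetical infected host), not data from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wingo"="C:\\WINNT\\SYSTEM32\\WINGO.EXE"
"ctfmon.exe"="C:\\WINNT\\SYSTEM32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Params]
"TimeKey"="constructed-sample-data"
'''
SAMPLE_FILES = [r"C:\WINNT\SYSTEM32\WINGO.EXE", r"C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN",
                r"C:\WINNT\CJECTOR.EXE", r"C:\WINNT\SYSTEM32\notepad.exe", r"C:\WINNT\SYSTEM32\wingo.exeopenx"]

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REG) + check_files(SAMPLE_FILES):
        print("INDICATOR:", hit)
```

The file match is anchored, so a name such as wingo.exeopenx is not reported; only exact WINGO.EXE plus whole "OPEN" suffixes and CJECTOR.EXE count.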
Also known as Bagle.bb, Bagle.bc, Bagle.bd or W32.Beagle.AV.