Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: UNKNOWN
Detection files published: 01 Aug 2006 03:00:00
Description created: 10 Dec 2009 02:14:00
Description updated: 10 Dec 2009 02:14:00
Malware type: TROJAN
Aliases:
  TrojanDownloader.Win32.Wintrim.s
  Downloader-DA.b
  TrojanDownloader:Win32/Wintrim
  W32/Downloader-Persis
  Mal/SkimTrim-A
Spreading mechanism: OTHER
Summary

W32/Wintrim

Spreading

W32/Wintrim is bundled with an application called Mailskinner.

Payload Details

When the malware is executed, it displays an installation screen that mimics a legitimate installer. It then creates .tmp files in %WINDOWS%\TEMP, writes registry entries under "HKLM\Software\" to keep track of its files, and downloads content from a URL. Certain variants also create mutants (mutexes).

Analysis

[ DetectionInfo ]
* Filename: C:\Documents and Settings\Desktop\Sample\Current\1727e1f703e77cf2f00a3c96bc3f93d2.exe.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 569100 bytes.
* MD5 hash: 1727e1f703e77cf2f00a3c96bc3f93d2.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsf1743.tmp.
* Deletes file C:\WINDOWS\TEMP\nsf1743.tmp.
* Creates file C:\WINDOWS\TEMP\nsz4817.tmp.
* Overwrites file C:\WINDOWS\TEMP\nsz4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp.
* Deletes file C:\WINDOWS\TEMP\nsh9867.tmp.
* Creates directory C:\WINDOWS\TEMP\nsh9867.tmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp\modern-header.bmp.
* Overwrites file C:\WINDOWS\TEMP\nsh9867.tmp\modern-wizard.bmp.
* Creates file C:\WINDOWS\TEMP\nsh9867.tmp\nsDialogs.dll.

[ Changes to registry ]
* Accesses Registry key "HKLM\Software\[removed].ORG\Free Download Manager".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Creates key "HKLM\Software\Speed-Downloading".
* Creates key "HKCU\Software\Speed-Downloading".
* Deletes value "nums" in key "HKLM\Software\Speed-Downloading".
* Deletes value "nums" in key "HKCU\Software\Speed-Downloading".
* Deletes value "bnrid" in key "HKLM\Software\Speed-Downloading".
* Deletes value "bnrid" in key "HKCU\Software\Speed-Downloading".
* Sets value "grpid"="1591" in key "HKLM\Software\Speed-Downloading".
* Sets value "grpid"="1591" in key "HKCU\Software\Speed-Downloading".
* Sets value "installdt"="20090708" in key "HKLM\Software\Speed-Downloading".
* Sets value "installdt"="20090708" in key "HKCU\Software\Speed-Downloading".
* Sets value "uai"="http://[removed]" in key "HKCU\Software\Speed-Downloading".
* Deletes value "addinfo" in key "HKLM\Software\Speed-Downloading".
* Deletes value "addinfo" in key "HKCU\Software\Speed-Downloading".
* Deletes value NULL in key "HKLM\Software\Speed-Downloading".
* Deletes value NULL in key "HKCU\Software\Speed-Downloading".
* Deletes value "guid" in key "HKLM\Software\Speed-Downloading".
* Deletes value "guid" in key "HKCU\Software\Speed-Downloading".
* Sets value "dl_lg"="EN" in key "HKLM\Software\Speed-Downloading".
* Sets value "dl_lg"="EN" in key "HKCU\Software\Speed-Downloading".
* Deletes value "dl_theme" in key "HKLM\Software\Speed-Downloading".
* Deletes value "dl_theme" in key "HKCU\Software\Speed-Downloading".
* Sets value "dl_browser"="IE" in key "HKLM\Software\Speed-Downloading".
* Sets value "dl_browser"="IE" in key "HKCU\Software\Speed-Downloading".
* Accesses Registry key "HKCU\Software\Speed-Downloading".

[ Process/window information ]
* Creates a dialogbox with caption "".
* Buttons found in dialogbox: id3[166,201]"" id1[216,201]"" id2[273,201]"" .
* Button id 1 is changing text to "&Next >".
* Button id 3 is changing text to "".
* Button id 2 is changing text to "Cancel".

Removal

n/a
Last Updated: 12 Nov 2015 11:06:10