W32/Wplugin

This page shows the details and results of our analysis of the malware W32/Wplugin.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 5407 (2008-10-16)
Updated DAT: 6749 (2012-06-21)
Minimum Engine: 5400.1158
File Length: varies
Description Added: 2008-10-16
Description Modified: 2008-10-31

Characteristics

On execution it drops a DLL, Wplugin.dll, and creates a copy of itself as winhost32.exe at the following locations:

%USERPROFILE%\Application Data\Wplugin.dll
%SYSTEMROOT%\Wplugin.dll (md5sum: 0EA8AE8DD149E74C734BEB666CE5DA93)
%SYSTEM%\winhost32.exe

Wplugin.dll is detected as W32/Wplugin.dll. W32/Wplugin then launches itself as winhost32.exe and deletes the copy at the location from which it was originally run.

To run again at system startup it adds the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Host Service = "winhost32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Host Service = "winhost32.exe"

It also adds or modifies the following registry entries:

HKCU\Software\Microsoft\OLE\Microsoft Host Service = "winhost32.exe"
HKLM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs = 0x3A98
HKLM\Software\Licenses\{K7C0DB872A3F777C0} = 66 A4 D5 52 06 0E 1F FF ... 
HKCR\CLSID\{2DF8DBC8-3025-BA3E-6E71-6840F5235369}\PersistentHandler\(Default) = "{98de59a0-d175-11cd-a7bd-00006b827d94}"

It creates a mutex cBot-usb01 so that only one instance of the malware runs.

It also tries to connect to the IRC servers hxxxxn.nxxxp.biz and exxxs.doxxxxxxxxt.com on TCP port 82. At the time of analysis both servers were down; the exxxs.doxxxxxxxxt.com domain resolved to 76.xxx.xxx.xxx.
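The file, registry, mutex and network indicators above can be checked offline against a host snapshot and perimeter logs. The script below is an added example, not AVERT's own tooling: the indicators are the ones quoted in this description, while the host snapshot, the firewall log format and every hash other than the Wplugin.dll MD5 are constructed sample data. In practice the inputs would come from a registry export, a file inventory with hashes, a handle listing and firewall or netflow records.

```python
"""Offline triage of the W32/Wplugin indicators from the description above.

Added example, not AVERT's tooling. Indicator values come from the description;
the snapshot and firewall lines below are constructed sample data.
"""
import re
from collections import Counter

# --- indicators from the description -----------------------------------------
DROPPED_NAMES = {"wplugin.dll", "winhost32.exe"}
WPLUGIN_DLL_MD5 = "0ea8ae8dd149e74c734beb666ce5da93"
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
AUTORUN_VALUE = ("microsoft host service", "winhost32.exe")
OTHER_VALUES = {
    (r"hkcu\software\microsoft\ole", "microsoft host service"): "winhost32.exe",
    (r"hklm\software\microsoft\rfc1156agent\currentversion\parameters",
     "trappolltimemillisecs"): "0x3a98",
}
MUTEX_NAME = "cBot-usb01"
C2_PORT = 82


def norm(s):
    """Lower-case and use backslashes so registry and file paths compare reliably."""
    return str(s).strip().lower().replace("/", "\\")


def check_files(files):
    """files: iterable of (path, md5 or None). A name match alone is medium
    confidence (winhost32.exe is a plausible name for benign software); a
    matching MD5 raises it to high."""
    out = []
    for path, md5 in files:
        if norm(path).rsplit("\\", 1)[-1] in DROPPED_NAMES:
            hash_hit = md5 is not None and md5.lower() == WPLUGIN_DLL_MD5
            out.append(("high" if hash_hit else "medium", f"file {path}"))
    return out


def check_registry(values):
    """values: iterable of (key, value_name, data)."""
    out = []
    for key, name, data in values:
        k, n, d = norm(key), norm(name), norm(data)
        if k in AUTORUN_KEYS and (n, d) == AUTORUN_VALUE:
            out.append(("high", f"autorun {key}\\{name} = {data}"))
        elif OTHER_VALUES.get((k, n)) == d:
            out.append(("medium", f"registry {key}\\{name} = {data}"))
    return out


def check_mutexes(mutexes):
    return [("high", f"mutex {m}") for m in mutexes if m == MUTEX_NAME]


# Constructed firewall log format: "<date> <time> <action> <proto> <src> <dst> <sport> <dport>"
FW_LINE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)$")


def check_connections(log_lines):
    """Flag TCP connections to port 82. The port alone is weak evidence, so
    medium; a blocked attempt still merits a look, since the beacon implies the
    autorun entry is already in place."""
    out = []
    for line in log_lines:
        m = FW_LINE.match(line.strip())
        if m and m["proto"].upper() == "TCP" and int(m["dport"]) == C2_PORT:
            out.append(("medium", f"{m['action']} {m['src']} -> {m['dst']}:{m['dport']}"))
    return out


def triage(snapshot):
    findings = (check_files(snapshot["files"]) + check_registry(snapshot["registry"])
                + check_mutexes(snapshot["mutexes"]) + check_connections(snapshot["firewall"]))
    return {"findings": findings, "by_confidence": dict(Counter(c for c, _ in findings))}


# Constructed snapshot of an infected host. Only the Wplugin.dll MD5 is real
# (quoted in the description); the other hashes and all IPs are sample values.
SAMPLE_SNAPSHOT = {
    "files": [
        (r"C:\WINDOWS\Wplugin.dll", "0EA8AE8DD149E74C734BEB666CE5DA93"),
        (r"C:\WINDOWS\system32\winhost32.exe", "ffffffffffffffffffffffffffffffff"),
        (r"C:\WINDOWS\system32\notepad.exe", "11111111111111111111111111111111"),
    ],
    "registry": [
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Host Service", "winhost32.exe"),
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
        (r"HKLM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters", "TrapPollTimeMilliSecs", "0x3A98"),
    ],
    "mutexes": ["cBot-usb01", "ShimCacheMutex"],
    "firewall": [
        "2008-10-16 10:22:01 ALLOW TCP 192.0.2.10 198.51.100.25 1054 82",
        "2008-10-16 10:22:05 ALLOW TCP 192.0.2.10 198.51.100.40 1055 443",
    ],
}

if __name__ == "__main__":
    for conf, what in triage(SAMPLE_SNAPSHOT)["findings"]:
        print(conf, what)
```

Note that the autorun data is the bare name "winhost32.exe" with no path, which is why the copy is dropped into the system directory: Windows resolves an unqualified Run entry through the standard search path, and the system directory is on it. Matching the autorun entry by value name and bare data, rather than by full path, catches that form.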

Symptoms

The symptoms of infection are the files, registry entries and network communication described in the Characteristics section.

Method of Infection

Viruses are self-replicating. They often spread over a network or by transmission to removable media such as a removable disk, writable CD or USB drive. Viruses may also spread by infecting files on a network file system or on a file system shared by another computer.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media through which users share files.

Variants