This page shows details and results of our analysis on the malware W32/Wplugin

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Win32
  • Protection Added: 2008-10-16

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Malware Proliferation

On execution it drops a DLL, Wplugin.dll, at the following locations and creates a copy of itself named winhost32.exe:

%USERPROFILE%\Application Data\Wplugin.dll
%SYSTEMROOT%\Wplugin.dll (md5sum: 0EA8AE8DD149E74C734BEB666CE5DA93)

Wplugin.dll is detected as W32/Wplugin.dll. W32/Wplugin then launches the winhost32.exe copy and deletes the original file from the location it was initially run from.

To run again after a system reboot it adds the following entries to the registry (the RunServices key is honoured only by Windows 9x/ME, so on NT-based Windows the Run entry alone provides the persistence):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Host Service =  "winhost32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Host Service = "winhost32.exe"

It also adds or modifies the following registry entries:

HKCU\Software\Microsoft\OLE\Microsoft Host Service = "winhost32.exe"
HKLM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs = 0x3A98
HKLM\Software\Licenses\{K7C0DB872A3F777C0} = 66 A4 D5 52 06 0E 1F FF ... 
HKCR\CLSID\{2DF8DBC8-3025-BA3E-6E71-6840F5235369}\PersistentHandler\(Default) = "{98de59a0-d175-11cd-a7bd-00006b827d94}"

It creates a mutex named cBot-usb01 so that only one instance of the malware runs at a time.

It also tries to connect to IRC servers on TCP port 82. At the time of analysis both servers were down, and the domain resolves to

The symptoms of infection are the files, registry entries, mutex and network communication described in the Malware Proliferation section above.
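The following triage script is an added example, not part of this description or of any vendor tool. It checks a single host for the indicators listed above: the dropped Wplugin.dll files and their MD5, the "Microsoft Host Service" autostart values, the CLSID PersistentHandler key, the cBot-usb01 mutex, a running winhost32.exe and outbound connections to TCP port 82. It assumes PowerShell 4.0 or later on Windows (for Get-FileHash), read access to the paths and keys it inspects, and that the mutex lives in the session-local namespace as its unprefixed name suggests; the Global\ form is checked only as an assumed possibility for variants.

```powershell
# Added triage script for the W32/Wplugin indicators on this page.
# Not the page's or any vendor's code. Assumes PowerShell 4.0+ on Windows; run elevated,
# in the same logon session as the suspected infection so the session-local mutex is visible.

$KnownMd5 = '0EA8AE8DD149E74C734BEB666CE5DA93'   # MD5 of %SYSTEMROOT%\Wplugin.dll from the page
$Findings = @()

# 1. Dropped files. $env:APPDATA is %USERPROFILE%\Application Data on XP and
#    %USERPROFILE%\AppData\Roaming on later versions, so one check covers both.
$DropPaths = @(
    (Join-Path $env:APPDATA    'Wplugin.dll'),
    (Join-Path $env:SystemRoot 'Wplugin.dll')
)
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p) {
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        if ($md5 -eq $KnownMd5) { $note = 'MD5 matches the page' }
        else                    { $note = "MD5 $md5 differs from the page (possible variant)" }
        $Findings += "File present: $p ($note)"
    }
}

# 2. Autostart values. RunServices is only processed by Windows 9x/ME, but the value is
#    still a reliable artefact of infection on any version, so it is checked everywhere.
$RunKeys = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'         = 'Microsoft Host Service'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices' = 'Microsoft Host Service'
    'HKCU:\Software\Microsoft\OLE'                                = 'Microsoft Host Service'
}
foreach ($key in $RunKeys.Keys) {
    $name = $RunKeys[$key]
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -match 'winhost32\.exe') {
        $Findings += "Registry value: $key\$name = $($item.$name)"
    }
}

# 3. CLSID entry from the page. The HKCR: drive is not mounted by default, so use the
#    registry provider path instead.
$Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{2DF8DBC8-3025-BA3E-6E71-6840F5235369}\PersistentHandler'
if (Test-Path -LiteralPath $Clsid) { $Findings += "Registry key present: $Clsid" }

# 4. Mutex. TryOpenExisting returns $false when the mutex does not exist and throws
#    UnauthorizedAccessException when it exists but we may not open it (which still
#    proves it exists). The handle is closed at once; the mutex is never acquired.
foreach ($mname in @('cBot-usb01', 'Global\cBot-usb01')) {   # Global\ form is an assumption
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($mname, [ref]$m)) {
            $m.Close()
            $Findings += "Mutex exists: $mname"
        }
    } catch [System.UnauthorizedAccessException] {
        $Findings += "Mutex exists (access denied): $mname"
    }
}

# 5. Running copy and outbound IRC traffic on TCP port 82.
Get-Process -Name 'winhost32' -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += "Process running: winhost32.exe (PID $($_.Id), path $($_.Path))"
}
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older hosts use netstat -ano.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 82 -ErrorAction SilentlyContinue | ForEach-Object {
        $Findings += "TCP connection to $($_.RemoteAddress):82 from PID $($_.OwningProcess) ($($_.State))"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No W32/Wplugin indicators found.'
} else {
    Write-Output 'W32/Wplugin indicators found:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result from this script does not prove the host is clean: a variant can use different paths, value names or mutex, and a machine that is infected but whose winhost32.exe is not currently running will show only the file and registry artefacts. Treat any single hit as grounds for a full scan with current DATs rather than removing entries by hand.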

Viruses are self-replicating. They often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.