Payload
The Trojan launches the iexplore.exe process and injects its code into that process. This opens UDP port 1032 on the victim machine, and the Trojan listens for commands on this port.
The remote malicious user will be able to:
- Get a list of processes
- Launch and stop active processes
- Get a list of dialup connections
- Get a list of keys pressed by the user
If your computer does not have an up-to-date antivirus solution, or has no antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the registry key created by the Trojan:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwil32]
- Reboot the computer.
- Delete the following file:
%System%\winwil32.dll
- Delete the following registry key:
[HKLM\SOFTWARE\Microsoft\MSSMGR]
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This Trojan is a Windows PE EXE file. The file is 20,527 bytes in size.
Installation
When launched, the Trojan extracts the following file from its body:
- %System%\winwil32.dll (17,920 bytes in size)
The Trojan also creates the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwil32]
"Asynchronous" = dword:00000001
"DllName" = "winwil32.dll"
"Impersonate" = dword:00000000
"Startup" = "EvtStartup"
"Shutdown" = "EvtShutdown"
This ensures that the Trojan library will be loaded by the Winlogon.exe system process each time Windows is booted on the victim machine.
The Trojan also creates the following registry key and saves its configuration to it:
[HKLM\SOFTWARE\Microsoft\MSSMGR]
Once installation is complete, the Trojan deletes its executable file.
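The following PowerShell script is an added example, not part of the original description, that checks a host for the artifacts listed in the installation and removal sections above: the Winlogon Notify package, the dropped DLL, the MSSMGR configuration key and a UDP 1032 listener. It is read-only and only reports; it assumes Windows PowerShell 5 or later with the NetTCPIP module available for Get-NetUDPEndpoint.

```powershell
# Added example (not the original page's or vendor's code): report the persistence and
# network artifacts described above. Read-only; nothing is deleted or stopped.
$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$configPath = 'HKLM:\SOFTWARE\Microsoft\MSSMGR'
$dllPath    = Join-Path $env:SystemRoot 'System32\winwil32.dll'   # %System%\winwil32.dll
$findings   = @()

# 1. Winlogon Notify packages: each subkey's DllName is loaded into winlogon.exe at boot.
#    Flag the package named in the description, and (heuristic, an assumption of this
#    example) any DllName that does not resolve to an existing file under System32.
Get-ChildItem -Path $notifyPath -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $dll   = [string]$props.DllName
    if ($_.PSChildName -ieq 'winwil32' -or $dll -ieq 'winwil32.dll') {
        $findings += "Winlogon Notify package '$($_.PSChildName)' loads '$dll' (matches description)"
    }
    elseif ($dll) {
        # DllName may be a bare file name or a full path; resolve bare names against System32
        $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        if (-not (Test-Path $resolved)) {
            $findings += "Winlogon Notify package '$($_.PSChildName)' references missing DLL '$dll'"
        }
    }
}

# 2. Dropped library and the Trojan's configuration key.
if (Test-Path $dllPath)    { $findings += "Dropped file present: $dllPath ($((Get-Item $dllPath).Length) bytes)" }
if (Test-Path $configPath) { $findings += "Configuration key present: $configPath" }

# 3. Backdoor listener: UDP 1032 bound by a process (the description names iexplore.exe).
Get-NetUDPEndpoint -LocalPort 1032 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "UDP 1032 bound by PID $($_.OwningProcess) ($($proc.ProcessName))"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No indicators from this description were found.' }
```

A hit on the Notify package or the MSSMGR key should be followed by the removal steps above (delete the key, reboot, delete the DLL, delete the configuration key, then run a full scan), since the DLL is held open by winlogon.exe until the reboot.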