Win32/Slugin [Threat Name] go to Threat

Win32/Slugin.A [Threat Variant Name]

Category virus
Size 110592 B
Detection created Mar 20, 2010
Detection database version 10157
Aliases Virus:Win32/Slugin.A (Microsoft)
  W32.Slugin.A!inf (Symantec)
  Win32/Slugin.A.virus (AVG)
  W32/Wplugin.virus (McAfee)
Short description

Win32/Slugin.A is a file infector.


When executed, the virus creates the following files:

  • %appdata%\­wplugin.dll (110592 B, Win32/TrojanProxy.Agent.NES)

The virus may create the following files:

  • %appdata%\­Microsoft\­Explorer\­Win32Cfg.cfg
  • %messengerfilepath%.exe.local (12 B)
  • %windir%\­explorer.exe.local (12 B)

The virus creates copies of the following files (source, destination):

  • %system%\­w2help.dll, %windir%\­w2help.dll
  • %system%\­w2help.dll, %messengerfolder%\­w2help.dll
  • %appdata%\­wplugin.dll, %windir%\­wplugin.dll
  • %appdata%\­wplugin.dll, %messengerfolder%\­wplugin.dll

It infects the following files:

  • %windir%\­w2help.dll
  • %messengerfolder%\­w2help.dll

Malicious code is executed every time an infected DLL is loaded.

File infection

The virus searches fixed drives for executable files to infect.

It also infects files stored on removable and network drives.

The virus searches for files with the following file extensions:

  • .exe

It avoids files which contain any of the following strings in their path:

  • %windir%
  • %programfiles%

Several other criteria are applied when choosing a file to infect.

Executables are infected by appending the code of the virus to the end of the original file.

The size of the inserted code is 94691 B .

The host file is modified in a way that causes the virus to be executed prior to running the original code.

Information stealing

The virus collects the following information:

  • network adapter information
  • user name
  • computer IP address
  • the IP address of the router in the local network

The virus attempts to send gathered information to a remote machine.

The virus sends the information via e-mail.

The virus contains a list of (4) addresses.

Other information

The virus contains a backdoor. It can be controlled remotely.

The virus opens TCP port 10100 .

The virus can download and execute a file from the Internet.

Please enable Javascript to ensure correct displaying of this content and refresh this page.