Win32/TrojanDownloader.Wigon [Threat Name] go to Threat

Win32/TrojanDownloader.Wigon.BS [Threat Variant Name]

Category trojan
Size 10320 B
Detection created Feb 11, 2009
Detection database version 3846
Aliases Trojan-Downloader.Win32.Agent.bhhw (Kaspersky)
  Trojan.Pandex (Symantec)
  Generic.Dropper.ez (McAfee)
Short description

The trojan tries to download several files from the Internet. The files are then executed.


When executed, the trojan copies itself into the following location:

  • %userprofile%\­%username%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%username%" = "%userprofile%\­%username%.exe /i"
Other information

The trojan contains a list of (8) URLs.

It tries to download several files from the addresses.

The HTTP protocol is used.

These are stored in the following locations:

  • %temp%\­bn%variable%.tmp

A string with variable content is used instead of %variable% .

The downloaded files contain encrypted executables.

After decryption, the trojan runs these files.

The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\­svchost.exe

The trojan launches the following processes:

  • netsh firewall set allowedprogram "%userprofile%\­%username%.exe" ENABLE

The performed command creates an exception in the Windows Firewall.

Please enable Javascript to ensure correct displaying of this content and refresh this page.