Win32/Wigon [Threat Name] go to Threat

Win32/Wigon.KU [Threat Variant Name]

Category trojan
Size 58369 B
Detection created May 19, 2009
Detection database version 4089
Aliases Trojan.Win32.Rabbit.jq (Kaspersky)
  TrojanDownloader:Win32/Cutwail.AI (Microsoft)
  Troj/Agent-KJH (Sophos)
Short description

The trojan tries to download several files from the Internet. The files are then executed.

Installation

When executed, the trojan copies itself into the following location:

  • %userprofile%\­%username%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%username%" = "%userprofile%\­%username%.exe"
Other information

The trojan may create and run a new thread with its own program code within any running process.


The trojan contains a list of (9) URLs.


It tries to download several files from the addresses.


The HTTP protocol is used.


These are stored in the following locations:

  • %temp%\­BN%variable%.tmp

A string with variable content is used instead of %variable% .


The downloaded files contain encrypted executables.


After decryption, the trojan runs these files.


The trojan launches the following processes:

  • netsh.exe firewall set allowedprogram %filepath% ENABLE

The performed command creates an exception in the Windows Firewall.

Please enable Javascript to ensure correct displaying of this content and refresh this page.