Win32/Witkinat [Threat Name] go to Threat

Win32/Witkinat.A [Threat Variant Name]

Category trojan
Size 40576 B
Detection created Feb 03, 2010
Detection database version 4831
Aliases Trojan-Spy.Win32.Insain.kb (Kaspersky)
  TrojanDropper:Win32/Witkinat.A (Microsoft)
  Trojan.Gen (Symantec)
Short description

Win32/Witkinat.A is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %system%\­0037.dll (25600 B)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "AppInit_DLLs" = "%system%\­0037.dll"
    • "CrntDLL" = "%system%\­0037.dll"
    • "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Internet Explorer\­Main]
    • "DEPOff" = 1

This causes the trojan to be executed on every application start.

Other information

The trojan launches the following processes:

  • iexplore.exe

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)

The trojan can redirect results of online search engines to web sites that contain adware.


The trojan contains a list of URLs. It tries to download several files from the addresses. The files are then executed.


The trojan may create the following files:

  • %system%\­wexe.exe
  • %system%\­wupd.dat
  • %system%\­work.dat

Please enable Javascript to ensure correct displaying of this content and refresh this page.