Win32/Witkinat [Threat Name] go to Threat

Win32/Witkinat.B [Threat Variant Name]

Category trojan
Size 38400 B
Detection created Apr 10, 2010
Detection database version 5015
Aliases Trojan-Spy.Win32.Insain.fa (Kaspersky)
  TrojanDropper:Win32/Witkinat.A (Microsoft)
  Trojan.Searcher.81 (Dr.Web)
Short description

Win32/Witkinat.B is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %system%\­0030.dll (25088 B)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "AppInit_DLLs" = "%system%\­0030.dll"
    • "CrntDLL" = "%system%\­0030.dll"
    • "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Internet Explorer\­Main]
    • "DEPOff" = 1

This causes the trojan to be executed on every application start.

Other information

The trojan launches the following processes:

  • iexplore.exe

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)

The trojan can redirect results of online search engines to web sites that contain adware.


The trojan contains a list of URLs. It tries to download several files from the addresses. The files are then executed.


The trojan may create the following files:

  • %system%\­wexe.exe
  • %system%\­wupd.dat
  • %system%\­work.dat

Please enable Javascript to ensure correct displaying of this content and refresh this page.