Win32/Dewnad [Threat Name] go to Threat

Win32/Dewnad.AO [Threat Variant Name]

Category worm
Size 56832 B
Detection created May 12, 2012
Detection database version 7139
Aliases Trojan-Dropper.Win32.Injector.fiyb (Kaspersky)
  Backdoor:Win32/IRCbot.FH (Microsoft)
  TR/Spy.Gen (Avira)
  Trojan.Agent.AWLH (BitDefender)
Short description

Win32/Dewnad.AO is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.


When executed, the worm copies itself into the following location:

  • %appdata%\­Microsoft\­wind.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows Defender" = "%appdata%\­Microsoft\­wind.exe"

The following Registry entries are created:

    • "FileNameActual" = "%originalmalwarefilepath%"
    • "FileNameActualDate" = "%variable%"
    • "FirstInstall" = "1"

A string with variable content is used instead of %variable% .

After the installation is complete, the worm deletes the original executable file.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • svcpig.jpg

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

Win32/Dewnad.AO is a worm that steals sensitive information.

The worm collects the following information:

  • user name
  • operating system version
  • information about the operating system and system settings

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains an URL address. The TCP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • uninstall itself

Please enable Javascript to ensure correct displaying of this content and refresh this page.