Win32/Wigon [Threat Name]

Win32/Wigon.KQ [Threat Variant Name]

Category trojan
Size 16384 B
Detection created May 06, 2009
Detection database version 10065
Aliases Backdoor.Win32.Protector.a (Kaspersky)
  Backdoor.Trojan (Symantec)
  TrojanDownloader:Win32/Cutwail.gen!C (Microsoft)

Short description

The trojan tries to download several files from the Internet. The files are then executed.

Installation

When executed, the trojan copies itself to the following locations:

  • %system%\reader_s.exe
  • %userprofile%\reader_s.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "reader_s" = "%system%\reader_s.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "reader_s" = "%userprofile%\reader_s.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe

Other information

The trojan contains a list of URLs.

It tries to download several files from these addresses.

These are stored in the following locations:

  • %temp%\BN%variable%.tmp

A string with variable content is used instead of %variable%.

The downloaded files contain encrypted executables.

After decryption, the trojan runs these files.

The trojan may create and run a new thread with its own program code within any running process.
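
A read-only triage check for the file and Registry artifacts listed in the Installation and Other information sections, as an added example (not ESET's code). It assumes %system% resolves to the Windows system directory and that, on a 64-bit host, a 32-bit process may have been redirected to SysWOW64 and the WOW6432Node Run key; the function name is hypothetical.

```powershell
# Added example: look for the Win32/Wigon.KQ artifacts named on this page.
# Nothing is modified or deleted; findings are returned as objects for review.
function Get-WigonKqArtifact {
    $valueName = 'reader_s'        # Run value name, from the page
    $fileName  = 'reader_s.exe'    # dropped copy, from the page
    $findings  = New-Object System.Collections.Generic.List[object]

    # Run keys from the page, plus the WOW6432Node view (assumption: 64-bit host).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($item) {
            $findings.Add([pscustomobject]@{
                Type = 'RunValue'; Location = $key; Detail = $item.$valueName })
        }
    }

    # %system% and %userprofile% copies, plus SysWOW64 (assumption: 64-bit host).
    $dirs = @(
        [Environment]::SystemDirectory,
        (Join-Path $env:SystemRoot 'SysWOW64'),
        $env:USERPROFILE
    )
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $fileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $f = Get-Item -LiteralPath $path -Force
            $findings.Add([pscustomobject]@{
                Type = 'File'; Location = $path; Detail = "$($f.Length) bytes" })
        }
    }

    # Downloaded payloads: %temp%\BN%variable%.tmp. The pattern can also match
    # unrelated temp files, so treat these as candidates, not confirmed hits.
    Get-ChildItem -Path $env:TEMP -Filter 'BN*.tmp' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'TempCandidate'; Location = $_.FullName; Detail = "$($_.Length) bytes" })
        }

    return $findings
}

Get-WigonKqArtifact | Format-Table -AutoSize
```

The HKCU, %userprofile% and %temp% checks cover only the account the script runs under, so repeat it for each profile being reviewed.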
