Threat Encyclopedia

Win32/Witkinat.B

Aliases: Trojan-Spy.Win32.Insain.fa (Kaspersky), TrojanDropper:Win32/Witkinat.A (Microsoft), Trojan.Searcher.81 (Dr.Web)
Type of infiltration: Trojan
Size: 38400 B
Affected platforms: Microsoft Windows
Signature database version: 5015 (20100410)

Short description

Win32/Witkinat.B is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:
  • %system%\030.dll (25088 B)
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%system%\030.dll"
    "CrntDLL" = "%system%\030.dll"
    "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main]
    "DEPOff" = 1
This causes the trojan to be executed on every application start.
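
The registry changes listed above can be checked from a `reg export` of the two keys. The Python script below is an added example, not code from the original entry; the sample export is constructed (with %system% written as C:\Windows\System32 as an assumption), and the check generalizes slightly by reporting any non-empty AppInit_DLLs value rather than only 030.dll.

```python
import re

# Keys and value names taken from the entry above (compared case-insensitively).
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
IE_MAIN_KEY = r"hkey_local_machine\software\policies\microsoft\internet explorer\main"

# Constructed sample in .reg export format; not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\030.dll"
"CrntDLL"="C:\\Windows\\System32\\030.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main]
"DEPOff"=dword:00000001
'''

def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}} with lowercased names.
    Only REG_SZ and REG_DWORD values are read; other types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def audit(text):
    """Return (value_name, state, data) tuples for the changes described above."""
    keys, findings = parse_reg(text), []
    win = keys.get(WINDOWS_KEY, {})
    dlls = win.get("appinit_dlls", "")
    if isinstance(dlls, str) and dlls.strip():
        enabled = win.get("loadappinit_dlls") == 1
        findings.append(("AppInit_DLLs", "loading enabled" if enabled else "loading flag not set", dlls))
    if "crntdll" in win:  # value name created by this trojan according to the entry
        findings.append(("CrntDLL", "present", win["crntdll"]))
    if keys.get(IE_MAIN_KEY, {}).get("depoff") == 1:
        findings.append(("DEPOff", "set", 1))
    return findings
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `audit`.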

Other information

The trojan launches the following processes:
  • iexplore.exe
The trojan hooks the following Windows APIs:
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • closesocket (ws2_32.dll)
The trojan can redirect results of online search engines to web sites that contain adware.

The trojan contains a list of URLs. It tries to download several files from these addresses and then executes them.

The trojan may create the following files:
  • %system%\wexe.exe
  • %system%\wupd.dat
  • %system%\work.dat