Virus: W32/Slugin.A
Date discovered: 28/09/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 864.739 Bytes
MD5 checksum: 79c28ac645beb57c4aa9a5f9bf738581
IVDF version: 7.01.06.44 - Monday, September 28, 2009

General
Method of propagation:
   • Autorun feature
   • Local network
   • Messenger
   • Peer to Peer


Aliases:
   •  Mcafee: W32/Wplugin
   •  Sophos: W32/Slugin-A
   •  Panda: W32/Wplugin.A
   •  Eset: Win32/Slugin.A
   •  Bitdefender: Win32.Worm.IM.H


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following locations:
   • %drive%\RECYCLER\%CLSID%\usbhelp.exe
   • %SYSDIR%\winhost32.exe



It deletes the initially executed copy of itself.



The following files are created:

%drive%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

%drive%\RECYCLER\%CLSID%\Desktop.ini

%HOME%\Application Data\Wplugin.dll
Further investigation pointed out that this file is malware, too. Detected as: W32/Slugin.drop

%PROGRAM FILES%\Yahoo!\Messenger\ymsgr_tray.exe.local

%WINDIR%\ws2help.dll
Further investigation pointed out that this file is malware, too. Detected as: W32/Slugin.A

%PROGRAM FILES%\Yahoo!\Messenger\ws2help.dll
Further investigation pointed out that this file is malware, too. Detected as: W32/Slugin.A

%WINDIR%\explorer.exe.local

%WINDIR%\Wplugin.dll
Further investigation pointed out that this file is malware, too. Detected as: W32/Slugin.drop




It tries to execute the following file:

Filename:
   • %SYSDIR%\winhost32.exe %number% "%malware execution directory%\%executed file%"

Registry
The following registry keys are added in order to run the processes after reboot:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
   • "Microsoft Host Service"="winhost32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Host Service"="winhost32.exe"



The following registry key is added:

[HKCU\Software\Microsoft\OLE]
   • "Microsoft Host Service"="winhost32.exe"
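The file and registry sections above together describe how the sample survives a reboot: a copy as %SYSDIR%\winhost32.exe plus a "Microsoft Host Service" value under Run and RunServices, and an identical marker under HKCU\Software\Microsoft\OLE. A host-side triage check for exactly these indicators follows as an added example; it is not part of Avira's description. It assumes a registry export flattened to (key, value name, data) tuples and a plain list of file paths, and both sample sets are constructed. Two caveats a responder should keep in mind, both reflected in the code: ws2help.dll is a legitimate Winsock helper library in %SYSDIR%, so only the copies outside %SYSDIR% (the %WINDIR% and Yahoo! Messenger copies the page lists) are flagged, and RECYCLER\<folder>\Desktop.ini is also created by Windows itself, so it is not used as an indicator on its own. The explorer.exe.local and ymsgr_tray.exe.local files are the Windows DLL-redirection ("DotLocal") mechanism, which makes a program load a DLL from its own directory before the system copy; that is why the rogue ws2help.dll copies sit next to them.

```python
"""Host triage for the W32/Slugin.A persistence and dropped-file indicators.

Added example, not part of the Avira description. Inputs are assumed to be
(key, value_name, data) tuples from a registry export and a flat list of file
paths; both sample sets below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Autostart locations and value name given on the page (compared lower-cased).
PERSISTENCE_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\ole",
}
VALUE_NAME = "microsoft host service"
PAYLOAD = "winhost32.exe"

# Dropped-file paths from the page. %CLSID% is an arbitrary directory name under
# RECYCLER, so it is matched with [^\\]+ instead of a literal. RECYCLER\...\Desktop.ini
# is omitted because Windows creates that file itself.
DROPPED_FILE_PATTERNS = [
    re.compile(r"^[a-z]:\\recycler\\[^\\]+\\usbhelp\.exe$", re.I),
    re.compile(r"\\system32\\winhost32\.exe$", re.I),
    re.compile(r"\\wplugin\.dll$", re.I),
    re.compile(r"\\(explorer|ymsgr_tray)\.exe\.local$", re.I),
]
# ws2help.dll is a legitimate Winsock helper in %SYSDIR%; the page lists copies
# dropped into %WINDIR% and the Yahoo! Messenger folder, so only those are flagged.
WS2HELP_ANY = re.compile(r"\\ws2help\.dll$", re.I)
WS2HELP_LEGIT = re.compile(r"\\system32\\ws2help\.dll$", re.I)


def find_persistence(values):
    """Return (key, name, data) entries matching the page's autostart indicators."""
    hits = []
    for key, name, data in values:
        if key.lower() not in PERSISTENCE_KEYS:
            continue
        image = PureWindowsPath(data.strip('"')).name.lower()
        if name.lower() == VALUE_NAME or image == PAYLOAD:
            hits.append((key, name, data))
    return hits


def find_dropped_files(paths):
    """Return paths that match the dropped-file indicators."""
    hits = []
    for path in paths:
        if any(p.search(path) for p in DROPPED_FILE_PATTERNS):
            hits.append(path)
        elif WS2HELP_ANY.search(path) and not WS2HELP_LEGIT.search(path):
            hits.append(path)
    return hits


SAMPLE_REGISTRY = [  # constructed registry export
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Host Service", "winhost32.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Microsoft Host Service", "winhost32.exe"),
    (r"HKCU\Software\Microsoft\OLE", "Microsoft Host Service", "winhost32.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "MSMSGS", r"C:\Program Files\Messenger\msmsgs.exe"),
]
SAMPLE_FILES = [  # constructed directory listing; the GUID folder name is a placeholder
    r"E:\RECYCLER\{B6E9C4A1-0000-4000-8000-000000000001}\usbhelp.exe",
    r"C:\WINDOWS\system32\winhost32.exe",
    r"C:\WINDOWS\system32\ws2help.dll",
    r"C:\WINDOWS\ws2help.dll",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\explorer.exe.local",
    r"C:\Program Files\Yahoo!\Messenger\ws2help.dll",
    r"C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe.local",
    r"C:\Documents and Settings\user\Application Data\Wplugin.dll",
]

if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_REGISTRY):
        print(f"persistence: [{key}] \"{name}\"=\"{data}\"")
    for path in find_dropped_files(SAMPLE_FILES):
        print(f"dropped file: {path}")
```

On a real host the registry tuples would come from a `reg export` of the three keys and the path list from a recursive directory listing of the system drive and any removable drives; the ws2help.dll rule is the one most worth keeping, since the legitimate copy in %SYSDIR% would otherwise be reported on every machine.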

P2P
In order to infect other systems in the Peer to Peer network community the following action is performed:

It searches for directories that contain one of the following substrings:
   • \Program Files\LimeWire\Shared
   • \Program Files\eDonkey2000\incoming
   • \Program Files\KAZAA
   • \Program Files\Morpheus\My Shared Folder\
   • \Program Files\BearShare\Shared\
   • \Program Files\ICQ\Shared Files\
   • \Program Files\Grokster\My Grokster\
   • \My Downloads\


Messenger
It is spreading via Messenger. The characteristics are described below:

MSN Messenger


To:
All entries in the contact list.
The sent message looks like one of the following:

   • OMG remember the party a few weeks back? Look at the pictures from it! haha
   • These pictures are halirous man..
   • Hey check out these new pictures I took

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Remote execution:
It attempts to schedule a remote execution of the malware on the newly infected machine. To do so it uses the NetScheduleJobAdd function.

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: havfun.no-**********.biz
Nickname: [WinXP||USA|000|%number%

Server: elvis.doe**********.com
Port: 82
Channel: #main
Nickname: [WinXP||USA|000|%number%
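The two IRC entries above give the bot's nickname shape, and the strings listed under Miscellaneous further down ([cBot.cdkeys], [cBot.p2p], [cBot.sock5] and so on) are what it reports back into the channel. Together they are enough for a log-side detection, written here as an added example that is not part of Avira's description. It scans constructed proxy-style IRC log lines (timestamp, source, destination, IRC command) and flags any NICK of the form [Win…||CCC|nnn|counter and any PRIVMSG whose text begins with a [cBot.…] tag. The log format and the IP addresses (documentation ranges) are mine, and so is the assumption that the OS tag and country field vary between victims; the page itself shows only [WinXP||USA|000|%number%.

```python
"""Flag W32/Slugin.A IRC beacons in a proxy-style connection log.

Added example, not part of the Avira description. The log line format and the
sample lines are constructed; the nickname shape and the [cBot.*] status tags
come from the page.
"""
import re
from dataclasses import dataclass

# Nickname format shown on the page: [WinXP||USA|000|%number%. The OS tag,
# country code and counter are assumed to vary between victims, so each
# field is matched loosely (assumption, not stated on the page).
NICK_RE = re.compile(r"^NICK\s+(\[Win[A-Za-z0-9]*\|\|[A-Z]{2,3}\|\d{3}\|\d+)\s*$", re.I)
# Status strings embedded in the sample, e.g. "[cBot.p2p] File Copied to Peer to Peer sharing."
STATUS_RE = re.compile(r"^PRIVMSG\s+\S+\s+:(\[cBot\.[a-z0-9]+\].*)$", re.I)
# Constructed log format: <timestamp> <src ip>:<port> -> <dst ip>:<port> <irc command>
LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(.*)$")


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def scan_irc_log(lines):
    """Return one Finding per log line that shows a bot nickname or a cBot status message."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        ts, src, _sport, dst, dport, payload = m.groups()
        nick = NICK_RE.match(payload)
        if nick:
            findings.append(Finding(ts, src, f"{dst}:{dport}", f"bot-style nickname {nick.group(1)}"))
            continue
        status = STATUS_RE.match(payload)
        if status:
            findings.append(Finding(ts, src, f"{dst}:{dport}", f"cBot status message: {status.group(1)}"))
    return findings


def infected_hosts(lines):
    """Sorted list of source addresses that produced at least one finding."""
    return sorted({f.src for f in scan_irc_log(lines)})


SAMPLE_LOG = [  # constructed; addresses are from documentation ranges
    "2009-09-28T10:14:03Z 10.0.0.15:1047 -> 203.0.113.8:82 NICK [WinXP||USA|000|4821",
    "2009-09-28T10:14:03Z 10.0.0.15:1047 -> 203.0.113.8:82 JOIN #main",
    "2009-09-28T10:14:09Z 10.0.0.15:1047 -> 203.0.113.8:82 PRIVMSG #main :[cBot.p2p] File Copied to Peer to Peer sharing.",
    "2009-09-28T10:20:11Z 10.0.0.22:2231 -> 198.51.100.4:6667 NICK alice_",
    "2009-09-28T10:20:15Z 10.0.0.22:2231 -> 198.51.100.4:6667 PRIVMSG #linux :anyone tried the new kernel?",
    "2009-09-28T10:31:40Z 10.0.0.31:3390 -> 203.0.113.8:82 NICK [Win2K||DEU|000|17",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
    print("hosts to isolate:", ", ".join(infected_hosts(SAMPLE_LOG)))
```

The JOIN #main line on its own is deliberately not a trigger: a channel name that short will appear on legitimate servers, whereas the nickname shape and the [cBot.…] prefixes are specific to this family. Because the C2 server names on the page are partly redacted, matching on them is left out rather than guessed.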

Backdoor
The following port is opened:

winhost32.exe on a random TCP port in order to provide an FTP server.

Stealing
It tries to steal the following information:
   • Windows Product ID

The following CD keys:
   • Software\Activision\Call of Duty 4\codkey
   • Software\Activision\Soldier of Fortune II - Double Helix
   • Software\Illusion Softworks\Hidden & Dangerous 2
   • Software\Techland\Chrome
   • Software\Westwood\NOX
   • Software\Westwood\Red Alert 2
   • Software\Westwood\Red Alert
   • Software\Westwood\Tiberian Sun
   • Software\Red Storm Entertainment\RAVENSHIELD
   • Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
   • Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
   • Software\Electronic Arts\EA Sports\NHL 2003\ergc
   • Software\Electronic Arts\EA Sports\NHL 2002\ergc
   • Software\Electronic Arts\EA Sports\FIFA 2003\ergc
   • Software\Electronic Arts\EA Sports\FIFA 2002\ergc
   • Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc
   • Software\Electronic Arts\EA GAMES\Need For Speed Underground\ergc
   • Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2
   • Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc
   • Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc
   • Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc
   • Software\Electronic Arts\EA GAMES\Global Operations\ergc
   • Software\Electronic Arts\EA GAMES\Generals\ergc
   • Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc
   • Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc
   • Software\Electronic Arts\EA GAMES\Black and White\ergc
   • Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc
   • Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc
   • Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc
   • Software\Electronic Arts\EA GAMES\Battlefield 1942\ergc
   • Software\Electronic Arts\EA Games\Battlefield 2\ergc
   • Software\Electronic Arts\EA Distribution\Freedom Force\ergc
   • Software\Unreal Technology\Installed Apps\UT2004
   • Software\Unreal Technology\Installed Apps\UT2003
   • Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings
   • Software\JoWooD\InstalledGames\IG2
   • Software\Valve\Half-Life\Settings
   • Software\Valve\Gunman\Settings
   • Software\Eugen Systems\The Gladiators
   • Software\Valve\CounterStrike\Settings
   • Software\BioWare\NWN\Neverwinter

The password from the following program:
   • Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Login

Miscellaneous
Furthermore it contains the following strings:
   • [cBot.cdkeys] %s CD Key: (%s).
   • [cBot.p2p] File Copied to Peer to Peer sharing.
   • [cBot.sock5] Server started on: %s:%d [USER]: %s [PASS]: %s
   • [cBot.main] Rebooting system.
   • [cBot.passwords] FireFox Started.
   • [cBot.cdkeys] Search completed.

File details
Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
   • Armadillo

Description inserted by Petre Galan on Tuesday, May 25, 2010
Description updated by Petre Galan on Tuesday, May 25, 2010
