Installation
Trojan:Win32/Wintrim may arrive on your PC bundled with the Mailskinner application. It uses rootkit techniques to make system changes that you cannot see. It usually arrives as a .exe file with a random file name.
It adds a registry entry in the following subkeys so that it runs each time you start your PC:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Variants of Trojan:Win32/Wintrim may also create the following registry subkeys as part of their installation processes:
- HKLM\Software\LanConfig
- HKLM\Software\livesvc\navtime
- HKLM\Software\exts
- HKLM\Software\mc
The trojan may drop a .dll file into the <system folder>, for example:
- MCv2DLL.dll
- msclock32.dll
- msegcompid.dll
- msplock32.dll
- mstmpreg32.dll
- mswbm32.dll
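The following PowerShell triage script is an added example and is not part of the Microsoft write-up. It walks the autorun and Uninstall subkeys and the dropped-DLL names listed above, resolves each referenced executable, and flags binaries that are unsigned or carry a random-looking name. The registry paths and file names come from this page; the `Get-ExePath` and `Test-Binary` helpers and the random-name heuristic are assumptions of the example, meant as a starting point for an analyst rather than a definitive detection.

```powershell
# Added example: triage Wintrim persistence locations. Run from an elevated prompt.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$uninstallKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$markerKeys   = 'HKLM:\Software\LanConfig', 'HKLM:\Software\livesvc\navtime',
                'HKLM:\Software\exts', 'HKLM:\Software\mc'
$droppedDlls  = 'MCv2DLL.dll', 'msclock32.dll', 'msegcompid.dll',
                'msplock32.dll', 'mstmpreg32.dll', 'mswbm32.dll'

# Pull the executable path out of a command line (quoted or unquoted), expanding %VAR%s.
function Get-ExePath([string]$cmd) {
    if (-not $cmd) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }
    return $null
}

# Describe one binary: existence, Authenticode status, and a random-name heuristic
# (hypothetical rule: 6+ characters with no vowel, or 10+ mixed letters and digits).
function Test-Binary([string]$path, [string]$source) {
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' }
    $name   = if ($path) { [IO.Path]::GetFileNameWithoutExtension($path) } else { '' }
    $randomName = ($name -match '^[^aeiou]{6,}$') -or ($name -match '^(?=.*\d)[a-z0-9]{10,}$')
    [pscustomobject]@{
        Source     = $source
        Path       = $path
        Exists     = $exists
        Signature  = $sig
        RandomName = $randomName
        Suspicious = ($sig -ne 'Valid') -or $randomName
    }
}

$findings = @()

# 1. Run / RunOnce values: every value is a command line started at logon.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $findings += Test-Binary (Get-ExePath $p.Value) "$key\$($p.Name)"
    }
}

# 2. Uninstall entries: check the UninstallString target of each subkey
#    (noisy, since many legitimate uninstallers are unsigned; review by hand).
Get-ChildItem -LiteralPath $uninstallKey -ErrorAction SilentlyContinue | ForEach-Object {
    $e = Get-ItemProperty -LiteralPath $_.PSPath
    if ($e.UninstallString) {
        $findings += Test-Binary (Get-ExePath $e.UninstallString) "Uninstall\$($_.PSChildName)"
    }
}

# 3. Marker subkeys and dropped DLLs named on this page.
foreach ($k in $markerKeys) {
    if (Test-Path -LiteralPath $k) { Write-Warning "Wintrim marker subkey present: $k" }
}
$sysDir = [Environment]::SystemDirectory
foreach ($d in $droppedDlls) {
    $full = Join-Path $sysDir $d
    if (Test-Path -LiteralPath $full) { $findings += Test-Binary $full 'dropped DLL' }
}

$findings | Where-Object Suspicious | Format-Table -AutoSize
```

Because the trojan hides its changes with rootkit techniques, a clean result from this script on a live system is not proof of absence; the same checks are more trustworthy when run against the offline registry hives and system folder of a disk mounted from a known-clean boot environment.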
Payload
Displays pop-up advertisements
Trojan:Win32/Wintrim variants usually download a .xml file containing the keywords and URLs that determine which pop-up advertisements they display. The .xml file also includes a block list, which may be used to prevent legitimate websites and search results from being displayed.
Wintrim then hijacks ads displayed by certain browsers and applications and replaces them with its own advertisements based on the received .xml file. The affected applications and browsers include:
- FIREFOX.EXE
- ICQ.EXE
- IEXPLORE.EXE
- MOZILLA.EXE
- MSIMN.EXE
- MSNMSGR.EXE
- OUTLOOK.EXE
- SKYPE.EXE
- THUNDERBIRD.EXE
- WAOL.EXE
The displayed pop-up advertisements are based on the keywords you enter in these browsers, and may be pornographic in nature.
To stop its advertisements from being blocked, it adds a registry entry in the following subkey to register itself as a trusted publisher:
In subkey: HKLM\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A
Sets value: "electronic-group"
With data: "goicfboogidikkejccmclpieicihhlpo jimddp"
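The following script is an added example, not part of the Microsoft write-up, showing how an analyst would check the machine's Trusted Publishers store for the thumbprint listed above and for the anomalous registry value the page describes. The thumbprint and registry path are taken from this page; the script otherwise relies only on the built-in `Cert:` and `HKLM:` providers. A certificate subkey under `SystemCertificates` normally holds a single `Blob` value, so any other value name is treated as an anomaly.

```powershell
# Added example: review LocalMachine\TrustedPublisher for the Wintrim-associated entry.
$thumbprint = '62119EF862C6B3A0D853419B87EB3E2F6C78640A'   # from the write-up
$regPath    = "HKLM:\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\$thumbprint"

# 1. Certificate-store view: is the publisher currently trusted machine-wide?
$cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if ($cert) {
    Write-Warning "Wintrim-associated publisher is trusted: $($cert.Subject) (expires $($cert.NotAfter))"
} else {
    Write-Host "Thumbprint $thumbprint is not in LocalMachine\TrustedPublisher"
}

# 2. Registry-backed view: anything other than 'Blob' under the certificate key is unexpected
#    (the write-up reports a value named 'electronic-group').
if (Test-Path -LiteralPath $regPath) {
    $values = (Get-Item -LiteralPath $regPath).GetValueNames()
    $extra  = $values | Where-Object { $_ -ne 'Blob' }
    if ($extra) { Write-Warning "Unexpected values under certificate key: $($extra -join ', ')" }
}

# 3. Full inventory so every trusted publisher can be vetted, not just the known one.
Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Select-Object Thumbprint, Subject, Issuer, NotAfter |
    Format-Table -AutoSize

# Removal once the entry is confirmed malicious (left commented so the script only reports):
# Remove-Item -Path "Cert:\LocalMachine\TrustedPublisher\$thumbprint"
```

Membership in Trusted Publishers suppresses the publisher prompt for signed code, so an unexplained entry there deserves the same scrutiny as an unexplained autorun entry, regardless of whether the thumbprint matches the one on this page.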
Monitors your activities
Wintrim hooks the following APIs to gain information about your actions:
- NtEnumerateKey
- NtEnumerateValueKey
- NtQueryDirectoryFile
- NtQuerySystemInformation
It also uses the rasmon.exe application to monitor your remote access activities.
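Hooks on NtEnumerateKey, NtEnumerateValueKey and NtQueryDirectoryFile sit on the enumeration path, which is what lets the trojan keep its registry subkeys and dropped files out of directory listings. The following cross-view check is an added example, not part of the Microsoft write-up: it compares what enumeration reports for a parent key or folder (`Get-ChildItem`, which goes through the hooked enumeration APIs) with a direct open of each child by name (`Test-Path -LiteralPath`, which uses the open/query-attributes path instead). A name that opens successfully but is missing from its parent's listing is being filtered. The names probed are the subkeys and DLLs from the Installation section of this page; `Compare-View` is a helper written for the example.

```powershell
# Added example: cross-view detection of hidden registry keys and files.
$registryNames = @{
    'HKLM:\Software'         = @('LanConfig', 'livesvc', 'exts', 'mc')
    'HKLM:\Software\livesvc' = @('navtime')
}
$fileNames = @{
    ([Environment]::SystemDirectory) = @('MCv2DLL.dll', 'msclock32.dll', 'msegcompid.dll',
                                         'msplock32.dll', 'mstmpreg32.dll', 'mswbm32.dll')
}

function Compare-View {
    param([hashtable]$Map)
    foreach ($parent in $Map.Keys) {
        # View 1: names the enumeration API returns for the parent (-Force includes hidden files).
        $listed = @(Get-ChildItem -LiteralPath $parent -Force -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty PSChildName)
        foreach ($name in $Map[$parent]) {
            $child = Join-Path $parent $name
            # View 2: open the child directly by name, bypassing enumeration.
            $opens      = Test-Path -LiteralPath $child
            $enumerated = $listed -contains $name
            [pscustomobject]@{
                Path       = $child
                DirectOpen = $opens
                Enumerated = $enumerated
                Verdict    = if ($opens -and -not $enumerated) { 'HIDDEN (enumeration hook suspected)' }
                             elseif ($opens) { 'present' } else { 'absent' }
            }
        }
    }
}

Compare-View $registryNames
Compare-View $fileNames
```

The check only works because the write-up lists enumeration hooks and not hooks on the open path; a variant that also filtered NtOpenKey or NtCreateFile would defeat it, and the NtQuerySystemInformation hook cannot be cross-checked this way from PowerShell because process lookups by ID use the same snapshot API. When the cross-view disagrees, confirm from an offline boot rather than trusting either view of the live system.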
Steals sensitive data
Trojan:Win32/Wintrim sends the following information about your PC to a remote server:
- Version of Internet Explorer
- Version of Windows
- Your geographic locale
- Navipromo install date
- Navipromo running mode
- Name of antivirus or antimalware software installed
- URLs located in your browser's Favorites list
- URLs located in your browser's history
Disables applications
Trojan:Win32/Wintrim disables Norton Ghost, a backup utility.
Downloads and installs software
It connects to the website security-updater.com to download updates for itself.
It may also ask you to download the program NewPromoRemover to remove its advertising capabilities.
Additional information
It creates the following mutexes:
- eshmemg_mutex
- mymutsglwork
This could be an infection marker to prevent more than one copy of the threat from running on your PC.
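A named mutex that exists only while the trojan is running makes a cheap live indicator, and it is one the enumeration hooks listed earlier cannot hide, since opening a mutex by name does not go through any of the hooked APIs. The following check is an added example and not part of the Microsoft write-up; it probes both the session-local and the `Global\` namespace for each mutex name given above. `Test-NamedMutex` is a helper written for the example.

```powershell
# Added example: probe for the Wintrim infection-marker mutexes.
$mutexNames = 'eshmemg_mutex', 'mymutsglwork'

function Test-NamedMutex([string]$name) {
    foreach ($candidate in $name, "Global\$name") {
        try {
            # OpenExisting succeeds only if some process currently holds the mutex.
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            return [pscustomobject]@{ Name = $candidate; Present = $true; Note = 'opened' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # No object with this name in this namespace; try the next one.
        } catch [System.UnauthorizedAccessException] {
            # The object exists but our token cannot open it: still evidence it is there.
            return [pscustomobject]@{ Name = $candidate; Present = $true; Note = 'exists, access denied' }
        }
    }
    [pscustomobject]@{ Name = $name; Present = $false; Note = 'not found in local or Global namespace' }
}

$mutexNames | ForEach-Object { Test-NamedMutex $_ }
```

A positive result says a process holding that name is alive in the current session (or machine-wide, for the `Global\` form); a negative result only says it is not running right now, so it does not replace the registry and file checks for dormant installations.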
Analysis by Jaime Wong and Geoff McDonald