Virus

W32/Winshow!tr

Analysis

  • Trojan is a 32-bit .DLL file of varying size
  • Trojan acts as a proxy application, delivering web content to a compromised system
  • Trojan may periodically attempt to connect to the web address '00hq.com' as a means of updating itself
  • Trojan may have been introduced to the system from a malicious web page that creates a downloader Trojan, and this downloader retrieves the proxy Trojan
  • The registry is modified to auto-run the Trojan files at Windows startup -

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\InprocServer32\
    "(Default)" = [Document Folder]\[User]\Application Data\winshow\winshow.dll
    "ThreadingModel" = Apartment

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\InprocServer32\
    "(Default)" = [Document Folder]\[User]\Application Data\winlink\winlink.dll
    "ThreadingModel" = Apartment

  • The Trojan makes additional registry adjustments related to the operation of the Trojan -

    HKEY_CURRENT_USER\Software\WinShow\WinShow\
    "ConfigVersion" = 00, 00, 00, 00
    "Counter" = 00, 00, 00, 00
    "DictVersion" = 00, 00, 00, 00
    "LastDay" = 00, 00, 00, 00
    "LastHPDay" = 00, 00, 00, 00
    "LastUpdate" = 00, 00, 00, 00
    "ModuleVersion" = 00, 00, 00, 00
    "UpdateHour" = 00, 00, 00, 00

    HKEY_CURRENT_USER\Software\WinShow\WinShow\Save\URLSearchHooks\
    "{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}" = [data]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = [data]

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\
    "(Default)" = ViewSource Class

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\ProgID\
    "(Default)" = WinShow.ViewSource.1

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\TypeLib\
    "(Default)" = {2C671705-77A7-4592-A484-545087ED9EE8}

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\VersionIndependentProgID\
    "(Default)" = WinShow.ViewSource

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\
    "(Default)" = ViewSource Class

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\ProgID\
    "(Default)" = winlink.ViewSource.1

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\TypeLib\
    "(Default)" = {2C671705-77A7-4592-A484-545087ED9EE8}

    HKEY_CLASSES_ROOT\CLSID\
    {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\VersionIndependentProgID\
    "(Default)" = winlink.ViewSource

    HKEY_CLASSES_ROOT\winlink.ViewSource\
    "(Default)" = ViewSource Class

    HKEY_CLASSES_ROOT\winlink.ViewSource\CLSID\
    "(Default)" = {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}

    HKEY_CLASSES_ROOT\winlink.ViewSource\CurVer\
    "(Default)" = winlink.ViewSource.1

    HKEY_CLASSES_ROOT\winlink.ViewSource.1\
    "(Default)" = ViewSource Class

    HKEY_CLASSES_ROOT\winlink.ViewSource.1\CLSID\
    "(Default)" = {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}

    HKEY_CLASSES_ROOT\WinShow.ViewSource\
    "(Default)" = ViewSource Class

    HKEY_CLASSES_ROOT\WinShow.ViewSource\CLSID\
    "(Default)" = {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}

    HKEY_CLASSES_ROOT\WinShow.ViewSource\CurVer\
    "(Default)" = WinShow.ViewSource.1

    HKEY_CLASSES_ROOT\WinShow.ViewSource.1\
    "(Default)" = ViewSource Class

    HKEY_CLASSES_ROOT\WinShow.ViewSource.1\CLSID\
    "(Default)" = {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\Browser Helper Objects\
    {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\
    "(Default)" = WinShow module
    "(Default)" = winlink module

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\WinShow\
    "DisplayName" = WinShow
    "UninstallString" = regsvr32 /u /s [Document Folder]\[User]\Application Data\winshow\winshow.dll
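The registry entries above are the artifacts an administrator would check for when triaging a suspected infection. The following PowerShell function is an added example written for this page, not part of the Fortinet advisory or any Fortinet tool: it performs a read-only sweep for the CLSIDs, ProgIDs, Browser Helper Object registration, per-user WinShow configuration values and Uninstall entry listed above, and reports whether the referenced DLLs exist on disk. It assumes the user profile's "Application Data" folder maps to `$env:APPDATA` (an assumption, since the advisory only gives the path template), and that it is run in the context of the affected user so that HKEY_CURRENT_USER is that user's hive.

```powershell
# Added example (not from the advisory): read-only check for W32/Winshow!tr
# registry and file artifacts. Nothing is modified; results are returned as strings.
function Find-WinshowArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # CLSIDs registered by the Trojan, taken from the advisory
    $clsids = @{
        '{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}' = 'WinShow.ViewSource'
        '{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}' = 'winlink.ViewSource'
    }

    foreach ($clsid in $clsids.Keys) {
        # COM in-process server registration; the default value is the DLL path
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            $findings.Add("InprocServer32 for $clsid -> $dll")
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $findings.Add("DLL present on disk: $dll")
            }
        }

        # Browser Helper Object registration loads the DLL into Internet Explorer
        $bho = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        if (Test-Path -LiteralPath $bho) {
            $findings.Add("Browser Helper Object registered: $clsid")
        }

        # ProgID and version-independent ProgID keys (e.g. WinShow.ViewSource, WinShow.ViewSource.1)
        $progId = $clsids[$clsid]
        foreach ($key in @("Registry::HKEY_CLASSES_ROOT\$progId",
                           "Registry::HKEY_CLASSES_ROOT\$progId.1")) {
            if (Test-Path -LiteralPath $key) { $findings.Add("ProgID key present: $key") }
        }
    }

    # Per-user configuration store used by the Trojan
    $cfg = 'Registry::HKEY_CURRENT_USER\Software\WinShow\WinShow'
    if (Test-Path -LiteralPath $cfg) {
        $props = Get-ItemProperty -LiteralPath $cfg
        $names = 'ConfigVersion','Counter','DictVersion','LastDay',
                 'LastHPDay','LastUpdate','ModuleVersion','UpdateHour'
        foreach ($name in $names) {
            if ($null -ne $props.$name) { $findings.Add("HKCU WinShow value present: $name") }
        }
        # Saved URLSearchHooks entries, which the Trojan uses to hook browser searches
        $hooks = Join-Path $cfg 'Save\URLSearchHooks'
        if (Test-Path -LiteralPath $hooks) {
            (Get-Item -LiteralPath $hooks).GetValueNames() |
                ForEach-Object { $findings.Add("Saved URLSearchHook: $_") }
        }
    }

    # Add/Remove Programs entry referenced in the Recommended Action section
    $uninst = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinShow'
    if (Test-Path -LiteralPath $uninst) {
        $cmd = (Get-ItemProperty -LiteralPath $uninst).UninstallString
        $findings.Add("Uninstall entry present; UninstallString = $cmd")
    }

    # File locations from the advisory's path template; the mapping to $env:APPDATA
    # is an assumption of this example, not something the advisory states
    foreach ($rel in 'winshow\winshow.dll', 'winlink\winlink.dll') {
        $path = Join-Path $env:APPDATA $rel
        if (Test-Path -LiteralPath $path) { $findings.Add("Trojan DLL found: $path") }
    }

    return $findings
}

# Usage: print findings, or a clean result if none of the artifacts are present
$result = Find-WinshowArtifacts
if ($result.Count -eq 0) { 'No W32/Winshow!tr registry or file artifacts found.' } else { $result }
```

Because the COM and BHO keys live under HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE, run the check from an elevated session to avoid false negatives caused by access-denied reads; a clean result from this script is only evidence that these specific artifacts are absent, not that the system is free of the downloader that installed them.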

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Uninstall the Trojan using Add/Remove Programs, and select "Winshow" if listed