Adware:Win32/Wintrim
First posted on 04 January 2013.
Source: Microsoft
Aliases:
Adware:Win32/Wintrim is also known as ADSPY/Navi.A (Avira), Win32/Adware.BHO.NEG application (ESET), Trojan.Win32.BHO (Ikarus), not-a-virus:AdWare.Win32.Navi (Kaspersky), Adware.Slagent (Symantec), ADW_SLAGENT (Trend Micro).
Explanation:
Installation
Adware:Win32/Wintrim may install the following files in your computer:
- %windir%\wmvploc.dll
- %windir%\svrhost.dll
- <system folder>\wmvploc.dll
- <system folder>\svrhost.dll
- <system folder>\host.db
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is "C:\WinNT\System32" on Windows 2000 and NT, and "C:\Windows\System32" on Windows XP, Vista, 7, and 8.
It registers itself as a Browser Helper Object (BHO) by creating the following registry entries:
- HKLM\SOFTWARE\Classes\Svrhost.PopBlocker
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<GUID>
where <GUID> may vary.
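The file paths and registry keys above are the host artifacts a responder would check for. The following PowerShell script is an added example (not Microsoft's tooling or part of the original description): it tests for each listed file, reports the Svrhost.PopBlocker ProgID, and enumerates every registered BHO, resolving each GUID through its CLSID\InprocServer32 value so the variable <GUID> does not have to be known in advance. Checking the WOW6432Node hives as well is an assumption for 32-bit components on 64-bit Windows.

```powershell
# Added host check for the Adware:Win32/Wintrim artifacts listed above.
# Example code, not Microsoft's; run from an elevated PowerShell session on the host being inspected.

$sys = [Environment]::GetFolderPath('System')   # resolves <system folder>, e.g. C:\Windows\System32
$win = $env:windir                              # resolves %windir%

# Files named in the description
$filePaths = @(
    (Join-Path $win 'wmvploc.dll'),
    (Join-Path $win 'svrhost.dll'),
    (Join-Path $sys 'wmvploc.dll'),
    (Join-Path $sys 'svrhost.dll'),
    (Join-Path $sys 'host.db')
)

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        # Record a hash so the sample can be matched against AV telemetry later
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = "SHA256=$hash" }
    }
}

# ProgID created by the adware
$progId = 'HKLM:\SOFTWARE\Classes\Svrhost.PopBlocker'
if (Test-Path -Path $progId) {
    $clsid = (Get-ItemProperty -Path "$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = $progId; Detail = "CLSID=$clsid" }
}

# Enumerate every registered BHO (the GUID varies) and resolve each one to the DLL it loads.
# The WOW6432Node paths are an assumption covering 32-bit BHOs on 64-bit Windows.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID')

foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path -Path $bhoKey)) { continue }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $guid = $_.PSChildName
        $dll  = $null
        foreach ($root in $clsidRoots) {
            $inproc = Join-Path $root "$guid\InprocServer32"
            if (Test-Path -Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                break
            }
        }
        # Flag BHOs whose server DLL carries one of the file names from the description
        $suspicious = $dll -match '(?i)(svrhost|wmvploc)\.dll$'
        $findings += [pscustomobject]@{
            Type   = if ($suspicious) { 'BHO (matches Wintrim)' } else { 'BHO' }
            Item   = "$bhoKey\$guid"
            Detail = "InprocServer32=$dll"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Wintrim artifacts found; no BHOs registered.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any BHO row is worth a look, not just the flagged ones: legitimate BHOs exist, but an unrecognised GUID whose InprocServer32 points into %windir% or System32 rather than a vendor's Program Files directory fits the installation pattern described here.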
Behavior
Displays ads
Adware:Win32/Wintrim displays ads. It connects to a remote server, which tells it what ads to display. In the wild, it has been known to download ads from "www.97tl.cn".
If you open Internet Explorer, it may open to the following webpage:
Analysis by Jim Wang
Last update 04 January 2013