
Adware:Win32/Wingo


First posted on 06 September 2011.
Source: SecurityHome

Aliases :

There are no other names known for Adware:Win32/Wingo.

Explanation :

Adware:Win32/Wingo is a program that may install a Browser Helper Object (BHO) that may display pop-up advertisements and download updates of itself.



Installation

When executed, the Adware:Win32/Wingo installer file drops the following files:

  • %Temp%\winggou.exe
  • %Temp%\winggo.bat
  • %ProgramFiles%\winggo\sm00101.dat
  • %ProgramFiles%\winggo\smlist.dat
  • %ProgramFiles%\winggo\winggo.dll
  • %ProgramFiles%\winggo\winggom.exe
  • %ProgramFiles%\winggo\winggoSetup.exe
  • %ProgramFiles%\winggo\winggou.exe


It then creates the following registry entries so that it runs again after the computer restarts. The Run entry starts the updater component every time Windows starts; the RunOnce entry runs the setup program once, at the next start, after which Windows deletes the RunOnce value:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "WingGo"
With data: "%ProgramFiles%\winggo\winggou.exe UPDATE"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "winggo"
With data: "%ProgramFiles%\winggo\winggoSetup.exe"

Adware:Win32/Wingo also creates the following registry entries as part of its installation routine:

In subkey: HKCU\Environment
Sets value: "OSVersion"
With data: "<Windows OS version>"

In subkey: HKCU\Software
Sets value: "WC"
With data: "dword:00000001"

In subkey: HKCU\Software\Microsoft
Sets value: "WC"
With data: "dword:00000001"

In subkey: HKLM\SOFTWARE\winggo
Sets value: "DefaultSearchIdx"
With data: "dword:00000006"
Sets value: "PotalSearch"
With data: "dword:00000000"
Sets value: "ShoppingSearch"
With data: "dword:00000001"
Sets value: "RSS"
With data: "dword:00000001"
Sets value: "BoldKeyword"
With data: "dword:00000001"
Sets value: "Translate"
With data: "dword:00000001"
Sets value: "FreeMusic"
With data: "dword:00000001"
Sets value: "ExtendSearch2"
With data: "dword:00000001"
Sets value: "Capture"
With data: "dword:00000000"
Sets value: "LastExecuteDate"
With data: "<current date>"
Sets value: "PCode"
With data: "00101"
Sets value: "PFile"
With data: "sm00101.dat"
Sets value: "sm00101.dat"
With data: "<current date>"
Sets value: "winggo.dll"
With data: "<current date>"
Sets value: "winggou.exe"
With data: "<current date>"
Sets value: "47049616u"
With data: "http%3A%2F%2Fdau%2Enet%2F" (the URL-encoded form of http://dau.net/)
Sets value: "winggom.exe"
With data: "<current date>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WingGo
Sets value: "DisplayName"
With data: "WingGo"
Sets value: "InstallLocation"
With data: "%ProgramFiles%\winggo\"
Sets value: "DisplayIcon"
With data: "%ProgramFiles%\winggo\winggou.exe"
Sets value: "UninstallString"
With data: "%ProgramFiles%\winggo\winggou.exe remove"

Execution

Installs toolbar

It then registers the dropped file "winggo.dll" under two CLSIDs, one used as a Browser Helper Object (BHO) and the other as an Internet Explorer toolbar, by creating the following registry entries:

In subkey: HKCR\CLSID\{002B9765-AB24-47E6-8DB6-6A1A0CE11BC9}
Sets value: "@"
With data: "winggo"

In subkey: HKCR\CLSID\{002B9765-AB24-47E6-8DB6-6A1A0CE11BC9}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\winggo\winggo.dll"
Sets value: "ThreadingModel"
With data: "Apartment"

In subkey: HKCR\CLSID\{003B9765-AB24-47E6-8DB6-6A1A0CE11BC9}
Sets value: "@"
With data: "winggo"

In subkey: HKCR\CLSID\{003B9765-AB24-47E6-8DB6-6A1A0CE11BC9}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\winggo\winggo.dll"
Sets value: "ThreadingModel"
With data: "Apartment"

In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Sets value: "{003B9765-AB24-47E6-8DB6-6A1A0CE11BC9}"
With data: ""

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{002B9765-AB24-47E6-8DB6-6A1A0CE11BC9}
Sets value: "NoExplorer"
With data: "dword:00000001"

The "NoExplorer" value restricts the BHO to Internet Explorer; Windows Explorer does not load BHOs that set it. Once loaded, the BHO may display pop-up advertisements and may redirect web searches. The second CLSID registers the same DLL as an Internet Explorer toolbar.
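The persistence entries from the Installation section and the BHO and toolbar registrations above can be checked offline from a registry export (for example, one taken from a disk image with "reg export"). The following is an added example, not part of the original analysis: it parses a .reg file, resolves every Browser Helper Object and Internet Explorer toolbar CLSID to the DLL its InprocServer32 key points at, lists the Run/RunOnce entries, and flags anything that points into the winggo install directory. SAMPLE_REG is constructed to mirror the keys listed on this page; the benign helper ({11111111-...}) and its DLL and tray program are placeholders, not real indicators.

```python
"""Offline triage of a Windows .reg export for the Adware:Win32/Wingo keys
listed above (Run/RunOnce, CLSID -> winggo.dll, BHO and toolbar registration).
Added example; SAMPLE_REG is constructed, and the {11111111-...} helper,
helper.dll and tray.exe entries are benign placeholders."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WingGo"="C:\\Program Files\\winggo\\winggou.exe UPDATE"
"BenignTray"="C:\\Program Files\\Benign\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"winggo"="C:\\Program Files\\winggo\\winggoSetup.exe"

[HKEY_CLASSES_ROOT\CLSID\{002B9765-AB24-47E6-8DB6-6A1A0CE11BC9}]
@="winggo"

[HKEY_CLASSES_ROOT\CLSID\{002B9765-AB24-47E6-8DB6-6A1A0CE11BC9}\InprocServer32]
@="C:\\Program Files\\winggo\\winggo.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{003B9765-AB24-47E6-8DB6-6A1A0CE11BC9}\InprocServer32]
@="C:\\Program Files\\winggo\\winggo.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Benign\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{002B9765-AB24-47E6-8DB6-6A1A0CE11BC9}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{003B9765-AB24-47E6-8DB6-6A1A0CE11BC9}"=""
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

BHO_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects'
TOOLBAR_KEY = r'hkey_local_machine\software\microsoft\internet explorer\toolbar'
RUN_KEYS = (r'hkey_local_machine\software\microsoft\windows\currentversion\run',
            r'hkey_local_machine\software\microsoft\windows\currentversion\runonce')
WINGO_DIR = '\\winggo\\'  # install directory from the dropped-file list above


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex:/binary values are left undecoded


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: value}}; '' is the default value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1]).lower()
            reg[current][name] = _decode(m.group(2))
    return reg


def resolve_clsid(reg, clsid):
    """DLL named by the CLSID's InprocServer32 default value, or None if unregistered."""
    return reg.get('hkey_classes_root\\clsid\\' + clsid.lower() + '\\inprocserver32', {}).get('')


def find_browser_extensions(reg):
    """Every BHO and IE toolbar CLSID, resolved to its DLL."""
    found, seen = [], set()
    for key, values in reg.items():
        if key.startswith(BHO_KEY + '\\'):
            clsid = key[len(BHO_KEY) + 1:].split('\\')[0]
            if clsid not in seen:
                seen.add(clsid)
                found.append({'kind': 'BHO', 'clsid': clsid, 'dll': resolve_clsid(reg, clsid),
                              'ie_only': values.get('noexplorer') == 1})  # NoExplorer=1: IE only
    for clsid in reg.get(TOOLBAR_KEY, {}):
        if clsid.startswith('{'):
            found.append({'kind': 'Toolbar', 'clsid': clsid, 'dll': resolve_clsid(reg, clsid),
                          'ie_only': True})
    return found


def find_autoruns(reg):
    """Run/RunOnce entries as (key name, value name, command)."""
    return [(key.rsplit('\\', 1)[1], name, cmd)
            for key in RUN_KEYS for name, cmd in reg.get(key, {}).items()]


def wingo_indicators(reg):
    """Autoruns, BHOs and toolbars that point into the winggo install directory."""
    hits = []
    for key, name, cmd in find_autoruns(reg):
        if WINGO_DIR in str(cmd).lower():
            hits.append(('autorun:' + key, name, cmd))
    for ext in find_browser_extensions(reg):
        if ext['dll'] and WINGO_DIR in ext['dll'].lower():
            hits.append((ext['kind'], ext['clsid'], ext['dll']))
    return hits


if __name__ == '__main__':
    # A real export is UTF-16: open(path, encoding='utf-16').read()
    for hit in wingo_indicators(parse_reg_export(SAMPLE_REG)):
        print(*hit)
```

Resolving CLSIDs through InprocServer32 rather than grepping for the GUIDs matters because a repacked build can change the CLSIDs while the DLL path stays the same; matching on the install directory catches both. Files exported by reg.exe are UTF-16 with a byte-order mark, so open them with encoding='utf-16' before passing the text in.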

The toolbar may look similar to the following (screenshot not reproduced in this copy).

Connects to servers

Adware:Win32/Wingo can update itself by downloading the following files and replacing the current component files with the updated ones:

  • s.winggo.co.kr/SM3/smlist.dat
  • s.winggo.co.kr/SM3/sm00101.dat
  • s.winggo.co.kr/SM3/winggo.dll
  • s.winggo.co.kr/SM3/winggou.exe
  • s.winggo.co.kr/SM3/winggoSetup.exe
  • s.winggo.co.kr/SM3/winggom.exe


It also connects to the same server to register its presence on the affected computer, sending the computer's MAC address as part of that report.
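The update downloads above are the most reliable network indicator for this adware. The following is an added example, not part of the original analysis: it scans web-proxy log lines for requests to s.winggo.co.kr, labels fetches of the listed component files under /SM3/ as updates, and reports any other request to that host as contact with the update server. The log format (unix time, client IP, method, URL, status) and the SAMPLE_LOG lines are constructed; the POST to the server root stands in for the presence report, whose path the analysis does not give.

```python
"""Flag Adware:Win32/Wingo update traffic in proxy log lines.  Added example;
the log format and SAMPLE_LOG are constructed, and the POST to "/" is a
placeholder for the presence report (its real path is not given above)."""
from urllib.parse import urlsplit
import posixpath

UPDATE_HOST = 's.winggo.co.kr'
UPDATE_DIR = '/sm3/'
COMPONENTS = {'smlist.dat', 'sm00101.dat', 'winggo.dll',
              'winggou.exe', 'winggosetup.exe', 'winggom.exe'}  # lower-cased

SAMPLE_LOG = """\
1315296001.120 10.0.0.17 GET http://s.winggo.co.kr/SM3/smlist.dat 200
1315296001.350 10.0.0.17 GET http://s.winggo.co.kr/SM3/winggo.dll 200
1315296002.004 10.0.0.17 GET http://www.example.com/index.html 200
1315296003.777 10.0.0.23 GET http://S.WINGGO.CO.KR/sm3/WINGGOU.EXE 200
1315296004.010 10.0.0.17 POST http://s.winggo.co.kr/ 200
1315296005.500 10.0.0.31 GET http://s.winggo.co.kr.example.net/SM3/winggo.dll 200
"""


def classify_request(url):
    """('update', component) for a component download, ('contact', path) for any
    other request to the update server, None for unrelated traffic."""
    parts = urlsplit(url)
    # .hostname is lower-cased by urlsplit; compare exactly, not as a substring,
    # so look-alike hosts such as s.winggo.co.kr.example.net do not match
    if parts.hostname != UPDATE_HOST:
        return None
    path = parts.path.lower()  # Windows clients may vary the case of the path
    if path.startswith(UPDATE_DIR) and posixpath.basename(path) in COMPONENTS:
        return ('update', posixpath.basename(path))
    return ('contact', parts.path)


def scan_log(text):
    """One hit per log line that touches the update server."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, method, url, _status = fields[:5]
        verdict = classify_request(url)
        if verdict:
            hits.append({'client': client, 'method': method,
                         'kind': verdict[0], 'detail': verdict[1]})
    return hits


def affected_clients(text):
    """Clients that fetched at least one Wingo component."""
    return sorted({h['client'] for h in scan_log(text) if h['kind'] == 'update'})


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print('clients with component downloads:', affected_clients(SAMPLE_LOG))
```

Matching on host plus the /SM3/ directory plus the component file name, rather than on the bare file names, keeps unrelated downloads of a file that happens to be called winggo.dll from firing, while the separate "contact" verdict still surfaces the check-in traffic from hosts that did not download anything during the logged window.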



Analysis by Ric Robielos

Last update 06 September 2011
