Virus Detail

Win32.Wintrim.U

Date Published:
6 Sep 2004

Last Updated:
15 Nov 2004

Threat Assessment

Overall Risk:   Low
Wild:  Medium
Destructiveness:  Low
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Dialer-185 (McAfee), Win32/Trilon.B (Eset), Win32/TrojanDownloader.Wintrim.AU (Eset), Win32/TrojanDownloader.Wintrim.BB (Eset), W32/Wintrim.H@dl (F-Secure), Trojan.Win32.Dialer.db (Kaspersky), TrojanDownloader.Win32.Wintrim.bb (Kaspersky), TrojanDownloader.Win32.Wintrim.w (Kaspersky), Win32/Wintrim.BB.Trojan, W32/Wintrim.F (F-Secure), Win32.Wintrim.V, Win32/WinTrim.V.DLL.Trojan, Win32.Wintrim.W, Win32.Wintrim.X, Win32.Wintrim.Y, Win32.Wintrim.Z, Win32/Wintrim.Z.DLL.Trojan

Immediate Protection Info

Signature      Product                                       Removal Instructions
23.66.27       eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8546      eTrust Antivirus v7/8* (Vet Engine)
6.1x/5695      eTrust EZ Antivirus 6.1x
6.2x/8546      eTrust EZ Antivirus 6.2x
10.5x/5695     Vet Anti-Virus 10.5x
10.6x/8546     Vet Anti-Virus 10.6x


Description

The Wintrim variants described here are trojans that try to circumvent security settings in Internet Explorer by adding a 'Trusted Publisher' to the list of certificates that Internet Explorer will always accept. Wintrim.U has been distributed as a UPX-packed DLL that is 9,728 bytes in size.


Method of Infection

The trojan creates the following registry key to ensure that its DLL is loaded by explorer.exe:


HKCR\CLSID\{469C7080-8EC8-43A6-AD97-45848113743C}\InprocServer32
    (Default) = <location of original execution>
    ThreadingModel = "Apartment"


Payload

Modifies System Settings

The main purpose of Wintrim.U (and similar variants of this family, including Wintrim.V, Wintrim.W, Wintrim.X, Wintrim.Y and Wintrim.Z) is to circumvent Internet Explorer security settings. 


The trojan performs a registry import, using regedit to load the contents of the file %Windows%\tmlpcert2005, which adds a certificate to Internet Explorer's list of Trusted Publishers. Effectively, this means that content supplied by the publisher named on the certificate will be 'trusted' and not subjected to the usual security checks and measures that would otherwise apply to 'untrusted' content. The default security setting for trusted content in Internet Explorer is 'Low'. Changing this setting results in most content signed by the organization 'electronic-group' being downloaded and run without the user being prompted.
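As an added example (not CA's tooling and not part of the original advisory), the following Python script parses a Windows .reg export and flags the two registry changes described in the Method of Infection and Payload sections: a CLSID InprocServer32 registration pointing at a DLL, and a write to the Trusted Publisher certificate store. The advisory does not show the contents of %Windows%\tmlpcert2005, so the sample export, the DLL path, the certificate thumbprint and the HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher path used for the per-user store are assumptions; the sample values are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a .reg export (assumption: the layout of the file the
# trojan imports is not shown in the advisory). The DLL path and certificate
# thumbprint are placeholders, not values from a real sample.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{469C7080-8EC8-43A6-AD97-45848113743C}\InprocServer32]
@="C:\\PLACEHOLDER\\wintrim.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0000000000000000000000000000000000000000]
"Blob"=hex:00,00,00,00
"""

# CLSID named in the advisory. Any other CLSID whose InprocServer32 default
# value names a DLL is still reported, with a weaker label.
WINTRIM_CLSID = "{469C7080-8EC8-43A6-AD97-45848113743C}"

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_value}}.

    The default value is stored under the name "@". Hex values continued over
    several lines with a trailing backslash are joined before matching, and
    quoted REG_SZ values have their .reg escaping undone.
    """
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.endswith("\\"):          # continuation of a hex(...) value
            pending = line[:-1]
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            value = m.group(3)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries[current][name] = value
    return entries


def find_findings(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (label, key_path) pairs for keys matching the behaviour in the advisory."""
    findings: List[Tuple[str, str]] = []
    for key, values in entries.items():
        parts = key.split("\\")
        # 1. COM in-process server registration: the InprocServer32 default value
        #    names a DLL that explorer.exe (or any host) loads when the CLSID is used.
        if parts[-1].upper() == "INPROCSERVER32" and "@" in values:
            if parts[-2].upper() == WINTRIM_CLSID:
                findings.append(("wintrim-clsid-inprocserver", key))
            else:
                findings.append(("inprocserver-registration", key))
        # 2. Trusted Publisher store write: content signed by that publisher then
        #    runs under the 'Low' trusted-content setting without a prompt.
        if "\\SYSTEMCERTIFICATES\\TRUSTEDPUBLISHER\\" in key.upper():
            findings.append(("trusted-publisher-store-write", key))
    return findings


if __name__ == "__main__":
    for label, key in find_findings(parse_reg(SAMPLE_REG)):
        print(f"{label}: {key}")
```

Run against a real export (regedit /e, or the suspicious file itself), the same two checks separate a stray COM registration from the combination the advisory describes: a DLL registered under the known CLSID together with a new entry in the Trusted Publisher store.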



Analysis by Matthew McCormack

