Threat Database Backdoors Backdoor.Winnti

Backdoor.Winnti

By SpideyMan in Backdoors

The Winnti Trojan, first discovered in 2011, is a dangerous backdoor Trojan that can be used to carry out all kinds of attacks on the victim's computer. As of April of 2013, the Winnti Trojan remains highly active around the world. There have been numerous alarming reports of infections associated with Winnti, mostly centered in Southeastern Asia. In fact, in the Spring of 2013 the criminals responsible for Winnti received widespread media attention due to the pervasiveness of these attacks and in particular because of a large wave of attacks designed to steal gaming information such as online gaming account passwords and credit card information.

Backdoor.Winnti gathers its victim's confidential data and forwards it to a remote server for a malicious purpose. Backdoor.Winnti adds system files and modifies the registry so that it can run automatically each time you start your PC. If Backdoor.Winnti has infected your computer, you cannot run, update or uninstall certain software programs. Backdoor.Winnti also injects processes with malicious payloads and sets up drivers and services. Get rid of Backdoor.Winnti immediately after detection.

The Winnti Trojan can infect all editions of the Windows operating system stretching to Windows NT and Windows XP and as recently as Windows 7. The vast majority of Winnti attacks use the well known CVE-2010-2883 vulnerability, an exploit of a known weakness in Adobe Reader. This means that Winnti can often arrive on the victim's computer as an innocuous PDF file that, when opened, runs a malicious code that installs the Winnti backdoor itself. Because of this, the Winnti Trojan can be distributed through various social engineering means, including misleading email messages and social media spam messages. Once installed, Winnti will make changes to the Windows Registry that allow Winnti to run automatically at start-up, drop its own malicious files on the victim's hard drive and join up with a remote server in order to be given instructions from its command and control server.

Winnti is a powerful backdoor Trojan that can be used to carry out numerous tasks on the infected computer. Using Winnti, criminals can remotely create files on the victim's computer, inject malicious code into running memory processes, make changes to driver and service settings and disable the infected computer's security (such as the Windows firewall and anti-virus software). Winnti also allows criminals to control the infected computer remotely, create or delete user accounts and steal information from the victim's computer. This makes Winnti a highly flexible malware threat that can be used for a variety of attacks. While the most recent publicized Winnti attack involves stealing information related to online gaming, the Winnti Trojan can be just as effective in other kinds of scams such as stealing banking information or using infected computer to carry out DdoS attacks or deliver spam email.

Type: Backdoors

Backdoor.Winnti has typically the following processes in memory:

%System%\drivers\ sp1itter.sys
%System%\drivers\ acplec.sys
%System%\winmm.dll

Backdoor.Winnti creates the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acplec HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp1itter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\"data" = "[RANDOM CHARACTERS]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]

SpyHunter Detects & Remove Backdoor.Winnti

File System Details

Backdoor.Winnti may create the following file(s):
# File Name MD5 Detections
1. %System%\drivers\ sp1itter.sys
2. %System%\drivers\ acplec.sys
3. %System%\winmm.dll
4. apphelp.dll 508f0af84d83e093bf6910dbab45421f 0

Registry Details

Backdoor.Winnti may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acplec HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp1itter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\"data" = "[RANDOM CHARACTERS]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]

Related Posts

Trending

Most Viewed

Loading...