Backdoor.Winnti

Backdoor.Winnti Description

The Winnti Trojan, first discovered in 2011, is a dangerous backdoor Trojan that can be used to carry out a wide range of attacks on the victim's computer. As of April 2013, the Winnti Trojan remains highly active around the world, with numerous alarming reports of infections, mostly centered in Southeast Asia. In the spring of 2013 the criminals responsible for Winnti received widespread media attention because of the pervasiveness of these attacks and, in particular, because of a large wave of attacks designed to steal gaming information such as online gaming account passwords and credit card information.

Backdoor.Winnti gathers its victim's confidential data and forwards it to a remote server for malicious purposes. It adds system files and modifies the registry so that it runs automatically each time the PC starts. Once Backdoor.Winnti has infected a computer, certain software programs can no longer be run, updated or uninstalled. Backdoor.Winnti also injects malicious payloads into running processes and installs drivers and services. Get rid of Backdoor.Winnti immediately after detection.

The Winnti Trojan can infect all editions of the Windows operating system, from Windows NT and Windows XP through Windows 7. The vast majority of Winnti attacks exploit CVE-2010-2883, a well-known vulnerability in Adobe Reader. This means that Winnti often arrives on the victim's computer as an apparently innocuous PDF file that, when opened, runs malicious code that installs the Winnti backdoor itself. Because of this, the Winnti Trojan can be distributed through various social engineering means, including misleading email messages and social media spam. Once installed, Winnti modifies the Windows Registry so that it runs automatically at start-up, drops its own malicious files on the victim's hard drive and connects to its command and control server to receive instructions.

Winnti is a powerful backdoor Trojan that can be used to carry out numerous tasks on the infected computer. Using Winnti, criminals can remotely create files on the victim's computer, inject malicious code into running processes, change driver and service settings and disable the infected computer's security software (such as the Windows firewall and anti-virus software). Winnti also allows criminals to control the infected computer remotely, create or delete user accounts and steal information from it. This makes Winnti a highly flexible malware threat that can be used for a variety of attacks. While the most recently publicized Winnti attack involved stealing information related to online gaming, the Winnti Trojan can be just as effective in other kinds of schemes, such as stealing banking information or using the infected computer to carry out DDoS attacks or send spam email.

Type: Backdoors

Backdoor.Winnti typically loads the following components (two kernel drivers and a DLL) into memory:

%System%\drivers\sp1itter.sys
%System%\drivers\acplec.sys
%System%\winmm.dll

Backdoor.Winnti creates the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acplec
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp1itter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\"data" = "[RANDOM CHARACTERS]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]


Technical Information

File System Details

Backdoor.Winnti creates the following file(s); size and MD5 are given on the page only for apphelp.dll:

#  File Name                      Size     MD5
1  apphelp.dll                    112,592  508f0af84d83e093bf6910dbab45421f
2  %System%\drivers\sp1itter.sys  -        -
3  %System%\drivers\acplec.sys    -        -
4  %System%\winmm.dll             -        -
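As an added example that is not part of the original page and not SpyHunter's code, the following Python script turns the indicators above (the file names and the apphelp.dll MD5 from the file table, and the service and registry entries listed in the description) into a host check. It assumes %System% is the System32 directory under the SystemRoot environment variable, and the registry export it scans is a constructed sample rather than data from a real host. Two caveats are built in: apphelp.dll and winmm.dll are also the names of legitimate Windows system DLLs, so only the MD5 counts as a strong file indicator, and the service name sp1itter contains a digit one, so matching must be exact.

```python
"""Host indicator checks for the Backdoor.Winnti artifacts listed on this page.

Added example; not EnigmaSoft's or SpyHunter's code. File names, service names,
the HTMLHelp value and the apphelp.dll MD5 come from the page. Assumption:
%System% is the System32 directory under the SystemRoot environment variable.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional

# File indicators from the page, relative to %System%; MD5 only where the page gives one.
WINNTI_FILES: Dict[str, Optional[str]] = {
    "apphelp.dll": "508f0af84d83e093bf6910dbab45421f",
    "drivers/sp1itter.sys": None,
    "drivers/acplec.sys": None,
    "winmm.dll": None,
}
# Service names under HKLM\SYSTEM\CurrentControlSet\Services (from the page).
# "sp1itter" has a digit one: match exactly, not by similarity to "splitter".
WINNTI_SERVICES = {"acplec", "sp1itter"}
# Registry value the backdoor writes, per the page.
WINNTI_REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp"
WINNTI_REG_VALUE_NAME = "data"


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex MD5 of a file, hashed in chunks so large binaries are not read into RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file(path: str, expected_md5: Optional[str]) -> Optional[str]:
    """One file indicator -> finding text or None.

    apphelp.dll and winmm.dll are also legitimate Windows DLL names, so a
    name-only hit is just a lead; a matching MD5 is a strong match.
    """
    if not os.path.isfile(path):
        return None
    if expected_md5 is None:
        return f"name match only: {path}"
    actual = md5_of_file(path)
    if actual.lower() == expected_md5.lower():
        return f"hash match ({actual}): {path}"
    return None  # the name exists but it is not the sample the page describes


def scan_system_dir(system_dir: str) -> List[str]:
    """Check every file indicator below the given %System% directory."""
    findings = []
    for rel, digest in WINNTI_FILES.items():
        hit = check_file(os.path.join(system_dir, *rel.split("/")), digest)
        if hit:
            findings.append(hit)
    return findings


def scan_reg_export(lines: Iterable[str]) -> List[str]:
    """Walk a .reg-style export ('[key]' headers, then "name"="value" lines)
    and report Winnti service keys and the HTMLHelp "data" value."""
    findings = []
    current_key = ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            parent, _, name = current_key.rpartition("\\")
            if parent.lower().endswith(r"\currentcontrolset\services") and name.lower() in WINNTI_SERVICES:
                findings.append(f"service key: {current_key}")
        elif line.startswith('"') and "=" in line and current_key.lower() == WINNTI_REG_KEY.lower():
            name, _, value = line.partition("=")
            value = value.strip('"')
            if name.strip('"').lower() == WINNTI_REG_VALUE_NAME:
                findings.append(f"HTMLHelp data value present: {value}")
    return findings


# Constructed registry export for offline demonstration (not data from a real host).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp1itter]
"ImagePath"="\\SystemRoot\\system32\\drivers\\sp1itter.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
"data"="CONSTRUCTED-RANDOM-LOOKING-VALUE"
""".splitlines()


def run_demo() -> List[str]:
    """Scan a throwaway %System% look-alike: winmm.dll with placeholder bytes
    (name-only hit) and apphelp.dll whose bytes do not hash to the page's MD5 (no hit)."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "drivers"))
        for name in ("winmm.dll", "apphelp.dll"):
            with open(os.path.join(base, name), "wb") as fh:
                fh.write(b"constructed placeholder, not the real file\n")
        return [f.replace(base, "%System%") for f in scan_system_dir(base)]


if __name__ == "__main__":
    # On a Windows host use scan_system_dir(os.path.join(os.environ["SystemRoot"], "System32"))
    # and feed scan_reg_export() the lines of an exported .reg file instead of the sample.
    for finding in run_demo() + scan_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

The demo reports only a name-match lead for winmm.dll (apphelp.dll is present but its hash differs from the page's MD5, so it is not reported) plus the sp1itter service key and the HTMLHelp "data" value from the constructed export; that split between weak and strong findings is the point of the exercise.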


Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their PC with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your PC. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
