Win32/TrojanDownloader.Wigon.BL

Aliases: Trojan-Downloader.Win32.Small.jcd (Kaspersky), Trojan Horse (Symantec), Generic Dropper.ez (McAfee)
Type of infiltration: Trojan
Size: 10238 B
Affected platforms: Microsoft Windows
Signature database version: 3762 (20090113)

Short description

The trojan tries to download several files from the Internet. The files are then executed.

Installation

When executed, the trojan copies itself into the following location:
  • %userprofile%\%username%.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "%username%" = "%userprofile%\%username%.exe /i"

Other information

The trojan contains a list of URLs. It tries to download several files from these addresses using the HTTP protocol.

The downloaded files are stored in the following location:
  • %temp%\bn%variable%.tmp
A string with variable content is used instead of %variable%.

The downloaded files contain encrypted executables. After decryption, the trojan runs these files.

The trojan creates and runs a new thread with its own program code within the following processes:
  • %system%\svchost.exe
The trojan runs the following command:
  • netsh firewall set allowedprogram "%userprofile%\%username%.exe" ENABLE
This command creates an exception in the Windows Firewall.
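
The host artifacts described above (the Run entry named after the user, the netsh firewall exception and the bn*.tmp staging files) can be checked together during triage. The following is an added example, not part of the original description; the function name, the input layout and the sample values for a user "alice" are assumptions constructed for illustration.

```python
import ntpath
import re

def _norm(path):
    """Lower-case and strip quotes so Windows paths compare reliably."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def check_host(username, userprofile, run_values, command_lines, temp_files):
    """Return the indicators from the description that are present on a host.

    run_values    -- {value name: data} from HKCU\\...\\CurrentVersion\\Run
    command_lines -- process command lines recorded on the host
    temp_files    -- file names found in %temp%
    """
    dropped = _norm(ntpath.join(userprofile, username + ".exe"))
    findings = []

    # Persistence: value named after the user, pointing at the copy with "/i".
    for name, data in run_values.items():
        m = re.fullmatch(r'\s*"?(.+?\.exe)"?\s+/i\s*', data, re.IGNORECASE)
        if name.lower() == username.lower() and m and _norm(m.group(1)) == dropped:
            findings.append("run_key")

    # Firewall exception created through netsh for the same path.
    fw = re.compile(r'netsh\s+firewall\s+set\s+allowedprogram\s+"?(.+?\.exe)"?\s+enable',
                    re.IGNORECASE)
    for cmd in command_lines:
        m = fw.search(cmd)
        if m and _norm(m.group(1)) == dropped:
            findings.append("firewall_exception")

    # Staging files bn<variable>.tmp; a weak indicator on its own
    # (assumes the variable part is non-empty).
    if any(re.fullmatch(r"bn.+\.tmp", f, re.IGNORECASE) for f in temp_files):
        findings.append("temp_staging")
    return findings

# Constructed sample artifacts for a user "alice" (not taken from a real host).
PROFILE = r"C:\Documents and Settings\alice"
SAMPLE_RUN = {"alice": PROFILE + r"\alice.exe /i",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_CMDS = ['netsh firewall set allowedprogram "' + PROFILE + r'\alice.exe" ENABLE']
SAMPLE_TEMP = ["bn3F.tmp", "setup.log"]

if __name__ == "__main__":
    print(check_host("alice", PROFILE, SAMPLE_RUN, SAMPLE_CMDS, SAMPLE_TEMP))
```

The Run entry and the firewall exception are tied to the exact %userprofile%\%username%.exe path, so they are the stronger signals; the temp-file pattern should only be treated as supporting evidence.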