Threat Encyclopaedia

Win32/Wigon.NI

Aliases: Trojan-Ransom.Win32.DigiPog.ep (Kaspersky), TrojanDownloader:Win32/Cutwail.gen!C (Microsoft), PWS-Zbot.gen.ak (McAfee)
Type of infiltration: Trojan
Size: 29184 B
Affected platforms: Microsoft Windows
Signature database version: 4912 (20100303)

Short description

Win32/Wigon.NI is a trojan that installs Win32/Wigon.KQ malware.

Installation

The trojan copies itself to the following locations:
  • %windir%\system32\reader_s.exe
  • %userprofile%\reader_s.exe
The files are then executed.

In order to be executed on every system start, the trojan modifies the following Registry keys:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "reader_s" = "%windir%\system32\reader_s.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "reader_s" = "%userprofile%\reader_s.exe"

Other information

The trojan creates and runs a new thread with its own program code within the following processes:
  • %system%\svchost.exe
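
The file copies and Run values listed under Installation can be checked on a host with the PowerShell below. It is an added example, not part of the original description or any vendor tooling; the function name Test-WigonArtifacts is hypothetical, and the paths, value name and size are the ones given above.

```powershell
# Added example: looks for the reader_s.exe copies and Run values described above.
# Indicator values come from this description; the function name is hypothetical.
$ValueName    = 'reader_s'
$ExpectedSize = 29184   # bytes, from the "Size" field of this entry

$Indicators = @(
    @{ Key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
       File = '%windir%\system32\reader_s.exe' },
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       File = '%userprofile%\reader_s.exe' }
)

function Test-WigonArtifacts {
    foreach ($i in $Indicators) {
        # Resolve %windir% / %userprofile% for the account running the check.
        $path = [Environment]::ExpandEnvironmentVariables($i.File)

        # A missing key or value leaves $runData as $null instead of throwing.
        $prop    = Get-ItemProperty -Path $i.Key -Name $ValueName -ErrorAction SilentlyContinue
        $runData = if ($prop) { $prop.$ValueName } else { $null }

        # -Force so a hidden or system-flagged file is still found.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $hash = if ($file) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }

        [pscustomobject]@{
            RunKey      = $i.Key
            RunValue    = $runData
            RunPresent  = [bool]$runData
            FilePath    = $path
            FilePresent = [bool]$file
            # A size match is only a hint; an unrelated file can share the size.
            SizeMatches = [bool]($file -and $file.Length -eq $ExpectedSize)
            Sha256      = $hash   # for lookup or sample submission
        }
    }
}

$results = @(Test-WigonArtifacts)
$results | Format-List

if ($results | Where-Object { $_.RunPresent -or $_.FilePresent }) {
    Write-Warning 'reader_s artifacts found: isolate the host and run a full scan.'
} else {
    Write-Output 'No reader_s Run values or files found for this account.'
}
```

HKCU and %userprofile% resolve for the account running the script, so repeat the check under each user profile of interest.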