Virus:Win32/Slugin.A!dll

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jun 01, 2010

Aliases
  • Win-Trojan/Slugin.110592 (AhnLab)
  • W32/Slugin.A (Command)
  • W32/Slugin.drop (Avira)
  • Win32/Slugin.A (CA)
  • Trojan.PWS.MSNPass.75 (Dr.Web)
  • W32/Wplugin.dll (McAfee)
  • W32/Wplugin.A.drp (Panda)
  • Trojan.Win32.Nodef.dri (Rising AV)
  • W32/Slugin-A (Sophos)
  • Trojan.Win32.Slugin.a!dll (Sunbelt Software)
  • W32.Slugin.A (Symantec)
  • PE_WPLUG.A-O (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.127.131.0
Released: May 17, 2012
Detection initially created:
Definition: 1.45.1132.0
Released: Oct 27, 2008

Summary

Virus:Win32/Slugin.A!dll is the DLL component of Virus:Win32/Slugin.A. It contains the infection routine for the virus.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <windir>\wplugin.dll
    <windir>\ws2help.dll
    %ProgramFiles%\Messenger\ws2help.dll

Technical Information (Analysis)

Virus:Win32/Slugin.A!dll is the DLL component of Virus:Win32/Slugin.A. It contains the infection routine for the virus.
Installation
Virus:Win32/Slugin.A!dll may be created by Virus:Win32/Slugin.A as the following files:
  • <windir>\wplugin.dll
  • <windir>\ws2help.dll
  • %ProgramFiles%\Messenger\ws2help.dll
Spreads via...
File infection
Virus:Win32/Slugin.A!dll looks for EXE files to infect on all fixed, removable, and remote drives. It overwrites the 434 bytes at the entry point of the target file with its own code. The original 434 bytes, a copy of the malicious DLL, and other virus data are then appended to the target file.
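As an added example (not part of Microsoft's analysis), the following Python script fingerprints exactly the two traces the infection routine above leaves in a PE file: the 434 bytes at the entry point, and data appended beyond the last section (the overlay). It parses PE headers with the standard library only; build_sample_pe constructs a minimal fixture so the check runs offline, and every function name here is this example's own, not a real tool's API.

```python
import hashlib
import struct

PATCH_LEN = 434  # bytes the infection routine overwrites at the target's entry point (from the analysis)

def locate_entry_point(data):
    """Map AddressOfEntryPoint to a file offset; also return where section raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]  # optional header + 16
    sect = pe + 24 + opt_size
    ep_off, data_end = None, 0
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            ep_off = rptr + (entry_rva - vaddr)
        data_end = max(data_end, rptr + rsize)
    if ep_off is None:
        raise ValueError("entry point lies outside every section")
    return ep_off, data_end

def fingerprint(data):
    """SHA-256 of the first PATCH_LEN bytes at the entry point, plus the overlay size."""
    ep_off, data_end = locate_entry_point(data)
    return {"entry_sha256": hashlib.sha256(data[ep_off:ep_off + PATCH_LEN]).hexdigest(),
            "overlay_bytes": max(0, len(data) - data_end)}

def check_against_baseline(data, baseline):
    """Report the two traces the infection leaves: patched entry code and a grown overlay."""
    cur, findings = fingerprint(data), []
    if cur["entry_sha256"] != baseline["entry_sha256"]:
        findings.append("entry-point code differs from baseline")
    if cur["overlay_bytes"] > baseline["overlay_bytes"]:
        findings.append("data appended after last section: %d bytes" % cur["overlay_bytes"])
    return findings

def build_sample_pe(code):
    """Constructed minimal PE32 with one .text section: a test fixture, not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * 204
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    head = dos + coff + opt + sect
    return head + b"\0" * (0x200 - len(head)) + code
```

Baselines taken from a known-clean image (for example, at deployment time) make a later mismatch on either trace a reason to submit the file for a full scan.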
Payload
Sends infection notification
Virus:Win32/Slugin.A!dll sends an e-mail message to a remote attacker containing information about the infection. The message is sent via the following mail servers:
  • mx1.hotmail.com
  • mx2.hotmail.com

The message is sent to the address "cvmb@hotmail.com" from the address "sv003@yahoo.com".

Allows limited backdoor access and control
Virus:Win32/Slugin.A!dll opens port 10100 on the infected computer. Through Web pages generated by this backdoor, the attacker can perform the following actions on the computer:
  • Transfer files to and from the computer
  • Kill services
  • Change services settings

Analysis by Jaime Wong

Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
