Virus:Win32/Slugin.A


Microsoft security software detects and removes this threat. 

This threat can install other malware, including Virus:Win32/Slugin.A!dll, which can give a malicious hacker access to your PC.

It can spread through network or removable drives, such as USB flash drives. It can also spread via infected email attachments. 



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Virus:Win32/Slugin.A tries to create the file "Wplugin.dll" in one of your computer's Application Data folders. It may also create a file named "explorer.exe.local" in the Windows folder.

It sends an email to the following addresses to notify them that your PC has been infected:

  • cvmb@hotmail.com
  • sv003@yahoo.com

It also creates the file "%LOCALAPPDATA%\Microsoft\Explorer\Win32Cfg.cfg", which contains virus configuration details.

Spreads via...

File infection

Virus:Win32/Slugin.A infects all .EXE and .DLL files in all available drives, including removable drives.

It may display the following message box if it tries to infect a file in, for example, drive A:

Payload

Creates other malware

Virus:Win32/Slugin.A creates the following .DLL components in your computer:

These files are detected as Virus:Win32/Slugin.A!dll.

Allows backdoor access and control

Virus:Win32/Slugin.A opens multiple TCP ports between 10100 and 10300 to listen for commands from a remote attacker. These commands include, but are not limited to, the following:

  • Uploading and downloading files
  • Starting or stopping system services
  • Sending spam messages

Your computer may display the following message box, as this virus tries to allow a remote attacker to connect and listen in on your computer:


Steals PC information

Virus:Win32/Slugin.A can send an email to the address "cvbm@hotmail.com", containing information about your PC, such as your network configuration. The email is sent from the address "sv003@yahoo.com" and has the subject "workshop".

Analysis by Patrik Vicol and Jim Wang


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %windir%\explorer.exe.local
     
  • The display of the following messages:

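The indicators this entry lists (explorer.exe.local in the Windows folder, Win32Cfg.cfg, Wplugin.dll, and TCP listeners between 10100 and 10300) can be checked against triage output collected from a PC. The Python below is an added example, not Microsoft's own tooling: it takes `netstat -ano` text and a file listing as input, and the function names, the sample data and the directory names treated as "Application Data folders" are assumptions.

```python
import re

# Indicators stated on this page.
PORT_RANGE = range(10100, 10301)  # TCP listeners "between 10100 and 10300"
FILE_INDICATORS = (r"%windir%\explorer.exe.local",
                   r"%LOCALAPPDATA%\Microsoft\Explorer\Win32Cfg.cfg")
DLL_NAME = "wplugin.dll"
# Assumption: "Application Data folders" means these directory names.
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\")

# Constructed sample input, not taken from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:10112          0.0.0.0:0              LISTENING       1532
  TCP    [::]:10250             [::]:0                 LISTENING       1532
  TCP    10.0.0.5:49712         10.0.0.9:10200         ESTABLISHED     2210
  UDP    0.0.0.0:10150          *:*                                    1532
"""
SAMPLE_PATHS = [r"C:\WINDOWS\explorer.exe.local",
                r"C:\Users\alice\AppData\Local\Microsoft\Explorer\Win32Cfg.cfg",
                r"C:\Users\alice\AppData\Roaming\Wplugin.dll",
                r"C:\Tools\wplugin.dll"]
SAMPLE_ENV = {"windir": r"C:\Windows", "LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}

def listeners_in_range(netstat_text):
    """Return sorted (port, pid) pairs for TCP listeners in PORT_RANGE."""
    hits = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        port = f[1].rsplit(":", 1)[-1]  # handles 0.0.0.0:N and [::]:N
        if port.isdigit() and f[4].isdigit() and int(port) in PORT_RANGE:
            hits.add((int(port), int(f[4])))
    return sorted(hits)

def file_hits(paths, env):
    """Return listed paths that match the file indicators, ignoring case."""
    env = {k.lower(): v for k, v in env.items()}
    exact = {re.sub(r"%(\w+)%", lambda m: env[m.group(1).lower()], p).lower()
             for p in FILE_INDICATORS}
    def is_hit(low):
        dropped = low.endswith("\\" + DLL_NAME) and any(m in low for m in APPDATA_MARKERS)
        return low in exact or dropped
    return [p.strip() for p in paths if is_hit(p.strip().lower())]

if __name__ == "__main__":
    print(listeners_in_range(SAMPLE_NETSTAT), file_hits(SAMPLE_PATHS, SAMPLE_ENV))
```

Treat hits as leads for a full scan rather than a verdict: other software can listen on ports in this range, so use the reported PID to identify the owning process.
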
Prevention


Alert level: Severe
First detected by definition: 1.45.1132.0
Latest detected by definition: 1.185.144.0 and higher
First detected on: Oct 27, 2008
This entry was first published on: Aug 23, 2009
This entry was updated on: Oct 12, 2014

This threat is also detected as:
  • Win32/Slugin.A (CA)
  • Trojan.Win32.Patched.dj (Kaspersky)
  • W32/Slugin-A (Sophos)
  • Win32/Slugin.A (AVG)
  • Win32.Slugin.A (BitDefender)
  • W32/Wplugin (McAfee)
  • W32/Wplugin.A (Panda)