TrojanDownloader:Win32/Wixud.gen!A is a trojan that downloads and executes arbitrary files and makes a number of modifications to an affected user's system settings.
Installation
When TrojanDownloader:Win32/Wixud.gen!A is executed, it checks for the following conditions:
- the year is greater than 2007, or
- the month is greater than October, or
- the day is greater than 10.
If any of these conditions is true, it deletes itself using a batch file, "del.bat", which it creates in the current directory (the directory from which the Trojan was originally executed).
Otherwise, it continues to execute and perform its payload.
Payload
Modifies System Settings
TrojanDownloader:Win32/Wixud.gen!A disables animations, sounds and videos in web pages by making the following registry modifications:
Adds value with data: "Play_Animations" = "no"
Adds value with data: "Play_Background_Sounds" = "no"
Adds value with data: "Display Inline Videos" = "no"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
TrojanDownloader:Win32/Wixud.gen!A enables the "disable popup blocking" feature in Internet Explorer (IE) by adding the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1809 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1809 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1809 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1809 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1809 = 0
TrojanDownloader:Win32/Wixud.gen!A disables the "Information Bar" in IE by adding the following registry entry:
Adds value: WarnonZoneCrossing
With data: 0
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
It also disables the launching of applications and files in an IFRAME by modifying the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1804 from 0 to 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1804 from 1 to 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1804 from 0 to 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1804 from 1 to 3
Downloads and Executes Arbitrary Files
TrojanDownloader:Win32/Wixud.gen!A may connect to a remote site on the winxpupdate.info domain to download files, receive instructions to visit other malicious sites, or report statistics on how many systems the malware has infected.