by ?
The name "winker" is derived from "WinKernal"
Written in Visual C++
Released in November 2004
Made in China
Backdoor.Winker.q:

dropped files:
c:\WINDOWS\system32\handle.dat size: 64 bytes
c:\WINDOWS\system32\ieconfig.dat size: 384 bytes
c:\WINDOWS\system32\iekernal.dat size: 17.228 bytes
c:\WINDOWS\system32\msieknl2.dll size: 40.449 bytes
c:\WINDOWS\system32\msknl2.exe size: 114.690 bytes
c:\WINDOWS\system32\tmphtm.htm size: 6 bytes

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPublisher\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPublisher\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPublisher\CTLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs

tested on Windows XP

MegaSecurity