Home Malware Programs Backdoors Backdoor.Winnti


Posted: November 4, 2011

Threat Metric

Threat Level: 6/10
Infected PCs: 67
First Seen: November 4, 2011
OS(es) Affected: Windows

Winnti may refer to either Winnti malware, a nickname for a backdoor Trojan that is used in gaming company-targeted attacks, or Winnti, the group of criminals that is responsible for these attacks. Attacks linked to Winnti appear to be targeting both the source codes of gaming applications and related digital certificates. Winnti backdoor Trojans and related PC threats, like Trojan.Win32.KillWin.sp, may be protected by inaccurate digital signatures, and SpywareRemove.com malware researchers warn that Winnti Trojans are capable of granting criminals a high-level of access to, as well as control over, any infected PC. With dozens of gaming companies already compromised by Winnti attacks, the remainder of those yet unvictimized should exercise suitable PC security protocols and use anti-malware software whenever necessary to block and remove Winnti-related PC threats.

Winnti: the Professional Malware Campaign that Got to the Customers by Accident

Winnti malware like Trojan.Win32.KillWin.sp (a combination of spyware and hard drive wiper) is directed at the PCs of various gaming companies, with the distribution handled through a combination of website-based Flash exploits, as well as spyware-based attacks that compromise the login data of any easily-accessible computers. As a serious PC security footnote, SpywareRemove.com malware experts stress that the Winnti team – while energetic and willing to compromise large numbers of computers from a wide range of targets – also appear to be deterred by sufficiently robust security features that prevent their backdoor attacks from accessing related PCs easily.

In spite of preferring professional industry targets, the Winnti malware achieved especially widespread interest after Winnti accidentally attacked and infected the PCs of a gaming company's customer base (through a compromised update package). These customers were subjected to the Winnti attacks that are similar to those that target gaming company-owned computers:

  • Backdoor vulnerabilities that enable the Winnti team to control a computer directly, issuing commands, changing settings and opening/terminating programs at will.
  • The theft of your personal information, such as Windows login data, gaming application source codes and data related to digital certificates.

Countries around the world have been subjected to Winnti's attacks. SpywareRemove.com malware research team specifically notes the presence of South Korea, the United States, Germany and Brazil in Winnti's list of targets – all of which are populous countries with a significant presence in the online gaming industry.

Stopping Your Computer from Being the Next Link in the Chain of Winnti Infections

For both Windows 32-bit and 64-bit systems, backdoor Trojans associated with Winnti have a high usage rate of 'legitimate' digital signatures – which, in most cases, are revoked as soon as their exploitation has been identified. While such defenses may fool some PC users and very basic security software, appropriate anti-malware scanners still shouldn't have any problems in detecting Winnti-based PC threats.

Of course, deleting Winnti malware of any type always should use suitable anti-malware tools. If you're using a PC with a non-standard file system (such as a Mac), you may even be more interested than a normal Windows PC users in blocking possible Winnti infection vectors: SpywareRemove.com malware experts have confirmed that some PC threats linked to Winnti actually will wipe out any hard drive data based on non-Windows file structures. Flash vulnerabilities like Exploit.SWF.CVE-2013-0634.a usually are the initial origin of Winnti Trojans onto a network, but once a single computer on a network has been compromised, further attacks may use other means of compromised any associated systems.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Backdoor.Winnti may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

apphelp.dll File name: apphelp.dll
Size: 112.59 KB (112592 bytes)
MD5: 508f0af84d83e093bf6910dbab45421f
Detection count: 20
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: November 7, 2011
%System%\winmm.dll File name: %System%\winmm.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
%System%\drivers\ acplec.sys File name: %System%\drivers\ acplec.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file
%System%\drivers\ sp1itter.sys File name: %System%\drivers\ sp1itter.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\"data" = "[RANDOM CHARACTERS]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acplec HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp1itter

Related Posts