W32.Wergimog
W32.Wergimog is a worm that's used for the same general purposes of attack as backdoor Trojans and Trojan downloaders. Despite being identified in March of 2012, W32.Wergimog's attack methods are considered somewhat archaic, and W32.Wergimog should be easy to detect and remove with any type of tolerably competent anti-malware application. However, SpywareRemove.com malware researchers warn against taking a W32.Wergimog infection lightly, since W32.Wergimog can inject its code into Windows components, copy itself to multiple locations, create backdoor vulnerabilities, steal private information and even install other PC threats. Since W32.Wergimog may attempt to spread to other computers through worm-vulnerable access points (such as local networks and USB drive devices), you should consider avoiding contact with removable devices or other computers until you're certain that you've deleted W32.Wergimog.
W32.Wergimog – Riding Explorer.exe to Your PC's Ruination
W32.Wergimog's presence is just barely visible in the form of randomly-named files in your Windows and system folders, as well as in unusual memory usage from explorer.exe, into which W32.Wergimog injects its code to accomplish other attacks. Other than these minor changes, W32.Wergimog will not show significant symptoms of being on your PC, and SpywareRemove.com malware researchers always recommend that you use appropriate software to identify and remove mid-level threats like W32.Wergimog. Since W32.Wergimog may also infect any PC that accesses a shared removable hard drive or a local network, you should take care to have other computers avoid these means of indirect contact until you've confirmed whether or not a W32.Wergimog infection is present.
W32.Wergimog's presence also coincides with the creation of a backdoor vulnerability in your PC. Besides being used to control your PC, this backdoor can be used to download and install other PC threats or even update W32.Wergimog's behavior. SpywareRemove.com malware researchers stress that these risks make it imperative that you delete W32.Wergimog with suitable security software as soon as you notice W32.Wergimog on your PC, before W32.Wergimog has a chance to complicate the situation by adding other types of harmful software into the mix.
Why You'll Have to Anticipate Quite a Lot from W32.Wergimog
W32.Wergimog can vary its behavior due to instructions from its server, but standard W32.Wergimog attacks tend to focus on attacking your computer's security, exploiting your computer's resources for criminal purposes or stealing personal information. A typical W32.Wergimog roster of dangers can include:
- Theft of passwords and similar types of private information, although SpywareRemove.com malware researchers have found that W32.Wergimog often restricts itself to stealing from Mozilla Firefox and Filezilla.
- Botnet traffic-flooding attacks that use your PC resources to shut websites down.
- Loading URLs without permission.
- Downloading and launching other files, including PC threats.
- Creating copies of itself on removable drives; these copies are often named Autorun.exe and are concealed in a Recycler folder.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
- %DriveLetter%\autorun.inf (MIME type: unknown/inf)
- %DriveLetter%\RECYCLER\autorun.exe (file type: Executable File; MIME type: unknown/exe)
- %Windir%\service[RANDOM NUMBER].exe (MIME type: unknown/exe)
- %System%\service[RANDOM NUMBER].exe (file type: Executable File; MIME type: unknown/exe)
Registry Modifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Adobe Reader Speed Launcher" = "%System%\service[RANDOM NUMBER].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%Windir%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%Windir%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Adobe Reader Speed Launcher" = "%Windir%\service[RANDOM NUMBER].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%System%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%System%\service[RANDOM NUMBER].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\pPkzmsiesk\"ISkxnksnam" = "[RANDOM VALUE]"
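
The file and registry indicators listed above can be turned into a triage check over exported autorun entries and a removable-drive file listing. This is an added example, not code from SpywareRemove.com; it assumes [RANDOM NUMBER] is a run of decimal digits and that %Windir% and %System% expand to C:\Windows and C:\Windows\System32, and the function names and sample data are constructed for illustration.

```python
import re
from ntpath import basename, dirname, normcase, splitdrive

VALUE_NAME = "adobe reader speed launcher"   # value name listed on the page
PERSIST_KEYS = (                             # Run and Winlogon keys listed on the page
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
)
SERVICE_EXE = re.compile(r"^service\d+\.exe$")  # assumption: [RANDOM NUMBER] is decimal digits


def is_dropped_payload(data, windir=r"C:\Windows"):
    """True if data points at service<N>.exe directly in %Windir% or %System%."""
    path = normcase(data.strip('"'))
    parents = {normcase(windir), normcase(windir + r"\System32")}  # assumed expansions
    return dirname(path) in parents and bool(SERVICE_EXE.match(basename(path)))


def check_registry(entries, windir=r"C:\Windows"):
    """entries: (key_path, value_name, data) tuples. Returns the matching ones."""
    hits = []
    for key, name, data in entries:
        in_listed_key = key.lower().endswith(PERSIST_KEYS)
        # The value name alone is not enough: a real Adobe entry uses the same name.
        if in_listed_key and name.lower() == VALUE_NAME and is_dropped_payload(data, windir):
            hits.append((key, name, data))
    return hits


def infected_drives(paths):
    """Drives holding both root autorun.inf and RECYCLER\\autorun.exe."""
    seen = {}
    for p in paths:
        drive, rest = splitdrive(normcase(p))
        seen.setdefault(drive, set()).add(rest)
    wanted = {r"\autorun.inf", r"\recycler\autorun.exe"}
    return sorted(d for d, files in seen.items() if wanted <= files)


# Constructed sample data, not taken from a real host.
SAMPLE_REG = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "Adobe Reader Speed Launcher", r"C:\Windows\service4821.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader\Reader_sl.exe"'),
]
SAMPLE_FILES = [r"E:\autorun.inf", r"E:\RECYCLER\autorun.exe", r"F:\autorun.inf"]

if __name__ == "__main__":
    print(check_registry(SAMPLE_REG))
    print(infected_drives(SAMPLE_FILES))
```

A drive with only a root autorun.inf is not reported, since that file on its own is common on legitimate media; the check requires the pair the page lists.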