TROJ_DROPPER.VVE
Trojan.Win32.Generic!BT (Sunbelt)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
204,800 bytes
EXE
Yes
30 May 2012
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This Trojan registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaieSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyncSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyndSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyneSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyngSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyniSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyntSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyncSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyndSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyneSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyngSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyniSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakcSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakdSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakeSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakgSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakiSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaklSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaknSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaksSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaktSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalcSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaldSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaleSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalgSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaliSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaljSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WallSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaloSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaltSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaluSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WambSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamcSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamdSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WameSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamiSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WammSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WampSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WancSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WandSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaneSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WangSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaniSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WankSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WannSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WansSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WantSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaobSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaocSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaodSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoeSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaofSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaogSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaohSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoiSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaojSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaokSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaolSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaomSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaonSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaooSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaopSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaorSvc
Other System Modifications
This Trojan deletes the following files:
- %Windows%\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.184.42718
- %Windows%\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.184.42734
- %User Profile%\v2.0.50727.42\security.config.cch.184.42859
- %System Root%\Tcpz-x86.sys
- %Windows%\SoftwareDistribution\DataStore\Logs\edbtmp.log
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
Service1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\lib32waos
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\lib32waos\
DEBUG
HKEY_LOCAL_MACHINE\Software\Description\
Microsoft\Rpc\UuidTemporaryData
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WaosSvc
Description = "{random characters}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WaosSvc
FailureActions = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
Service1
EventMessageFile = "%Windows%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Description\
Microsoft\Rpc\UuidTemporaryData
NetworkAddress = "{random values}"
HKEY_LOCAL_MACHINE\SOFTWARE\Description\
Microsoft\Rpc\UuidTemporaryData
NetworkAddressLocal = "0"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application
Sources = "{random characters}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
EventMessageFile = "%System%\ESENT.dll"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryMessageFile = "%System%\ESENT.dll"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryCount = "1"
(Note: The default value data of the said registry entry is 10.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
TypesSupported = "7"
(Note: The default value data of the said registry entry is 7.)
Dropping Routine
This Trojan drops the following files:
- mrwyAFH.exe
- lnquxEK.exe
Other Details
This Trojan deletes itself after execution.
This report is generated via an automated analysis system.
SOLUTION
9.200
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Restart in Safe Mode
Step 3
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaieSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyncSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyndSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyneSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyngSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyniSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynsSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyntSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyncSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyndSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyneSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyngSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyniSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakcSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakdSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakeSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakgSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakiSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaklSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaknSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaksSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaktSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalcSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaldSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaleSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalgSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaliSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaljSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WallSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaloSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalsSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaltSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaluSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WambSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamcSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamdSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WameSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamiSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WammSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WampSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamsSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamtSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WancSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WandSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaneSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WangSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaniSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WankSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WannSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WansSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WantSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaobSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaocSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaodSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoeSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaofSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaogSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaohSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoiSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaojSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaokSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaolSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaomSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaonSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaooSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaopSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaorSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application
- Service1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process
- lib32waos
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lib32waos
- DEBUG
- In HKEY_LOCAL_MACHINE\Software\Description\Microsoft\Rpc
- UuidTemporaryData
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WaosSvc
- Description = "{random characters}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WaosSvc
- FailureActions = "{random values}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Service1
- EventMessageFile = "%Windows%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
- NetworkAddress = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
- NetworkAddressLocal = "0"
Step 5
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application
- From: Sources = "{random characters}"
To: Sources = ""{random values}""
- From: Sources = "{random characters}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: EventMessageFile = "%System%\ESENT.dll"
To: EventMessageFile = ""{random values}""
- From: EventMessageFile = "%System%\ESENT.dll"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: CategoryMessageFile = "%System%\ESENT.dll"
To: CategoryMessageFile = ""{random values}""
- From: CategoryMessageFile = "%System%\ESENT.dll"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: CategoryCount = "1"
To: CategoryCount = ""10""
- From: CategoryCount = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: TypesSupported = "7"
To: TypesSupported = ""7""
- From: TypesSupported = "7"
Step 6
Search and delete these files
- mrwyAFH.exe
- lnquxEK.exe
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_DROPPER.VVE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 8
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
- %Windows%\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.184.42718
- %Windows%\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.184.42734
- %User Profile%\v2.0.50727.42\security.config.cch.184.42859
- %System Root%\Tcpz-x86.sys
- %Windows%\SoftwareDistribution\DataStore\Logs\edbtmp.log
Did this description help? Tell us how we did.