TROJ_WMIGHOST.A

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

A Trojan horse program is malware that cannot spread to other systems on its own. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or perform other malicious actions that range from the mildly annoying to the irreparably destructive. They may also modify system settings so that they start automatically. Restoring affected systems may require procedures beyond scanning with an antivirus program.


Description created: May 18, 2010 4:17:14 AM GMT -0800


TECHNICAL DETAILS


File type: Script

Memory resident:  Yes

Size of malware: Varies

Initial samples received on: May 18, 2010

Details:

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

TROJ_WMIGHOST.A is the Trend Micro detection for a malicious WMI (Windows Management Instrumentation) script.

TROJ_WMIGHOST.A is bundled with the following malware, which it needs in order to fully perform its malicious routine:

  • BKDR_HTTBOT.EA

TROJ_WMIGHOST.A collects files with the following extensions:

  • txt
  • rtf
  • doc
  • pdf
  • docx
  • xls
  • xlsx
  • ppt
  • pptx

The collected files are saved in the following folder:

  • %Windows%\temp\syslog\p

This malware compresses the collected files in CAB format before sending them via HTTP POST to the following server:

  • http://abhisheksingh.blog.com/feed/

Backdoor Capabilities

It connects to the following Web site to receive commands and send command results:

  • http://{BLOCKED}5.blog.com/feed/

Read more about this threat incident in the Malware Blog entry "Windows WMI Abused for Malware Operations"

Analysis By: Romeo dela Cruz


SOLUTION


Minimum scan engine version needed: 8.900


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Step 1: AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, use Trend Micro's special fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.

Step 2: MANUAL REMOVAL INSTRUCTIONS

 

Remove malware files related to TROJ_WMIGHOST.A  

    BKDR_HTTBOT.EA

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
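The following PowerShell script is an added example for responders; it is not Trend Micro's fixtool and not part of this entry. It hunts for the indicators given in the technical details above (the %Windows%\temp\syslog\p staging folder and the blog.com/feed command-and-control path) and, with -Remove, performs the manual removal step for the WMI side of the infection. It assumes, which this page does not state, that the malicious script is persisted as a permanent WMI event subscription (an __EventFilter bound to an ActiveScriptEventConsumer or CommandLineEventConsumer in root\subscription); the indicator strings and verdict labels are the example's own. Run it from an elevated PowerShell 3+ prompt.

```powershell
<#
  Added example, not Trend Micro's fixtool: hunts for the indicators this entry lists
  and, with -Remove, deletes matching permanent WMI event subscriptions.
  Assumption (not stated on the page): the script is persisted as a permanent WMI
  event subscription (filter + consumer + binding) under root\subscription.
  Run from an elevated PowerShell prompt (PowerShell 3+, CIM cmdlets).
#>
param([switch]$Remove)

$StagingDir    = Join-Path $env:windir 'temp\syslog\p'    # %Windows%\temp\syslog\p from the page
$Indicators    = @('blog.com/feed', 'syslog\p')            # C2 path and staging folder fragments (page)
$CodeConsumers = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')  # consumers that run code

function Resolve-Ref($ref) {
    # Binding properties Filter/Consumer are references; the CIM cmdlets return them as
    # CimInstance objects keyed by Name. Fall back to parsing a WMI path string.
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) {
        return @{ Class = $ref.CimSystemProperties.ClassName; Name = $ref.Name }
    }
    if ("$ref" -match '^(?<c>\w+)\.Name="(?<n>.*)"$') { return @{ Class = $Matches.c; Name = $Matches.n } }
    return @{ Class = 'unknown'; Name = "$ref" }
}

function Get-SubObject($class, $name) {
    $escaped = $name -replace "'", "''"   # WQL string-literal escaping
    Get-CimInstance -Namespace root/subscription -ClassName $class -Filter "Name='$escaped'" -ErrorAction SilentlyContinue
}

function Test-Indicator($text) {
    foreach ($i in $Indicators) {
        if ($text -and $text.IndexOf($i, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Walk every filter-to-consumer binding and inspect what it would execute.
$findings = @()
$bindings = Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
foreach ($b in $bindings) {
    $f = Resolve-Ref $b.Filter
    $c = Resolve-Ref $b.Consumer
    $filter   = Get-SubObject '__EventFilter' $f.Name
    $consumer = Get-SubObject $c.Class $c.Name
    # Text the consumer would run: script body or command line, whichever the class carries.
    $payload = @($consumer.ScriptText, $consumer.ScriptFileName,
                 $consumer.CommandLineTemplate, $consumer.ExecutablePath) -join ' '
    $verdict = 'info'
    if ($CodeConsumers -contains $c.Class) { $verdict = 'REVIEW' }   # runs code when an event fires
    if (Test-Indicator $payload)           { $verdict = 'MATCH'  }   # contains this entry's indicators
    $findings += [pscustomobject]@{
        Verdict     = $verdict
        Filter      = $f.Name
        Query       = $filter.Query
        Consumer    = "$($c.Class)/$($c.Name)"
        Payload     = $payload.Trim()
        Binding     = $b
        FilterObj   = $filter
        ConsumerObj = $consumer
    }
}
$findings | Format-Table Verdict, Filter, Consumer, Query -AutoSize

# 2. Staging folder: collected documents and CAB archives waiting for upload.
if (Test-Path $StagingDir) {
    Write-Warning "Staging folder present: $StagingDir"
    Get-ChildItem $StagingDir -Recurse -File | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "No staging folder at $StagingDir"
}

# 3. Optional cleanup: remove only MATCH subscriptions, binding first so WMI never
#    holds a dangling reference. REVIEW items are left for the analyst, and staged
#    files are left in place as evidence of what was collected.
if ($Remove) {
    foreach ($m in $findings | Where-Object Verdict -eq 'MATCH') {
        Write-Host "Removing subscription: filter '$($m.Filter)' -> $($m.Consumer)"
        $m.Binding     | Remove-CimInstance
        $m.ConsumerObj | Remove-CimInstance
        $m.FilterObj   | Remove-CimInstance
    }
}
```

Run it once without -Remove and read the REVIEW rows before deleting anything: any ActiveScriptEventConsumer or CommandLineEventConsumer binding deserves a look, but only those whose script text or command line carries the indicators from this entry are removed automatically. The staging folder is reported rather than deleted because its contents show which documents were collected. After cleanup, run the usual full scan to pick up the BKDR_HTTBOT.EA component.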



