home

setup_wdg.exe

winsys

The application setup_wdg.exe by winsys has been detected as adware by 17 anti-malware scanners. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot. It is also typically executed from the user's temporary directory.
Publisher:
winsys  (signed and verified)

MD5:
06abd694f5a55a5b15ea92f693fb553d

SHA-1:
568fb8e6ce09c24e58d0950da35b6865d56f5f74

SHA-256:
c8d192f5c86b6660d75132e567fe8114f6c05334a0b81eb39a709a51bb14c89c

Scanner detections:
17 / 68

Status:
Adware

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
4/19/2024 4:25:04 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Adware-gen [Adw]
2014.9-150525

Baidu Antivirus
Adware.Win32.KeywordFind
4.0.3.15525

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
ApplicUnwnt
22026

ESET NOD32
Win32/AdWare.KeywordFind (variant)
9.11588

Fortinet FortiGate
Riskware/KeywordFind
5/25/2015

F-Prot
W32/Themida_Packed
v6.4.7.1.166

G Data
Win32.Application.Agent.8FG6EG
15.5.25

K7 AntiVirus
Adware
13.203.15829

McAfee
Artemis!06ABD694F5A5
5600.6754

Qihoo 360 Security
HEUR/QVM19.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.winsys
15.5.25.13

Sophos
Generic PUA FG
4.98

Trend Micro House Call
TROJ_GEN.R047C0EBO15
7.2.145

Trend Micro
TROJ_GEN.R047C0EBO15
10.465.25

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
40018

File size:
917.5 KB (939,568 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup_wdg.exe

Digital Signature
Signed by:
winsys

Authority:
Thawte, Inc.

Valid from:
9/4/2013 9:00:00 AM

Valid to:
9/5/2015 8:59:59 AM

Subject:
CN=winsys, OU=Dev. Team, O=winsys, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
53E706A67C7D616DD8A05245E798A712

File PE Metadata
Compilation timestamp:
6/20/1992 7:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:XHqHgrj+newGwxkyVp9q7n8C9/+JNd1sJoqR8/0a9KxIgotDN:XHqwinewqMp9q7z9/ud1//pTf

Entry address:
0x208000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 40, 0A, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 94, 77, 53, 20, 68, CE, 3C, 6B, 47, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.9181  (probably packed)

Code size:
478.5 KB (489,984 bytes)

Remove setup_wdg.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.