The file WINSIT.EXE is identified as a virus dropper.
The dropper WINSIT.EXE is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.
The file WINSIT.EXE loads into the computer memory and tries to connect to the dangerous web site.
Usually the WINSIT.EXE dropper does not infect the files on the computer and does not replicate itself on other computers.
Kill the WINSIT.EXE process and delete the file WINSIT.EXE.
Malware Analysis of WINSIT.EXE
Full path on a computer: %SysDir%\WinSit.exe
Detected by UnHackMe:
Item Name: shell
Author: Unknown
Related File: Explorer.exe %SysDir%\WinSit.exe
Type: System.ini
Item Name: dc2k5
Author: Unknown
Related File: %WinDir%\SVIQ.EXE
Type: Registry Run
Item Name: Fun
Author: Unknown
Related File: %WinDir%\SYSTEM\FUN.EXE
Type: Registry Run
Item Name: dc
Author: Unknown
Related File: %WinDir%\DC.EXE
Type: Registry Run
Item Name: load
Author: Unknown
Related File: %WinDir%\inf\Other.exe
Type: Win.ini
Item Name: run
Author: Unknown
Related File: %SysDir%\config\Win.exe
Type: Win.ini
Item Name: Fun.exe
Author: Unknown
Related File: %WinDir%\SYSTEM\FUN.EXE
Type: Running Processes
Item Name: SVIQ.EXE
Author: Unknown
Related File: %WinDir%\SVIQ.EXE
Type: Running Processes
Item Name: dc.exe
Author: Unknown
Related File: %WinDir%\DC.EXE
Type: Running Processes
Item Name: DC.EXE
Author: Unknown
Related File: %WinDir%\DC.EXE
Type: Multi AV Detected Files
Item Name: FUN.EXE
Author: Unknown
Related File: %WinDir%\SYSTEM\FUN.EXE
Type: Multi AV Detected Files
Item Name: OTHER.EXE
Author: Unknown
Related File: %WinDir%\INF\OTHER.EXE
Type: Multi AV Detected Files
Item Name: WIN.EXE
Author: Unknown
Related File: %SYSDIR%\CONFIG\WIN.EXE
Type: Multi AV Detected Files
Item Name: WINSIT.EXE
Author: Unknown
Related File: %SYSDIR%\WINSIT.EXE
Type: Multi AV Detected Files
Removal Results: Success
Number of reboot: 1
WINSIT.EXE is known as:
Trojan.Yalove, Lurka.B, Win32:Sality, TrojWare.Agent.coar, HLLW.Dunduck, Virus.Sality.atbh (v), WORM_IMAUT.SME, Mal.VB-OE, Virut.nf.53248, Worm.VB.CB, Trojan.A.Agent.323584.EI, SScope.Trojan.VBRA.5235, Malware.Yalove, a variant of Win32.VB.NZK, Worm.Agent.auc, IM-Worm.VB, W32.Sality.BH, I-Worm.Brontok.AA, W32.VB.AFT.worm
WINSIT.EXE hash:
- MD5: a364641099a7384c724b4e97ac11cdb0
Registry:- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5: “%WinDir%\SVIQ.EXE”
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Fun: “%WinDir%\system\Fun.exe”
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dc: “%WinDir%\dc.exe”
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe %SysDir%\WinSit.exe”
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: “%WinDir%\inf\Other.exe”
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run: “%SysDir%\config\Win.exe”
Files:- %Temp%\~DFC430.tmp
- %Temp%\~DFC43F.tmp
- %Temp%\~DFC7C9.tmp
- %Temp%\~DFDA16.tmp
- %Temp%\~DFED1E.tmp
- %Temp%\~DFF46.tmp
- %WinDir%\Help\Other.exe
- %WinDir%\inf\Other.exe
- %WinDir%\system\Fun.exe
- %SysDir%\WinSit.exe
- %WinDir%\dc.exe
- %WinDir%\SVIQ.EXE
- %WinDir%\wininit.ini