Threat Encyclopedia
W32/Winshow!tr
Analysis
- Trojan is 32 bit with varied sizes, and exists as a .DLL file
- Trojan acts as a proxy application, delivering web content to a compromised system
- Trojan may periodically attempt to connect to the web address '00hq.com' as a means of updating itself
- Trojan may have been introduced to the system from a malicious web page that creates a downloader Trojan, and this downloader retrieves the proxy Trojan
- The registry is modified to auto run the Trojan files at Windows startup -
HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\InprocServer32\
"(Default)" = [Document Folder]\[User]\Application Data\winshow\winshow.dll
"ThreadingModel" = Apartment

HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\InprocServer32\
"(Default)" = [Document Folder]\[User]\Application Data\winlink\winlink.dll
"ThreadingModel" = Apartment
- The Trojan makes additional registry adjustments related to the operation of the Trojan -
HKEY_CURRENT_USER\Software\WinShow\WinShow\
"ConfigVersion" = 00, 00, 00, 00
"Counter" = 00, 00, 00, 00
"DictVersion" = 00, 00, 00, 00
"LastDay" = 00, 00, 00, 00
"LastHPDay" = 00, 00, 00, 00
"LastUpdate" = 00, 00, 00, 00
"ModuleVersion" = 00, 00, 00, 00
"UpdateHour" = 00, 00, 00, 00

HKEY_CURRENT_USER\Software\WinShow\WinShow\Save\URLSearchHooks\
"{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}" = [data]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = [data]

HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\
"(Default)" = ViewSource Class

HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\ProgID\
"(Default)" = WinShow.ViewSource.1

HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\TypeLib\
"(Default)" = {2C671705-77A7-4592-A484-545087ED9EE8}

HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\VersionIndependentProgID\
"(Default)" = WinShow.ViewSource

HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\
"(Default)" = ViewSource Class

HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\ProgID\
"(Default)" = winlink.ViewSource.1

HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\TypeLib\
"(Default)" = {2C671705-77A7-4592-A484-545087ED9EE8}

HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\VersionIndependentProgID\
"(Default)" = winlink.ViewSource

HKEY_CLASSES_ROOT\winlink.ViewSource\
"(Default)" = ViewSource Class

HKEY_CLASSES_ROOT\winlink.ViewSource\CLSID\
"(Default)" = {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}

HKEY_CLASSES_ROOT\winlink.ViewSource\CurVer\
"(Default)" = winlink.ViewSource.1

HKEY_CLASSES_ROOT\winlink.ViewSource.1\
"(Default)" = ViewSource Class

HKEY_CLASSES_ROOT\winlink.ViewSource.1\CLSID\
"(Default)" = {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}

HKEY_CLASSES_ROOT\WinShow.ViewSource\
"(Default)" = ViewSource Class

HKEY_CLASSES_ROOT\WinShow.ViewSource\CLSID\
"(Default)" = {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}

HKEY_CLASSES_ROOT\WinShow.ViewSource\CurVer\
"(Default)" = WinShow.ViewSource.1

HKEY_CLASSES_ROOT\WinShow.ViewSource.1\
"(Default)" = ViewSource Class

HKEY_CLASSES_ROOT\WinShow.ViewSource.1\CLSID\
"(Default)" = {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\
"(Default)" = WinShow module
"(Default)" = winlink module

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinShow\
"DisplayName" = WinShow
"UninstallString" = regsvr32 /u /s [Document Folder]\[User]\Application Data\winshow\winshow.dll
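As an added example that is not part of this encyclopedia entry, the following PowerShell audit checks a host for the COM class, Browser Helper Object, ProgID, per-user and Add/Remove Programs registrations listed above. The CLSIDs, ProgIDs and key names are taken from the entry; the heuristic that flags any BHO served from a user-profile directory is an assumption added here.

```powershell
# Added example, not part of the Fortinet entry: audit a host for the registrations
# listed in the analysis above. Run from an elevated PowerShell prompt on the suspect host.
$KnownClsids = @(
    '{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}',   # WinShow.ViewSource (winshow.dll)
    '{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}'    # winlink.ViewSource (winlink.dll)
)
$KnownProgIds = @('WinShow.ViewSource', 'WinShow.ViewSource.1',
                  'winlink.ViewSource', 'winlink.ViewSource.1')
$findings = New-Object 'System.Collections.Generic.List[string]'

# Resolve the DLL a CLSID loads in-process; $null when the CLSID is not registered.
function Get-InprocServerPath([string]$Clsid) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

# 1. Browser Helper Objects: every CLSID here is loaded by Internet Explorer at start.
#    Flag the known CLSIDs and, as an assumed broader heuristic, any BHO whose DLL lives
#    under a user profile (the entry places both DLLs under Application Data).
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($bho in Get-ChildItem -Path $bhoRoot) {
        $clsid = $bho.PSChildName
        $dll = Get-InprocServerPath $clsid
        if ($KnownClsids -contains $clsid) {
            $findings.Add("Known Winshow/winlink BHO $clsid -> $dll")
        } elseif ($dll -and $dll -match '\\(Application Data|AppData)\\') {
            $findings.Add("BHO $clsid loads a DLL from a user profile: $dll")
        }
    }
}

# 2. COM class and ProgID registrations that survive even if the BHO key was removed.
foreach ($clsid in $KnownClsids) {
    $dll = Get-InprocServerPath $clsid
    if ($dll) { $findings.Add("CLSID $clsid still registered -> $dll") }
}
foreach ($progId in $KnownProgIds) {
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\$progId") { $findings.Add("ProgID present: $progId") }
}

# 3. Per-user configuration and the Add/Remove Programs entry named in the analysis.
if (Test-Path 'HKCU:\Software\WinShow') { $findings.Add('HKCU\Software\WinShow present') }
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinShow'
if (Test-Path $uninstall) {
    $findings.Add("Uninstall entry: $((Get-ItemProperty -Path $uninstall).UninstallString)")
}
if ($findings.Count -eq 0) { 'No Winshow indicators found.' } else { $findings }
```

A hit in section 1 or 2 after running the uninstaller from the Recommended Action indicates leftover COM registrations that still point at the DLL paths and should be reviewed before the host is returned to service.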
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Uninstall the Trojan using Add/Remove Programs, and select "Winshow" if listed