wings.exe - Dangerous
We suggest that you remove wings.exe from your computer as soon as possible.
Wings.exe is a Trojan/Backdoor.
Kill the wings.exe process and remove wings.exe from Windows startup.
File: webcam.exe
-------------------------------------------------------------------------------------
Classification:
Antivirus    Version      Last Update  Result
Avast        4.8.1335.0   2009.08.15   Win32:Flooder-BA
AVG          8.5.0.406    2009.08.16   IRC/BackDoor.Flood
BitDefender  7.2          2009.08.16   Dropped:Generic.IRC.Autorun.DDCDD7DE
Comodo       1993         2009.08.16   UnclassifiedMalware
DrWeb        5.0.0.12182  2009.08.16   IRC.Flood
F-Secure     8.0.14470.0  2009.08.16   Trojan:W32/Floodz.A
Kaspersky    7.0.0.125    2009.08.16   not-a-virus:Client-IRC.Win32.mIRC.603
Microsoft    1.4903       2009.08.16   Backdoor:IRC/Cloner.gen
NOD32        4340         2009.08.16   IRC/Flooder.Agent.A
Symantec     1.4.4.12     2009.08.16   IRC Trojan
Additional information
File size: 736714 bytes
MD5 : 071a4127e7325250cec1a00078180462
SHA1 : f6b6279717ce270880bc569273c7ec8b71ebe877
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys added:24
----------------------------------
HKLM\SOFTWARE\Classes\.cha
HKLM\SOFTWARE\Classes\.chat
HKLM\SOFTWARE\Classes\ChatFile
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon
HKLM\SOFTWARE\Classes\ChatFile\Shell
HKLM\SOFTWARE\Classes\ChatFile\Shell\open
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Classes\irc
HKLM\SOFTWARE\Classes\irc\DefaultIcon
HKLM\SOFTWARE\Classes\irc\Shell
HKLM\SOFTWARE\Classes\irc\Shell\open
HKLM\SOFTWARE\Classes\irc\Shell\open\command
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
HKCU\Software\Microsoft\Microsoft Agent
HKCU\Software\mIRC
HKCU\Software\mIRC\DateUsed
----------------------------------
Values added:44
----------------------------------
HKLM\SOFTWARE\Classes\.cha\: "ChatFile"
HKLM\SOFTWARE\Classes\.chat\: "ChatFile"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\: "ms32"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command\: ""c:\windows\system32\wings.exe" -noconnect"
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon\: ""c:\windows\system32\wings.exe""
HKLM\SOFTWARE\Classes\ChatFile\: "Chat File"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\: "ms32"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\command\: ""c:\windows\system32\wings.exe" -noconnect"
HKLM\SOFTWARE\Classes\irc\DefaultIcon\: ""c:\windows\system32\wings.exe""
HKLM\SOFTWARE\Classes\irc\: "URL:IRC Protocol"
HKLM\SOFTWARE\Classes\irc\EditFlags: 02 00 00 00
HKLM\SOFTWARE\Classes\irc\URL Protocol: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSmsFi: "wings.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\DisplayName: "mIRC"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\UninstallString: ""c:\windows\system32\wings.exe" -uninstall"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\wings.exe: "C:\WINDOWS\system32\wings.exe:*:Enabled:mIRC"
HKCU\Software\Microsoft\Microsoft Agent\VoiceEnabled: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseVoiceTips: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\KeyHoldHotKey: 0x00000091
HKCU\Software\Microsoft\Microsoft Agent\UseBeepSRPrompt: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SRTimerDelay: 0x000007D0
HKCU\Software\Microsoft\Microsoft Agent\SRModeID: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\Microsoft Agent\EnableSpeaking: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseBalloon: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseCharacterFont: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseSoundEffects: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SpeakingSpeed: 0x00000005
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetX: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetY: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetWidth: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetHeight: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetPage: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLeft: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowTop: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowWidth: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowHeight: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLocationSet: 0x00000000
HKCU\Software\mIRC\DateUsed\: "1250510449"
----------------------------------
Values modified:2
----------------------------------
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.google.com/"
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "Http://www.chatmuhabbet.net"
----------------------------------
Files added:12
----------------------------------
C:\WINDOWS\system32\Chans.dll
C:\WINDOWS\system32\demo.xt
C:\WINDOWS\system32\email.txt
C:\WINDOWS\system32\fn.xt
C:\WINDOWS\system32\fucker.jpg
C:\WINDOWS\system32\mIRC.ini
C:\WINDOWS\system32\nHTMLn_2.95.dll
C:\WINDOWS\system32\server.dll
C:\WINDOWS\system32\Sfwwin32.dll
C:\WINDOWS\system32\sysingB32.dll
C:\WINDOWS\system32\win.ini
C:\WINDOWS\system32\wings.exe
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:3
----------------------------------
C:\WINDOWS\system32\download
C:\WINDOWS\system32\logs
C:\WINDOWS\system32\sounds
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:85
----------------------------------
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: WinSmsFi
Author: mIRC Co. Ltd.
Related File: wings.exe
Type: Registry Run
Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.