wstart32.exe - Dangerous
wstart32.exe
Manual removal instructions:
Antivirus Report of wstart32.exe:
wstart32.exe
W32.HLLW.Gaobot.CA is a minor variant of W32.HLLW.Gaobot.AO.
It attempts to spread to network shares that have weak passwords and allows hackers to access an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80
Steals CD keys of Computer games.
Allows unauthorized execution of remote commands. Terminates security software programs.
Listens on randomly calculated ports, ranging from 1000 to 3000 and one from above 10000, and waits for other computers to download the worm.
Copies itself to administrative shares on machines with weak passwords as %System%\wstart32.exe.
And adds the value:
"Windows Loader"="wstart32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and
"Configuration Loader" = "%System%\wstart32.exe" -service
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm
Use RegRun Startup Optimizer to automatically remove it from startup.
wstart32.exe | Malware |
wstart32.exe | Dangerous |
wstart32.exe | High Risk |
It attempts to spread to network shares that have weak passwords and allows hackers to access an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80
Steals CD keys of Computer games.
Allows unauthorized execution of remote commands. Terminates security software programs.
Listens on randomly calculated ports, ranging from 1000 to 3000 and one from above 10000, and waits for other computers to download the worm.
Copies itself to administrative shares on machines with weak passwords as %System%\wstart32.exe.
And adds the value:
"Windows Loader"="wstart32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and
"Configuration Loader" = "%System%\wstart32.exe" -service
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm
Use RegRun Startup Optimizer to automatically remove it from startup.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.