Virus Profile: W32/Wplugin

Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/16/2008
Date Added: 10/16/2008
Origin: N/A
Length: varies
Type: Virus
Subtype: Win32
DAT Required: 5407


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The indicators of infection are the files, registry entries and network activity listed in the Virus Characteristics section below.

Methods of Infection

Viruses are self-replicating. They often spread over a network or by being carried on removable media such as a removable disk, writable CD or USB drive. They may also spread by infecting files on a network file system or on a file system shared with another computer.


Aliases

Backdoor.ceBot.c (Quick Heal), BackDoor.ProRat.266 (Doctor Web), Backdoor.Win32.ceBot.c (Kaspersky), PE_WPLUG.A (Trend Micro), Virus:Win32/Slugin.A (Microsoft), W32.Slugin.A!inf (Symantec), W32/Agent.IYJK.dropper (Norman), W32/CeBot.C!tr.bdr (Fortinet), W32/Slugin-A (Sophos), Win32.Worm.IM.H (SOFTWIN), Win32:Trojan-gen {Other} (ALWIL), Worm.Kolabc.DI (VirusBuster)

Virus Characteristics

On execution it drops a DLL named Wplugin.dll and creates a copy of itself as winhost32.exe. The DLL is written to the following locations:

%USERPROFILE%\Application Data\Wplugin.dll
%SYSTEMROOT%\Wplugin.dll (md5sum: 0EA8AE8DD149E74C734BEB666CE5DA93)

Wplugin.dll is detected as W32/Wplugin.dll. W32/Wplugin then launches the winhost32.exe copy and deletes the file it was originally started from.

To start on system reboot it adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Host Service =  "winhost32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Host Service = "winhost32.exe"

The RunServices key is honoured only by Windows 9x/ME; on NT-based systems the Run value alone provides persistence. Note that the value carries no directory, so winhost32.exe has to reside in a location on the system search path for the entry to work.

It also adds or modifies the following registry entries:

HKCU\Software\Microsoft\OLE\Microsoft Host Service = "winhost32.exe"
HKLM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs = 0x3A98
HKLM\Software\Licenses\{K7C0DB872A3F777C0} = 66 A4 D5 52 06 0E 1F FF ... 
HKCR\CLSID\{2DF8DBC8-3025-BA3E-6E71-6840F5235369}\PersistentHandler\(Default) = "{98de59a0-d175-11cd-a7bd-00006b827d94}"

It creates a mutex named cBot-usb01 so that only one instance of the malware runs at a time.

It also tries to connect to IRC servers on TCP port 82 rather than the usual IRC port 6667, which makes the traffic easy to distinguish in firewall or proxy logs. At the time of analysis both servers were down and the domain resolves to
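To turn the indicators in this section into a host check, the following PowerShell sweep is an added example (not a McAfee tool and not code from this profile). It tests for the dropped DLL and compares its MD5 with the one above, resolves winhost32.exe the way the Run value would, reads the listed registry values, probes the mutex and lists connections to TCP port 82. It assumes an elevated PowerShell 3.0 or later session; the %APPDATA% path variant, the Global\ mutex name and the Get-NetTCPConnection call (Windows 8 / Server 2012 and later) are assumptions that go beyond what the profile states.

```powershell
# W32/Wplugin indicator sweep. Added example, not McAfee's tool.
# Assumes PowerShell 3.0+, run elevated so HKLM and %SYSTEMROOT% are readable.

$Findings = New-Object System.Collections.Generic.List[string]
$KnownMd5 = '0EA8AE8DD149E74C734BEB666CE5DA93'   # %SYSTEMROOT%\Wplugin.dll per the profile

# --- Dropped DLL ---------------------------------------------------------------
# The profile gives the XP-era "Application Data" path; on Vista and later that
# directory is a junction to %APPDATA%, so both spellings are checked (assumption).
$DllPaths = @(
    (Join-Path $env:USERPROFILE 'Application Data\Wplugin.dll'),
    (Join-Path $env:APPDATA     'Wplugin.dll'),
    (Join-Path $env:SystemRoot  'Wplugin.dll')
)
foreach ($p in ($DllPaths | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $note = if ($hash -eq $KnownMd5) { 'MD5 matches the profile' }
                else { "MD5 $hash differs from the profile; still treat as suspicious" }
        $Findings.Add("File: $p ($note)")
    }
}

# --- winhost32.exe copy and running process ------------------------------------
# The Run value is just "winhost32.exe" with no directory, so the copy must live
# on the search path; resolve it the same way the shell would at logon.
$cmd = Get-Command -Name winhost32.exe -CommandType Application -ErrorAction SilentlyContinue
if ($cmd) { $Findings.Add("winhost32.exe resolves on the search path: $($cmd.Source)") }
Get-Process -Name winhost32 -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Process: winhost32.exe PID $($_.Id) ($($_.Path))") }

# --- Registry persistence and side effects -------------------------------------
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',  # Windows 9x/ME only
    'HKCU:\Software\Microsoft\OLE'
)
foreach ($key in $RunKeys) {
    $v = Get-ItemProperty -LiteralPath $key -Name 'Microsoft Host Service' -ErrorAction SilentlyContinue
    if ($v) { $Findings.Add("Registry: $key\Microsoft Host Service = '$($v.'Microsoft Host Service')'") }
}
$lic = Get-ItemProperty -LiteralPath 'HKLM:\Software\Licenses' -Name '{K7C0DB872A3F777C0}' -ErrorAction SilentlyContinue
if ($lic) { $Findings.Add('Registry: HKLM\Software\Licenses\{K7C0DB872A3F777C0} is present') }
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{2DF8DBC8-3025-BA3E-6E71-6840F5235369}\PersistentHandler'
if (Test-Path -LiteralPath $clsid) { $Findings.Add("Registry: $clsid is present") }

# --- Mutex -----------------------------------------------------------------------
# The profile names the mutex "cBot-usb01"; the Global\ form is an assumption that
# covers a copy running in another session.
foreach ($name in 'cBot-usb01', 'Global\cBot-usb01') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Close()
        $Findings.Add("Mutex: $name exists (an instance is running now)")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch [System.UnauthorizedAccessException] {
        $Findings.Add("Mutex: $name exists but could not be opened (access denied)")
    }
}

# --- Network ---------------------------------------------------------------------
# Outbound TCP/82 is unusual for a workstation; report anything talking to it.
Get-NetTCPConnection -RemotePort 82 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings.Add("Network: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):82 ($($_.State), owner $owner)")
    }

# --- Report ----------------------------------------------------------------------
if ($Findings.Count -eq 0) {
    'No W32/Wplugin indicators found.'
} else {
    'W32/Wplugin indicators found:'
    $Findings | ForEach-Object { "  $_" }
    exit 1
}
```

A clean host prints nothing but the first line and exits 0, so the script can be pushed through a remote-execution tool and its exit code collected. The mutex probe only reports an instance that is running right now; the file and registry checks are what catch a machine that was infected but has since rebooted without the sample starting (for example after the DLL was quarantined but the Run value was left behind).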


A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, e-mail or other media where users share files.


