Wink is a family of parasites based on an original dialler.
It cannot be detected by the script at this site.
Some variants of Wink are actual diallers; others have had
this function disabled and act only as adware.
Variants
Wink/Party: dialler, program file in 'files\dialers\online_party\online_party.exe'.
Wink/hot: various diallers: at least hot_swiss,
hot_canada and hotsurprise_in have been seen. Program file
is in the form 'dialers\hot_swiss\hot_swiss.exe' (and so on
for the other variants).
Wink/HornyCam: various diallers: at least hornycam_jp
has been seen. Program file is in the form 'comsoft\dialers\hornycam_jp\hornycam_jp.exe'.
Wink/EasyDates: various diallers: at least hornycam_jp
has been seen. Program file is in the form 'comsoft\dialers\easydates_jp\easydates_jp.exe'.
Wink/UKVideo2: another dialler, program file 'dialers\ukvideo2\ukvideo2.exe'.
Wink/VideoAction: more diallers: at least videoaction_se
has been seen. Program file in the form 'comsoft\dialers\videoaction_se\videoaction_se.exe'.
Wink/DateMaker: more diallers: at least datemakerspain
and datemakerintl have been seen. Program file in the form
'dialers\datemakerspain\datemakerspain.exe' and so on. Uses
registry key 'HKEY_CLASSES_ROOT\dting File' instead of 'WINK
file'. Detected by Sophos anti-virus as Dial/Datemake and
by Panda anti-virus as Trj/Pornspa.
Wink/ASWnk: not a dialler. Opens pop-up ads from
fassia.net. Program file is ASWnk.exe in a Program Files folder
called 'primesoft\ASWnk' (instead of the usual 'dialers').
Wink/nsdlua: not a dialler. Opens pop-up ads from
(deep breath) 0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com.
Program file is 'dialers\nsdlua\nsdlua.exe'. This is known
to be loaded as a fake pop-up-killer application (which claims
it has failed to run), by stopannoyingpopups.com; exploitation
of an IE security hole is suspected here.
Wink/mscnt: not a dialler. Program file is 'mscnt.exe',
hidden in the Windows System[32] folder instead of Program
Files.
Wink/dluca: not a dialler. Program file is 'msinstall\dlu32\dluca\dluca.exe',
hidden in the Windows System[32] folder instead of Program
Files.
Wink/infwin: not a dialler. Program file is 'infwin.exe',
hidden in the Windows System[32] folder instead of Program
Files.
Wink/win and Wink/win32: not diallers.
Program file depends on country; at least 'winde.exe', 'win32us.exe',
'win32gb.exe' have been seen, in the Windows System[32] folder.
What it does
Advertising
Yes, in many of the non-dialler variants, see above.
Privacy violation
No.
Security issues
Wink can download and execute arbitrary unsigned code from
its controlling server at 204.177.92.204.
Stability issues
None known.
Removal
Wink puts an entry in Add/Remove Programs to run a file
'[variant name]_uninstall.exe' in the Windows System folder.
This does not uninstall the software; in dialler variants it
merely makes the software hide instead of showing itself at startup.
Manual removal
Wink can be spotted by opening the registry (click 'Start',
choose 'Run', enter 'regedit') and finding the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;
Wink variants have a characteristic run string ending in '/noconnect'.
This entry should be deleted, along with the key HKEY_CURRENT_USER\Software\SiteIcons,
and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK
File.
If you use Netscape 4, dialler variants will also add themselves
to the 'User Trusted External Applications' in HKEY_CURRENT_USER\Software\Netscape\Netscape
Navigator; its entries here should be deleted.
Then restart and delete the program file, which usually lives
in a folder called 'dialers' in 'C:\Program Files', but see
the variant information above.
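As an added example (not code from the original page), a read-only PowerShell audit that checks a Windows host for the indicators described above: Run-key strings ending in '/noconnect', the registry keys named in the removal steps, the program-file locations from the variant list, and the fake '[variant name]_uninstall.exe' entry. It only reports what it finds; deletion is left to the manual steps.

```powershell
# Read-only audit: reports Wink indicators from this page, deletes nothing (added example).
function Get-WinkIndicators {
    $found = @()
    $meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # 1. Run keys (both hives): the characteristic run string ends in '/noconnect'
    foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $run)) { continue }
        foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # skip provider metadata properties
            if ("$($p.Value)" -match '/noconnect\s*$') {
                $found += [pscustomobject]@{ Kind = 'RunEntry'; Where = "$run\$($p.Name)"; Value = $p.Value }
            }
        }
    }
    # 2. Registry keys named under Manual removal and in the DateMaker entry;
    #    HKCR has no drive by default, so the provider path is used
    foreach ($key in 'HKCU:\Software\SiteIcons',
                     'Registry::HKEY_CLASSES_ROOT\.WINK',
                     'Registry::HKEY_CLASSES_ROOT\WINK File',
                     'Registry::HKEY_CLASSES_ROOT\dting File') {
        if (Test-Path -LiteralPath $key) {
            $found += [pscustomobject]@{ Kind = 'RegKey'; Where = $key; Value = 'present' }
        }
    }
    # 3. Program files: the 'dialers' folders under Program Files and the System32 drops
    $pf  = $env:ProgramFiles
    $sys = [Environment]::SystemDirectory
    $sysFiles = 'mscnt.exe', 'infwin.exe', 'winde.exe', 'win32us.exe', 'win32gb.exe',
                'msinstall\dlu32\dluca\dluca.exe'
    $paths = @((Join-Path $pf 'dialers'), (Join-Path $pf 'comsoft\dialers'),
               (Join-Path $pf 'primesoft\ASWnk')) +
             @($sysFiles | ForEach-Object { Join-Path $sys $_ })
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) {
            $found += [pscustomobject]@{ Kind = 'File'; Where = $path; Value = 'present' }
        }
    }
    # 4. Add/Remove Programs entry whose uninstaller is '<variant>_uninstall.exe'
    $uninst = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($item in (Get-ChildItem $uninst -ErrorAction SilentlyContinue)) {
        $s = (Get-ItemProperty -LiteralPath $item.PSPath).UninstallString
        if ($s -and $s -match '_uninstall\.exe') {
            $found += [pscustomobject]@{ Kind = 'Uninstall'; Where = $item.PSPath; Value = $s }
        }
    }
    return $found
}
Get-WinkIndicators | Format-Table -AutoSize
```

Check 4 is deliberately broad; confirm that a flagged UninstallString points into the Windows System folder, as the page describes, before treating it as a Wink entry.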