Parasite: Wink

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Wink is a family of diallers and other parasites based on similar code. Some variants of Wink are actual diallers; others have had this function disabled and act only as adware.

Wink’s variants are controlled by sites affiliated with the Lexitrans porn network, generally using unnamed servers in the IP range 204.177.92.x-204.177.93.x.

Variants

There are a great many Wink variants, including separate builds for different countries, so this list cannot be complete. These are some of the most widely seen variants.

Wink/Party: dialler, program file in ‘files\dialers\online_party\online_party.exe’.

Wink/hot: various diallers: at least hot_swiss, hot_canada and hotsurprise_in have been seen. Program file is in the form ‘dialers\hot_swiss\hot_swiss.exe’ (and so on for the other variants).

Wink/HornyCam: various diallers: at least hornycam_jp has been seen. Program file is in the form ‘comsoft\dialers\hornycam_jp\hornycam_jp.exe’.

Wink/EasyDates: various diallers: at least easydates_jp has been seen. Program file is in the form ‘comsoft\dialers\easydates_jp\easydates_jp.exe’.

Wink/UKVideo2: another dialler, program file ‘dialers\ukvideo2\ukvideo2.exe’.

Wink/VideoAction: more diallers: at least videoaction_se has been seen. Program file in the form ‘comsoft\dialers\videoaction_se\videoaction_se.exe’.

Wink/DateMaker: more diallers: at least datemakerspain and datemakerintl have been seen. Program file in the form ‘dialers\datemakerspain\datemakerspain.exe’ and so on. Uses registry key ‘HKEY_CLASSES_ROOT\dting File’ instead of ‘WINK file’. Detected by Sophos anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.

Wink/HotTarts: another dialler. Program file seen at ‘Program Files\video1\dialers\hot_tarts_mc\hot_tarts_mc.exe’.

Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is ASWnk.exe in a Program Files folder called ‘primesoft\ASWnk’ (instead of the usual ‘dialers’).

Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath) 0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com. Program file is ‘dialers\nsdlua\nsdlua.exe’. This is known to be loaded as a fake pop-up-killer application (which claims it has failed to run), by stopannoyingpopups.com; exploitation of an IE security hole is suspected here.

Wink/mscnt: not a dialler. Program file is ‘mscnt.exe’, hidden in the Windows System[32] folder instead of Program Files.

Wink/dluca: not a dialler. Program file is ‘msinstall\dlu32\dluca\dluca.exe’, hidden in the Windows System[32] folder instead of Program Files.

Wink/dlux: not a dialler; runs as a backdoor process. At least dluxde.exe and dluxjp.exe have been seen, in ‘Program Files\dialers\dluxde’ and ‘Program Files\dialers\dluxjp’.

Wink/infwin: not a dialler. Program file is ‘infwin.exe’, hidden in the Windows System[32] folder instead of Program Files.

Wink/win and Wink/win32: not diallers. Program file depends on country; at least ‘winde.exe’, ‘win32us.exe’ and ‘win32gb.exe’ have been seen, in the Windows System[32] folder.

What it does

Advertising

Yes: many of the non-dialler variants open pop-up ads (see the variant list above).

Privacy violation

No.

Security issues

Wink can download and execute arbitrary unsigned code from its controlling server at 204.177.92.204, so an infected machine should be treated as fully compromised: whatever that server chose to push may also be present.

Stability issues

None known.

Removal

Wink puts an entry in Add/Remove Programs that runs a file ‘[variant name]_uninstall.exe’ in the Windows System folder. This does not uninstall the software; in dialler variants it only makes the software hide itself at startup instead of showing itself. Removal therefore has to be done by hand, as described below.

Manual removal

Wink can be spotted by opening the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and looking in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Wink variants have a characteristic run string ending in ‘/noconnect’. Note the program path in that run string (you will need it in the last step), then delete the entry, along with the key HKEY_CURRENT_USER\Software\SiteIcons and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK File (Wink/DateMaker uses HKEY_CLASSES_ROOT\dting File instead; see above).

If you use Netscape 4, dialler variants will also add themselves to the ‘User Trusted External Applications’ list under HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator; Wink’s entries there should be deleted.

Then restart and delete the program file, which usually lives in a folder called ‘dialers’ in ‘C:\Program Files’, but see the variant information above, as several variants hide in the Windows System[32] folder instead.
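The checks above can be automated against a registry export rather than done by eye in regedit. The script below is an added example written for this page; it is not the detection script credited to Andrew Clover, nor anything distributed by doxdesk.com or allentech.net. It parses a ‘.reg’ text export and flags the indicators the Removal section lists: a Run value whose command line ends in ‘/noconnect’, the SiteIcons, ‘.WINK’, ‘WINK File’ and ‘dting File’ keys, and an Add/Remove Programs entry whose UninstallString is a ‘[name]_uninstall.exe’. It checks every ‘...\CurrentVersion\Run’ key it sees (HKEY_CURRENT_USER as well as the HKEY_LOCAL_MACHINE key the page names), which is a small generalisation. The sample export embedded in it is constructed for the demonstration, not captured from an infected machine, and the Netscape 4 entries are not handled because the page does not describe their exact format.

```python
"""Triage a .reg export for the Wink indicators given in the Manual removal section."""
import re

# Indicators taken from the page (case-insensitive matching below).
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
UNINSTALL_KEY_PART = "\\software\\microsoft\\windows\\currentversion\\uninstall\\"
WINK_RUN_SUFFIX = "/noconnect"
WINK_KEYS = (
    r"HKEY_CURRENT_USER\Software\SiteIcons",
    r"HKEY_CLASSES_ROOT\.WINK",
    r"HKEY_CLASSES_ROOT\WINK File",
    r"HKEY_CLASSES_ROOT\dting File",  # Wink/DateMaker uses this instead of 'WINK File'
)

_ESCAPE = re.compile(r'\\(["\\])')  # .reg string literals escape \ and " with a backslash


def _unquote(literal):
    """Turn a .reg string literal ("...") into plain text; other data types are left as-is."""
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        return _ESCAPE.sub(r"\1", literal[1:-1])
    return literal


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key path: {value name: data}}. A key with no values maps to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][_unquote(name)] = _unquote(data)
    return keys


def program_path(command):
    """Extract the executable from a command line: '"C:\\a b\\x.exe" /flag' or 'C:\\x.exe /flag'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_wink(keys):
    """Return the Run entries, keys, Add/Remove entries and program files that the
    Manual removal section says to delete, as found in a parsed export."""
    report = {"run_entries": [], "keys": [], "uninstall_entries": [], "files": []}
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if data.rstrip().lower().endswith(WINK_RUN_SUFFIX):
                    report["run_entries"].append((key, name, data))
                    report["files"].append(program_path(data))  # delete after restart
        elif UNINSTALL_KEY_PART in low:
            # The Add/Remove entry runs '<variant>_uninstall.exe' from the System folder;
            # it is Wink's own file, so it goes too.
            uninstall = values.get("UninstallString", "")
            if program_path(uninstall).lower().endswith("_uninstall.exe"):
                report["uninstall_entries"].append((key, uninstall))
                report["files"].append(program_path(uninstall))
        for wink_key in WINK_KEYS:
            if low == wink_key.lower() or low.startswith(wink_key.lower() + "\\"):
                if wink_key not in report["keys"]:
                    report["keys"].append(wink_key)  # report the top key once, not every subkey
                break
    return report


# Constructed sample export (not from a real machine): one benign Run entry next to a
# Wink/hot run string, plus the keys the page says a dialler variant creates.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /background"
"hot_swiss"="\"C:\\Program Files\\dialers\\hot_swiss\\hot_swiss.exe\" /noconnect"

[HKEY_CURRENT_USER\Software\SiteIcons]

[HKEY_CLASSES_ROOT\.WINK]
@="WINK File"

[HKEY_CLASSES_ROOT\WINK File\shell\open\command]
@="\"C:\\Program Files\\dialers\\hot_swiss\\hot_swiss.exe\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hot_swiss]
"DisplayName"="hot_swiss"
"UninstallString"="C:\\WINDOWS\\system32\\hot_swiss_uninstall.exe"
'''

if __name__ == "__main__":
    for section, items in find_wink(parse_reg_export(SAMPLE_EXPORT)).items():
        print(section)
        for item in items:
            print("   ", item)
```

To run it against a real machine, export the relevant hives first (for example ‘reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg’ and the same for HKCU\Software and HKEY_CLASSES_ROOT); regedit writes ‘Version 5.00’ exports as UTF-16, so open them with encoding="utf-16" before passing the text to parse_reg_export. The script only reports; the actual deletions are still the manual steps above, and the program file must be deleted after the restart, as the page says.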

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
