
WINGUARD.EXE
PROCESS INFORMATION
Process Name : Winguard.exe
Process Path : C:\Winguard.exe
Process type : Internet Worm
Malware Name : W32.SouthPark@mm
Alias : I-Worm.SouthPark, W32/SouthPark@mm, W32/SouthPark-A
Threat level : Low
Process Details :
Winguard.exe is dropped by the South Park worm, an Internet worm that spreads through Microsoft Outlook and by other techniques, such as copying "South Park.exe" to floppy drives and mapped drives. The worm is 19,968 bytes long and written in Visual Basic. It needs "MSVBVM50.dll" to spread; otherwise it shows a DLL-missing error. The e-mail attachment name is "South Park.exe".

When the e-mail attachment is opened, the worm copies "South Park.exe" to all mapped drives and creates the files "winguard.exe", "Windowsstart.dll", "Windowssystem.dll" and "s.bat" in the C drive's root directory. The DLL files contain the date and infection count information, and the batch file contains routines to make the floppy disk bootable. "winguard.exe" is stored as a hidden system file.

It then changes the registry settings so that "c:\winguard.exe" is automatically executed when the system is restarted. It creates a temporary file, c:\v.reg, to modify the registry information and then deletes it. The registry modifications are given below.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
windll="c:\winguard.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
windll="c:\winguard.exe"

It opens the Microsoft Outlook address book and sends e-mail to all the e-mail addresses stored there. The message subject is "Servus Alter!", the message body is "Hier ist das Spiel, das du unbedingt wolltest! ;-)" and the attachment name is "South Park.exe". The e-mail message is written in German.

On floppy drives, the worm periodically checks for "South Park.exe"; if the file is not found, it runs "s.bat" to make the disk bootable and creates "Autoexec.bat". The floppy disk's "Autoexec.bat" contains the following code:

@echo off
copy South Park.exe C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\South Park.exe
cls
del autoexec.bat

Sometimes it failed to put the entire path. On other mapped drives, it periodically checks for "South Park.exe" and, if the file is not found, copies it to the root directory.

The payload of this worm is somewhat different. It creates "Swapfile.vxd" in the Windows directory and fills it with the garbage character "D" until the entire hard disk is used up, so Windows shows a hard-disk-full alert message.

Our Technical team has found that more attacking capability is dormant in this virus and it could activate in different forms.
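
A triage check built from the indicators described above, as an added example that is not part of the original write-up or of Solo Antivirus: it parses a REGEDIT4 text export and a listing of the C: root directory, then reports the Run values and dropped files this description names. The function names, the sample export and the sample listing are constructed for illustration.

```python
import re

# Indicators taken from the description above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_users\.default\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
RUN_TARGET = r"c:\winguard.exe"
DROPPED = {"winguard.exe", "windowsstart.dll", "windowssystem.dll", "s.bat"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse REGEDIT4 export text into {key: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_southpark_indicators(reg_text, root_listing):
    """Return (kind, location, detail) tuples for each indicator found."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            # Match on the target path, so a renamed value is still caught.
            if key in RUN_KEYS and data.strip().lower() == RUN_TARGET:
                hits.append(("run-value", key, name))
    for fname in root_listing:
        if fname.lower() in DROPPED:
            hits.append(("dropped-file", "c:\\", fname))
    return hits

# Constructed sample input: a registry export and a C: root listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"windll"="c:\\winguard.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"windll"="c:\\winguard.exe"
'''
SAMPLE_ROOT = ["AUTOEXEC.BAT", "COMMAND.COM", "WINGUARD.EXE", "s.bat"]
```

Calling find_southpark_indicators(SAMPLE_REG, SAMPLE_ROOT) returns two run-value hits and two dropped-file hits; because "winguard.exe" is stored as a hidden system file, the root listing has to be taken with hidden and system files included.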

How can I protect my system?
Solo has incorporated Winguard.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?
If you are already infected with the Winguard.exe process, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove W32.SouthPark@mm safely. Use the following link to download the 30-day trial version of Solo antivirus to remove viruses from your computer.

Solo anti-virus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.
You can purchase Solo antivirus using the link