
WINPRC.EXE

PROCESS INFORMATION

Process Name : winrpc.exe
Process Path : %SYSTEM%\winrpc.exe [ C:\Windows\System32\winrpc.exe ]
Process type : Internet Worm
Malware Name : W32.Lovegate.C@mm
Alias : I-Worm/Lovegate, I-Worm.Supnot.a, WORM_LOVGATE.C
Threat level : Medium

Process Details

Winrpc.exe is dropped by the Lovegate.C worm. This is a modified variant of the Lovegate worm that uses e-mail addresses collected from *.ht* files to send infected messages. It also copies itself to shared network drives and drops backdoor programs on the infected system.

When the infected attachment is executed, the worm copies itself to the Windows system folder as:

rpcsrv.exe
syshelp.exe
WinGate.exe
winprc.exe
WinRpcsrv.exe

The Lovegate worm creates new entries in the registry Run key so that it loads automatically. It also modifies the registry so that it loads whenever a text file is opened.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    syshelp=%SYSTEM%\syshelp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    WinGate initialize=%SYSTEM%\WinGate.exe -remoteshell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Module Call initialize=%SYSTEM%\RUNDLL32.EXE reg.dll ondll_reg
HKEY_CLASSES_ROOT\txtfile\shell\open\command
    winrpc.exe %1

On Win9x systems, it modifies the win.ini file and adds the entry run=rpcsrv.exe.
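
Added example (not part of the original page and not Solo's code): a Python check that parses the text of a `reg export` file and reports the Run and txtfile entries listed above. The function names and the sample export are constructed for illustration.

```python
import re

# File names and the rundll32 arguments this page lists as Lovegate.C artifacts.
DROPPED = {"rpcsrv.exe", "syshelp.exe", "wingate.exe", "winprc.exe",
           "winrpcsrv.exe", "winrpc.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"

def parse_reg(text):
    """Parse the string values of a .reg export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def findings(text):
    """Return (key, value_name, data) tuples that match the page's indicators."""
    hits = []
    for key, values in parse_reg(text).items():
        if key not in (RUN_KEY, TXT_KEY):
            continue
        for name, data in values.items():
            # Reduce every command-line token to its base file name.
            tokens = {t.rsplit("\\", 1)[-1] for t in re.split(r'[\s"]+', data.lower())}
            if tokens & DROPPED or ("reg.dll" in tokens and "ondll_reg" in tokens):
                hits.append((key, name, data))
    return hits

# Constructed sample export: three Run entries from this page, one benign entry,
# and the hijacked text-file handler.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\Windows\\System32\\syshelp.exe"
"WinGate initialize"="C:\\Windows\\System32\\WinGate.exe -remoteshell"
"Module Call initialize"="C:\\Windows\\System32\\RUNDLL32.EXE reg.dll ondll_reg"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

A hit on the txtfile handler matters for cleanup order: if the worm file is deleted while that handler still points to it, text files will no longer open until the handler is restored.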

The worm tries to copy itself to shared folders connected on the network under any of the following names:

Card.EXE
billgt.exe
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE

The Lovegate worm uses its own SMTP engine to send infected messages. The worm spreads via e-mail in two ways.

1. It can send a new infected message with the subject and message body taken from the worm.
2. It can reply to the mails found in the inbox using MAPI functions, with the following text: "I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion!"

The Lovegate worm drops backdoor programs on the infected system. These can be used by hackers to steal your data. You can use the Solo trial version to remove the worm from your system.

How can I protect my system?

Solo has incorporated winrpc.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

Solo antivirus can detect and remove winrpc.exe and its variants safely. Use the following link to download the 30-day trial version of Solo antivirus to remove viruses from your computer.

Solo anti-virus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors, and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link
