WINSIT.EXE, Prevx

Associated Malware Groups

The filename is associated with the malware groups:

Cloaked Malware
Malware Dropper
Malicious Software
Worm

File Behavior

WINSIT.EXE has been seen to perform the following behavior:

Executes a Process
This process creates other processes on disk
Registers a Dynamic Link Library File
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Disables Access to the Windows Registry Editior
Disables Access to the Task Manager built into Windows
Modifies Windows Security Policies to restrict/expand User Privileges on the machine
Adds products to the system registry
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Writes to another Process's Virtual Memory (Process Hijacking)
Modifies Windows Initialization And System Settings Used On Start up
Disables the built in Windows File Protection System
Executes Processes stored in Temporary Folders
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Can communicate with other computer systems using HTTP protocols
Modifies firewall settings, without user permission so it is not blocked from accessing the Internet
Disables safe mode on your PC
Injects code into other processes
Performs DNS look ups to resolve URL IP addresses
Creates a new Background Service on the machine
The Process is packed and/or encrypted using a software packing process
The Process is polymorphic and can change its structure
Found on infected systems and resists interrogation by security products
Uses rootkit techniques to conceal its presence, interrogation or removal

WINSIT.EXE has been the subject of the following behavior:

Executed as a Process
Created as a process on disk
Added as a Registry auto start to load Program on Boot up
Terminated as a Process
Deleted as a process from disk
Created by processes which appear to be checking for interception by security products
Has code inserted into its Virtual Memory space by other programs

Country Of Origin

The filename WINSIT.EXE was first seen on May 25 2007 in the following geographical regions of the Webroot community:

The United States on May 25 2007
Korea, Republic of on May 25 2007
South Africa on Jul 28 2007
Taiwan on Aug 14 2007
Spain on Aug 14 2007
Thailand on Sep 21 2007
Singapore on May 7 2008
Malaysia on May 7 2008
India on Dec 4 2009
The United Kingdom on Dec 4 2009
The United Arab Emirates on Jul 27 2010

File Name Aliases

WINSIT.EXE can also use the following file names:

SVIQ.EXE
PHOTOS.EXE
KODAI.EXE
WIN.EXE
SIVAJIOLD.EXE
PORTABLE ANTIVIRUS.EXE
BFD-ROLE PLAY.EXE
COMEDY WITH THE BOTAK.EXE
ANNEX.EXE
FINAL.EXE
LSM- PROJECT.EXE
CAV.EXE
INDIAN CULTURAL ASSOCIATION.EXE
MISCELLANEOUS.EXE
RAY CHARLES4563.EXE
REAL DEAL.EXE
POWERPOINT PROJECT.EXE
MICROSOFT EXCEL.EXE
MICROSOFT WORD.EXE
MICROSOFT ACCESS.EXE
OFA.EXE
UNLIMITED POWER.EXE
LESSONS IN MASTERY DISC 6 DISC 6.EXE
LESSONS IN MASTERY DISC 5.EXE
LESSONS IN MASTERY DISC 4 DISC 4.EXE
LESSONS IN MASTERY DISC 3.EXE
LESSONS IN MASTERY DISC 2.EXE
LESSONS IN MASTERY DISC 1.EXE
ANTHONY ROBBINS.EXE
GET ANYONE TO DO ANYTHING.EXE
EMOTIONAL ALCHEMY.EXE
NLP MANUALS.EXE
LECTURES-STUDY.EXE
UNLIMITED SUCCESS GROUP.EXE
RECORDED TRACKS.EXE
BOOK.EXE
LANGKAWI.EXE
IMPORTANT DOCUMENTS.EXE
SUZANNA.EXE
NADIGAN.EXE
SANGEETHA.EXE
MUNA.EXE
RECYCLER.EXE
SEQUENCING TRACKS.EXE
LLA.EXE
PROGRAMME.EXE
VIDEO CLIPS.EXE
PLAYLISTS.EXE
MUSIC.EXE
IMAGES.EXE
KAVIND - DO NOT DELETE.EXE
PICTURE.EXE
RINGTONES.EXE
VIDEODJ.EXE
PODCAST.EXE
CANONMSC.EXE
MAPS.EXE
ART.EXE
CARS.EXE
ASR.EXE
AUDIOBOOKS.EXE
AUSTRALIA.EXE
BIN.EXE
CONTACTS.EXE
CUSTOMVOICE.EXE
DEMO.EXE
EPHEM.EXE
FLEETECD.EXE
GNS.EXE
FLAGS.EXE
HELPME.EXE
MEDICAL.EXE
CAR.EXE
TRAFFICRULES.EXE
TRAVELINFO.EXE
HOME IMAGES.EXE
ITN.EXE
LICENCES.EXE
LOGGING.EXE
ENGLISHGB.EXE
KATE.EXE
SIMON.EXE
ENGLISHTE.EXE
LIB.EXE
LOQUENDOTTS.EXE
DOWNLOAD.EXE
MICROBROWSER.EXE
RESOURCE.EXE
PHONE_DATABASE.EXE
PROGRAM.EXE
RASTER.EXE
SCHEMES.EXE
KELAS.EXE
FOLDER SETTINGS.EXE
ASSIGNMENT- POWERPOINT.EXE
SYAM.EXE
LAIN2.EXE
KKBI.EXE
SHORT ASSIGNMENT.EXE
SEM 2.EXE
SEM 3.EXE
SEM I 2006.EXE
AKIDAH.EXE
SIRAH.EXE
SEM II 2007.EXE
SURF.EXE
SEM III 2007.EXE
ARAK_FILES.EXE
MENCURI_FILES.EXE
HOME_FILES.EXE
HUKUMAN_FILES.EXE
TUJUAN_FILES.EXE
PEMBUNUHAN_FILES.EXE
ZINA_FILES.EXE
LIWAT_FILES.EXE
QAZAF_FILES.EXE
QISAS.EXE
DEFORESTATION_FILES.EXE
EFFECTS_OF_WORLD_WAR_II_FILES.EXE
POLLUTION - WIKIPEDIA, THE FREE ENCYCLOPEDIA_FILES.EXE
SPORT - WIKIPEDIA, THE FREE ENCYCLOPEDIA_FILES.EXE
SUSTAINABLE_DEVELOPMENT_FILES.EXE
WAR_FILES.EXE
SUMBER.EXE
WILDLIFE_FILES.EXE
ENVIRONMENTALISM_FILES.EXE
ECOLOGY_FILES.EXE
NATURAL_HISTORY_FILES.EXE
NATURE_FILES.EXE
NATURAL_ENVIRONMENT_FILES.EXE
ENVIRONMENT.EXE
KKP PROF AKU.EXE
KKP BI.EXE
PROFICIENCY.EXE
TMK.EXE
AG(T).EXE
OTHER.EXE
FUN.EXE
RECYCLED.EXE
PAQ.EXE
PJPK_SEM2.EXE
PING PONG SEM3.EXE
GERKO PING PONG.EXE
GERKO TENIS '07.EXE
KKBI KS '07.EXE
KKBI INDIVIDU KS.EXE
MALAYAN_UNION_FILES.EXE
NASIONALISME_FILES.EXE
KKBI KUMP KS.EXE
KKBI KS.EXE
PPISMP.EXE
KKP FALSAFAH.EXE
KENA WAT FAIL BIG PLAK DAH.EXE
BIG SEM 1 (30 APR - 3 MEI 2008).EXE
KAJIAN LAPANGAN DI SKHAS (02.03.2008).EXE
GAMBAQ AMIR.EXE
KKP PKK.EXE
PKK.EXE
SENARAI NAMA KELAS.EXE
TAMADUN ISLAM.EXE
PEDAGOGI P.ISLAM.EXE
TEORI_PEMBELAJARAN_DAN_PENGAJARAN_FILES.EXE
PEDAGOGI_INTERNET.EXE
PEDAGOGI.EXE
RUJUKAN.EXE
SEM 1.EXE
PISMP.EXE
KONTRAK-SOSIAL-DAN-PERLEMBAGAAN-MALAYSIA_FILES.EXE
垃圾.EXE
LLS資料夾.EXE
隔代教養.EXE
現代婦女.EXE
性別生活學.EXE
專題製作.EXE
護理專案.EXE
呼吸衰竭.EXE
器官捐贈.EXE
老人體驗營相片1000428.EXE
親職教育報告.EXE
管教探討.EXE
護理研究.EXE
BMW.EXE
DCIM.EXE
SYSTEM.EXE
APPS.EXE
BF821295-D0D5-44B1-9DE9-527EBAA25A41.EXE
DATA.EXE
EXEC.EXE
AC100F40-945A-4164-993C-603E0FFD1D48.EXE
F341CFFF-7836-4016-A7D6-E203E64100C7.EXE
MISC.EXE
ABOUTUS_FILES.EXE
另類療法.EXE
民主憲政.EXE
生統.EXE
KKP.EXE
BM TERAS.EXE
BM.EXE
KS.EXE
KB.EXE
KE.EXE
PJ.EXE
PP.EXE
DC.EXE
BA.EXE
PA.EXE
M3.EXE
DG3.EXE
DG4.EXE
DG5.EXE
S-10-13-44-55-18374839393-33.EXE
S-10-13-44-55-18374839393-34.EXE
S-5-3-42-2819952290-8240758988-879315005-3665.EXE
MP3.EXE
S-1-5-21-1482476501-1644491937-682003330-1013.EXE
老護.EXE
實習.EXE
成護.EXE
兒科.EXE
中醫.EXE

Filesizes

The following file size has been seen:

57,344 bytes
151,552 bytes
143,360 bytes
131,072 bytes
114,688 bytes
196,608 bytes
65,536 bytes

File Type

The filename WINSIT.EXE refers to many versions of an executable program.

File Activity

One or more files with the name WINSIT.EXE creates, deletes, copies or moves the following files and folders:

Creates c:\windows\system\Fun.exe
Creates c:\windows\dc.exe
Creates c:\windows\SVIQ.EXE
Creates c:\windows\inf\Other.exe
Creates c:\windows\system32\WinSit.exe
Creates c:\windows\system32\config\Win.exe
Creates c:\windows\help\Other.exe
Opens/modifes c:\autoexec.bat
Deletes c:\docume~1\user\locals~1\temp\2C.tmp

Website Activity

One or more files with the name WINSIT.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:127.0.0.1:1070 Port:19
Port 80 IP:192.0.2.0

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

WINSIT.EXE

Free PC Cleanup from Webroot