allentech.net

Parasite: MagicControl

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

MagicControl is a commercial trojan from dialler manufacturer Electronic Group (eGroup).

It seems to contain code aimed at avoiding personal firewall software installed on the local machine.

Variants

MagicControl/MC: versions 1.0.1.0 to 1.0.1.4, stored in a folder called ‘mc’ in the Windows folder.

MagicControl/Wintrim: versions 1.0.1.5 to 1.0.2.7; folder is now called ‘wintrim’.

MagicControl/Wincomp: version 1.0.2.8; folder is called ‘wincomp’.

MagicControl/Winmgts: version 1.0.2.9; folder is called ‘winmgts’.

Also known as

The Wintrim variant is detected as Persis by F-Secure anti-virus. The Wintrim and Wincomp variants are detected as TROJ_WINTRIM.A by Trend anti-virus.

Distribution

Installed by IEAccess/EGDial and possibly other diallers/loaders from eGroup.

What it does

Advertising

No

Privacy violation

Suspected. The software contacts its controlling servers at secure-firewall.com and nocreditcard.com and passes what seems to be a block of encrypted data, the contents of which are unknown.

Security issues

Yes. May silently download and execute arbitrary code from its controlling servers.
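The two preceding sections describe the only network behaviour the page attributes to MagicControl: an upload of an opaque data block to secure-firewall.com and nocreditcard.com, and a possible download of code from the same servers. A defender who cannot inspect the encrypted payload can still spot both from a web proxy log. The following script is an added example, not part of the original page or of the doxdesk detection script it credits; the log line format (timestamp, client, method, URL, status, bytes sent by the client) and the sample lines are constructed assumptions, so adapt the regular expression to whatever your proxy actually writes.

```python
"""Flag proxy-log traffic to the MagicControl control servers named on the page."""
import re
from urllib.parse import urlsplit

# Controlling servers listed in the Privacy violation section. Subdomains match too.
CONTROL_DOMAINS = ("secure-firewall.com", "nocreditcard.com")

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes_out>\d+)$"
)

# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
2005-09-19T23:58:01Z 10.0.0.12 GET http://www.example.com/index.html 200 0
2005-09-19T23:58:07Z 10.0.0.12 POST http://update.secure-firewall.com/cgi-bin/reg.cgi 200 1460
2005-09-19T23:58:09Z 10.0.0.12 GET http://nocreditcard.com/dl/update.exe 200 0
2005-09-19T23:59:30Z 10.0.0.45 GET http://www.example.org/ 304 0
malformed line that should be skipped
"""


def host_is_control_server(host):
    """True for a control domain or any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CONTROL_DOMAINS)


def classify(method, url):
    """Label a hit by which of the two described behaviours it resembles."""
    path = urlsplit(url).path.lower()
    if method == "POST":
        return "upload-to-control-server"          # the encrypted data block
    if path.endswith((".exe", ".dll", ".cab")):
        return "binary-download-from-control-server"  # "download and execute arbitrary code"
    return "contact-with-control-server"


def scan_proxy_log(text):
    """Return one finding per log line whose URL host is a control server."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted lines are ignored
        host = urlsplit(m["url"]).hostname or ""
        if host_is_control_server(host):
            hits.append({
                "client": m["client"],
                "host": host,
                "kind": classify(m["method"], m["url"]),
                "bytes_out": int(m["bytes_out"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['kind']} ({hit['bytes_out']} bytes out)")
```

Each client flagged here is a machine to check with the removal steps further down; the `bytes_out` figure on a POST gives a rough size for the uploaded block even though its contents cannot be read.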

Stability problems

None known.

Removal

From Add/Remove Programs in the Control Panel, choose ‘mc’ (MC variant), ‘wintrim’ (Wintrim variant) or ‘wincomp’ (Wincomp variant). This uninstaller should work, though it requires internet access.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands. For the MC variant:

cd "%WinDir%\System"
regsvr32 /u "..\mc\MagicControl.dll"

Or, for the Wintrim variant:

cd "%WinDir%\System"
regsvr32 /u "..\wintrim\MagicControl.dll"
regsvr32 /u "..\wintrim\EGPing.dll"

Or, for the Wincomp variant:

cd "%WinDir%\System"
regsvr32 /u "..\wincomp\2_wincomp.dll"
regsvr32 /u "..\wincomp\3_1,0,0,5_wincomp.dll"

Or, for the Winmgts variant:

cd "%WinDir%\System"
regsvr32 /u "..\winmgts\2_1,0,2,9_winmgts.dll"
regsvr32 /u "..\winmgts\3_1,0,0,6_winmgts.dll"

Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘cpntmgc’ entry.

Restart the computer and you should be able to delete the entire ‘mc’, ‘wintrim’ or ‘wincomp’ folder inside the Windows folder, and the ‘msegcompid.dll’ file from the System folder (inside the Windows folder; called ‘System32’ on Windows NT, 2000 and XP).

You can delete the ‘iexplore’ folder in Program Files, too (not ‘Internet Explorer’, which is the real IE program folder). Also check to see if you have IEAccess loaded and/or the eGroup certificate in your IE Trusted Publishers list.
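The manual removal steps above double as a list of host indicators: the ‘cpntmgc’ value under the HKLM Run key, a ‘mc’, ‘wintrim’, ‘wincomp’ or ‘winmgts’ folder under the Windows folder, ‘msegcompid.dll’ in the System folder, and the bogus ‘iexplore’ folder in Program Files. The script below is an added example (not part of this page or of the doxdesk script it credits) that checks a host for those artefacts before anything is unregistered or deleted. The evaluation logic takes the Run values and a path-exists callable as inputs, so it can be exercised off-box on constructed data; the live collector only runs on Windows and uses the standard `winreg` module. The sample Run command is a placeholder, as the page does not state what the ‘cpntmgc’ entry points to.

```python
"""Check a Windows host for the MagicControl artefacts named in the removal steps."""
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "cpntmgc"                                  # value name to delete per the page
VARIANT_FOLDERS = ("mc", "wintrim", "wincomp", "winmgts")
SYSTEM_DLL = "msegcompid.dll"
BOGUS_PF_FOLDER = "iexplore"                          # not "Internet Explorer"


def evaluate(run_values, path_exists,
             windir=r"C:\WINDOWS", system_dir=r"C:\WINDOWS\System32",
             program_files=r"C:\Program Files"):
    """Return (kind, detail) findings.

    run_values: mapping of Run value names to their command strings.
    path_exists: callable(path) -> bool, injected so the logic is testable anywhere.
    """
    findings = []
    for name, cmd in run_values.items():
        if name.lower() == RUN_VALUE:
            findings.append(("run-entry", f"HKLM\\{RUN_KEY}\\{name} = {cmd}"))
    for folder in VARIANT_FOLDERS:
        p = ntpath.join(windir, folder)              # ntpath keeps backslashes on any OS
        if path_exists(p):
            findings.append(("variant-folder", p))
    dll = ntpath.join(system_dir, SYSTEM_DLL)
    if path_exists(dll):
        findings.append(("system-dll", dll))
    bogus = ntpath.join(program_files, BOGUS_PF_FOLDER)
    if path_exists(bogus):
        findings.append(("bogus-iexplore-folder", bogus))
    return findings


def read_run_values():
    """Live collection (Windows only): enumerate HKLM Run values with winreg."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # raised once the index runs past the last value
                break
            values[name] = str(data)
            i += 1
    return values


def check_live_host():
    """Run the check against the machine this script executes on."""
    if sys.platform != "win32":
        raise RuntimeError("live check requires Windows")
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    system_dir = ntpath.join(windir, "System32")   # "System" on Windows 9x, per the page
    program_files = os.environ.get("ProgramFiles", r"C:\Program Files")
    return evaluate(read_run_values(), os.path.exists, windir, system_dir, program_files)


# Constructed picture of a Wintrim-variant infection, used for an off-box demonstration.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": "CTFMON.EXE",
    "cpntmgc": "<command placeholder: not stated on the page>",
}
SAMPLE_PATHS = {
    r"C:\WINDOWS\wintrim",
    r"C:\WINDOWS\System32\msegcompid.dll",
    r"C:\Program Files\iexplore",
}


if __name__ == "__main__":
    results = check_live_host() if sys.platform == "win32" \
        else evaluate(SAMPLE_RUN_VALUES, SAMPLE_PATHS.__contains__)
    for kind, detail in results:
        print(f"{kind}: {detail}")
```

Run it on the affected machine first; a clean result after the reboot in the removal steps confirms that the Run entry, folders and DLL are gone rather than merely unregistered.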

Links

Trend Micro AV page on Wintrim

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!