WinGate and W32.Sobig (was Re: [unisog] Spammers compromising systems)

Brian Reilly reillyb at
Fri Mar 7 19:34:45 GMT 2003

After collecting some useful forensic information from a compromised
machine running a WinGate proxy, I've confirmed that WinGate was installed
as part of the payload of the W32.Sobig worm.  A few of the analyses of
W32.Sobig mentioned that it attempted to download a file, but did not
specifically mention WinGate.

Upon being infected with W32.Sobig, the host will open an Internet
Explorer connection to, which
contains the URL for the trojan program to be installed; the host then
connects to that URL and downloads and executes the referenced file.  
Until at least 2/21/03 13:48 EST, reteral.txt pointed to a WinGate
installer in a user account on

The URL in reteral.txt is currently "" --
which I haven't been able to resolve or uncover accurate WHOIS

So are spammers behind the spread of W32.Sobig and WinGate, or are they
just scavenging the compromised hosts?  I have no idea.  If you'd like to
compare notes on the spread and abuse of these WinGate proxies, drop me a
message offline.


Brian Reilly, CISSP
University Network Security Officer
Georgetown University Information Services
<reillyb at>
+1 202.687.2775

On Thu, 6 Feb 2003, E. Larry Lidz wrote:

> We've seen a couple of machines in the last couple of days which were
> compromised by intruders and which have had a program called WinGate
> installed on it. Part of WinGate appears to be an SMTP agent which the
> intruders use to send spam through the system.
> I don't recall us ever having seen spammers actually break into
> systems before. It doesn't come as a major surprise, but I thought I'd
> mention it as I suspect it to become as common place as intruders
> breaking into machines to set up sites to distribute copyrighted
> materials.
> -Larry
> ---
> E. Larry Lidz                                        Phone: +1 773 702-2208
> Sr. Network Security Officer                         Fax:   +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP:
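As an added example (not from the post or from Brian Reilly), here is a defender-side check for the two-stage fetch described above in web-proxy logs: a client retrieving a pointer file named reteral.txt and then an executable within a short window. The log lines, hostnames and the "timestamp client method url status bytes" field layout are constructed assumptions, not data from the thread.

```python
# Added example: flag clients that fetch the stage-1 pointer file (reteral.txt)
# and then an executable shortly afterwards, as the post describes for W32.Sobig.
# Log format, hostnames and addresses below are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

POINTER_NAME = "reteral.txt"  # stage-1 file named in the post
EXE_RE = re.compile(r"\.(exe|scr|pif|bat|com)(\?|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumed maximum gap between the two fetches

# Assumed log layout: "YYYY-MM-DD HH:MM:SS client method url status bytes"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d+) (?P<bytes>\d+)$"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_two_stage_downloads(lines):
    """Return (client, pointer_url, exe_url) for each pointer-then-exe sequence."""
    pending = defaultdict(list)  # client -> [(timestamp, pointer url), ...]
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["url"].lower().endswith(POINTER_NAME):
            pending[rec["client"]].append((rec["ts"], rec["url"]))
        elif EXE_RE.search(rec["url"]):
            for ts, pointer_url in pending.get(rec["client"], []):
                if timedelta(0) <= rec["ts"] - ts <= WINDOW:
                    hits.append((rec["client"], pointer_url, rec["url"]))
                    break
    return hits

# Constructed sample log: the first client shows the two-stage pattern, the
# second fetches the same installer without first reading the pointer file.
SAMPLE_LOG = """\
2003-02-21 13:40:01 10.1.2.3 GET http://example.invalid/reteral.txt 200 61
2003-02-21 13:40:04 10.1.2.3 GET http://host.invalid/~user/wingate-setup.exe 200 1874421
2003-02-21 13:41:10 10.1.2.9 GET http://www.example.invalid/index.html 200 5120
2003-02-21 14:30:00 10.1.2.9 GET http://host.invalid/~user/wingate-setup.exe 200 1874421
"""

if __name__ == "__main__":
    for client, pointer, exe in find_two_stage_downloads(SAMPLE_LOG.splitlines()):
        print(f"{client}: fetched {pointer} then {exe}")
```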
