WGATray

XpPaul · June 15, 2006, 9:21am

With all the talk about WGATray.exe lately on the web, I search my machine and found the Advantage programs in the WINDOW/SYSTEM32 folder. When I boot my machine I’ve noticed that WGATray is being executed in the Task manager for a few seconds. What I’m surprised at, is that I don’t get any sort of message from the Personal Fire. Does anyone know why?

egemen · June 15, 2006, 9:31am

CPF will not show you any warning unless it detects internet connection request. So if WGATray.exe does not connect to the Internet, you wont see any messages. But there may be a case the that WGATray.exe uses svchost.exe to connect to the Internet(I am not sure). This is similar to the way background intelligent transfer service works. CPF will be updated tomorrow(friday) to detect such behaviors. But current version 2.1.1.1 wont detect this. BITS hijacking was a serious risk which has been fixed as of version 2.2.xxx. So after the update, you may see some alerts.

Hope this helps,

Egemen

XpPaul · June 19, 2006, 7:31am

Thanks for info, I will post my results after I upgrade.

XpPaul · June 23, 2006, 10:11pm

(B) The lastest updates did it. Like you suspected it uses svchost.exe. Even with secure host while booting not check off.

Thanks

m0ng0d · June 24, 2006, 12:06am

what’s the rumor with WGATray.exe ?

nvm… I think i found it [url]http://abcnews.go.com/Technology/wireStory?id=2050935[/url]

So, i gather everyone is denying this “phone home”?

egemen · June 24, 2006, 12:18am

Hi Paul,

This is a good news. This svchost.exe hijacking is much more serious issue than many people may think. I am quite sure that new trojans will use this functionality easily to phone home in the near future. Because you dont even have to apply any special bypassing technique. No memory infections!No DLL injections! No buffer overflows! Windows do ask “Where do you want to go today?”.
So trojans will tell Windows they want to go home as WGATray is doing.

Thank you for the feedback,

Egemen

egemen · June 24, 2006, 12:21am

Simple. It connects to the Internet and no firewall(except CPF, afaik) detects this attempt. For me, the technique used by WGATray.exe is the point what should be taken as seriously. A very affective leak point waiting to be exploited by malware.

V4V · June 24, 2006, 2:53am

Just FYI.
There is a wgatray.exe remover at:

It tells you if wgatray is active or not, and if yes, you can remove it, supposedly.
(I did not install wgatray on my machine, so I don’t know if it will work well or not.)

Melih · June 24, 2006, 7:08am

We are the only Firewall that protects agains this out of box!
nothing else comes even close!

Melih