Class Trojan-Dropper
Platform Win32

Technical Details

Checkin is a “downloader” trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++.

The trojan file sizes are of the following approximate sizes:

“Checkin.a”: 50Kb
“Checkin.b”: 45Kb

The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:


  SysReg = %SystemDir%SysReg


  OWMngr = %SystemDir%OWMngr.exe

It seems that the trojan program should be completed by an “installator” that performs all steps for installing the trojan program into the system.

The trojan program also creates more registry keys:

 HKCUSoftwareIExplore   Ads

It uses these keys for its ‘internal’ needs.

Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file.

The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:


At these locations the trojan uses the “” file.

Find out the statistics of the threats spreading in your region