Win32/Spy.Gimmiv [Threat Name]

Win32/Spy.Gimmiv.A [Threat Variant Name]

Category trojan
Size 397312 B
Detection created Oct 24, 2008
Detection database version 3553
Aliases Trojan-Spy.Win32.Gimmiv.a (Kaspersky)
  Trojan.Gimmiv.A (Symantec)
  Spy-Agent.da (McAfee)
Short description

Win32/Spy.Gimmiv.A is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. It connects to remote machines and tries to exploit the Microsoft Windows Server Service Remote Code Execution Vulnerability.

Installation

When executed, the trojan drops the following file into the %system%\wbem folder:

  • sysmgr.dll (336384 B)

The following file is dropped into the %temp% folder:

  • %variable%.bat

A string with variable content is used instead of %variable%.

The trojan registers itself as a system service using the following name:

  • System Maintenance Service

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters]
    • "ServiceDll" = "%system%\wbem\sysmgr.dll"
    • "ServiceMain" = "ServiceMainFunc"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "sysmgr" = "sysmgr"

Information stealing

Win32/Spy.Gimmiv.A is a trojan that steals sensitive information.

The following information is collected:

  • user name
  • computer name
  • network adapter information
  • Outlook Express account data
  • Windows Protected Storage passwords and credentials
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID] Registry subkeys
  • installed Microsoft Windows patches
  • operating system version
  • antivirus software detected on the affected machine

The trojan can send the information to a remote machine.

The trojan contains a list of (1) URLs.

The HTTP protocol is used.

It tries to download a file from the address.

The file is run-time compressed using CAB (Microsoft Cabinet).


The file is stored into the following folder:

  • %system%

The following filename is used:

  • inetproc02x.cab

The archive contains the following files:

  • basesvc.dll
  • syicon.dll
  • winbase.dll
  • install.bat
  • winbaseinst.exe

The trojan copies the files into the following folder:

  • %system%\wbem\

The trojan runs the following processes:

  • %system%\wbem\install.bat

The trojan registers itself as a system service using the following name:

  • Windows NT Baseline

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BaseSvc\Parameters]
    • "ServiceDll" = "%system%\wbem\winbase.dll"
    • "ServiceMain" = "ServiceMainFunc"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "BaseSvc" = "BaseSvc"
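
As an added example (not part of ESET's description), the following Python function checks an offline registry snapshot for the svchost persistence pattern recorded under Installation and above: one svchost group per service, named after the service, with ServiceDll under %system%\wbem and ServiceMain set to ServiceMainFunc. The dictionary layout, the handling of the unexpanded %system% token and the sample snapshot are assumptions of the example; on a live host the same structure could be populated with the winreg module.

```python
from typing import Dict, List, Tuple

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

# Service name -> ServiceDll file name, both taken from the description above.
GIMMIV_SERVICES = {"sysmgr": "sysmgr.dll", "BaseSvc": "winbase.dll"}


def check_svchost_groups(registry: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (group, verdict) for each svchost group matching the persistence pattern.

    registry maps a key path to its values; ServiceDll may still contain %system%
    because only the tail of the path is compared.
    """
    findings = []
    for group, services in registry.get(SVCHOST_KEY, {}).items():
        # The trojan creates one svchost group per service and names it after the service.
        if services.strip().lower() != group.lower():
            continue
        params = registry.get(f"{SERVICES_KEY}\\{group}\\Parameters", {})
        dll = params.get("ServiceDll", "").lower()
        entry = params.get("ServiceMain", "")
        known = GIMMIV_SERVICES.get(group)
        if known and dll.endswith("\\wbem\\" + known) and entry == "ServiceMainFunc":
            findings.append((group, "matches Win32/Spy.Gimmiv.A indicators"))
        elif "\\wbem\\" in dll and entry == "ServiceMainFunc":
            # Legitimate WMI components also live in wbem, so this is only a lead.
            findings.append((group, "single-service svchost group hosted from wbem"))
    return findings


# Constructed registry snapshot for demonstration; not taken from a real host.
SAMPLE_REGISTRY = {
    SVCHOST_KEY: {
        "netsvcs": "Winmgmt Schedule BITS",  # ordinary multi-service group, skipped
        "sysmgr": "sysmgr",                  # entries as described above
        "BaseSvc": "BaseSvc",
    },
    f"{SERVICES_KEY}\\sysmgr\\Parameters": {
        "ServiceDll": r"%system%\wbem\sysmgr.dll", "ServiceMain": "ServiceMainFunc"},
    f"{SERVICES_KEY}\\BaseSvc\\Parameters": {
        "ServiceDll": r"%system%\wbem\winbase.dll", "ServiceMain": "ServiceMainFunc"},
}

if __name__ == "__main__":
    for group, verdict in check_svchost_groups(SAMPLE_REGISTRY):
        print(f"{group}: {verdict}")
```
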
Spreading

The trojan generates various IP addresses.

It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Microsoft Windows Server Service vulnerability.

This vulnerability is described in Microsoft Security Bulletin MS08-067.

If successful, the remote computer may attempt to download a copy of the trojan from the Internet.

Other information

The trojan may create copies of the following files (source, destination):

  • %system%\cmd.exe, %temp%\cmd.exe
