Win32.Worm.Gimmiv.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Gimmiv.A is also known as TSPY_GIMMIV.A, Troj/Gimmiv-A, W32/NetAPI32.RPC!exploit.M20084250, Trojan-Spy:W32/Gimmiv.A.

Explanation :

Once executed, the malware drops a DLL named sysmgr.dll into %SystemDirectory%\wbem. It also drops a temporary .bat file and runs it in order to delete the original dropper executable.

Sysmgr.dll is registered as a svchost-hosted service; to make sure the DLL is loaded at every system start-up, the following registry keys and values are created:
HKLM\System\CurrentControlSet\Services\sysmgr
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceDll = "%System%\wbem\sysmgr.dll"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceMain = "ServiceMainFunc"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\DisplayName = "System Maintenance Service"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\ImagePath = "%SystemRoot%\System32\svchost.exe -k sysmgr"
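The persistence above is a standard svchost-hosted service: ImagePath points at svchost.exe with a service group name, and Parameters\ServiceDll names the DLL that svchost loads into its own process, so the malicious code never shows up as a separate process. The following Python script is an added example (it is not BitDefender's code and is not part of the original entry) showing how a responder can check for this offline: it parses a .reg export of the Services key, lists every svchost-hosted service with its DLL and entry point, and flags the sysmgr indicators listed above. The sample export embedded in it is constructed for the example, and the ExampleSvc service in it is invented.

```python
"""Scan a Windows .reg export for svchost-hosted service DLLs and flag the Gimmiv.A
persistence indicators from the write-up. Added example, not BitDefender code."""
import re

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def _hex2(s, width=20):
    """Encode a string as reg.exe exports REG_EXPAND_SZ: 'hex(2):' + UTF-16LE bytes
    (NUL-terminated), wrapped onto backslash-continued lines."""
    bs = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(bs[i:i + width]) for i in range(0, len(bs), width))

SYSMGR_IMAGE = "%SystemRoot%\\System32\\svchost.exe -k sysmgr"

# Constructed sample export (not a dump of a real system): one invented, ordinary
# svchost-hosted service plus the sysmgr service described in the write-up.
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"DisplayName"="Example Hosted Service"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\examplesvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr]
"DisplayName"="System Maintenance Service"
"ImagePath"={_hex2(SYSMGR_IMAGE)}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\wbem\\sysmgr.dll"
"ServiceMain"="ServiceMainFunc"
'''

def _decode(data):
    """Decode one value: a quoted string, dword:<hex>, or hex(2):<UTF-16LE byte list>."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00") if m.group(1) == "2" else raw
    return data

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if not line or line.startswith(("Windows Registry", ";")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        while data.endswith("\\") and i < len(lines):  # hex data continued on the next line
            data, i = data[:-1] + lines[i].strip(), i + 1
        keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode(data)
    return keys

def svchost_services(reg):
    """One record per service whose ImagePath runs under svchost.exe -k <group>."""
    found = []
    for key, vals in reg.items():
        name = key[len(SERVICES_PREFIX):]
        m = SVCHOST_RE.search(str(vals.get("ImagePath", "")))
        if not key.upper().startswith(SERVICES_PREFIX.upper()) or "\\" in name or not m:
            continue  # not a service key, a subkey such as Parameters, or not svchost-hosted
        params = reg.get(key + "\\Parameters", {})
        found.append({"name": name, "group": m.group(1), "display": str(vals.get("DisplayName", "")),
                      "dll": str(params.get("ServiceDll", "")),
                      "entry": str(params.get("ServiceMain", "ServiceMain"))})  # svchost's default export
    return found

def gimmiv_indicators(svc):
    """Indicators taken from the write-up; a single hit is enough to triage the host."""
    hits = []
    if "sysmgr" in (svc["name"].lower(), svc["group"].lower()):
        hits.append("service/svchost group named sysmgr")
    if svc["dll"].lower().endswith("\\wbem\\sysmgr.dll"):
        hits.append("ServiceDll is wbem\\sysmgr.dll")
    if svc["entry"] == "ServiceMainFunc":
        hits.append("ServiceMain export ServiceMainFunc")
    if svc["display"] == "System Maintenance Service":
        hits.append("DisplayName 'System Maintenance Service'")
    return hits

def scan(text):
    """[(service name, [indicators])] for every svchost-hosted service in the export."""
    return [(s["name"], gimmiv_indicators(s)) for s in svchost_services(parse_reg(text))]

if __name__ == "__main__":
    for svc in svchost_services(parse_reg(SAMPLE_REG)):
        flag = "SUSPECT" if gimmiv_indicators(svc) else "ok"
        print(f"{flag:7} {svc['name']:<12} -k {svc['group']:<10} {svc['dll']}  [{svc['entry']}]")
```

On a live host, produce the input with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (reg.exe writes the file as UTF-16, so open it with encoding "utf-16") and pass the text to scan(). Version 5.00 .reg files store REG_EXPAND_SZ values such as ImagePath as hex(2): UTF-16LE byte lists wrapped across backslash-continued lines, which is why the parser handles that form. Because the wbem directory also holds legitimate service DLLs (the WMI service's own DLL lives there), location alone is not an indicator; the service name, svchost group, export name and display name are matched together.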

The service then checks whether any of the following registry keys, created by security products, exist:
HKLM\SOFTWARE\BitDefender
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Kingsoft
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\Microsoft\OneCare Protection
HKLM\SOFTWARE\TrendMicro

Sysmgr.dll attempts to update itself by contacting the IP address 59.106.145.** (last octet masked in the source).
It also checks whether the following IP addresses are reachable, using the IcmpSendEcho API (an ICMP echo request, i.e. a ping):
212.227.93.**
64.233.189.**
202.108.22.**

It then collects information from the system, including:
- the user's username and password;
- the programs installed on the system;
- usernames and passwords stored by Outlook Express and MSN Messenger.
The collected information is sent to a remote IP address.

Last update 21 November 2011
