Threat Description

Trojan-Spy:​W32/Gimmiv.A

Details

Aliases:Trojan-Spy.Win32.Gimmiv.A
Category:Malware
Type:Trojan-Spy
Platform:W32

Summary



This type of trojan secretly installs spy programs and/or keylogger programs.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



This trojan-spy takes advantage of a critical vulnerability to harvest sensitive, personal information from an infected machine. The information is then forwarded to a remote server for further, malicious use.

Installation

This trojan is reportedly installed on a Windows system by exploiting a critical vulnerability in the server service, which involves improper handling of specially crafted remote procedure call (RPC) requests. Successfully exploiting this vulnerability may provide an attacker complete control of an infected system. Further details of the vulnerability are available in the Microsoft Security Bulletin MS08-067.

Execution

On execution, the trojan-spy drops a DLL component, which is also detected as Trojan-Spy:W32/Gimmiv.A, as:

  • [System Folder]\wbem\sysmgr.dll

The DLL is injected into svchost.exe. The main executable file will then delete itself.As part of its routine for connecting to a remote server, the trojan will take into account both the operating system version and the presence of any security applications in the system. The trojan checks for the following antivirus programs:

  • BitDefender
  • avp.exe
  • Jiangmin
  • KasperskyLab
  • Kingsoft
  • Symantec
  • OneCare Protection
  • Rising
  • TrendMicro
  • dwm.exe

The trojan then attempts to connect to:

  • http://59.106.145.58/[...].php?abc=1?def=2

The two parameters 'abc=' and 'def=' are determined by the antivirus program and the operating system version, respectively. For example, if avp.exe is installed on an infected machine that runs Windows XP, then abc=1 and def=2. The trojan then harvests the following information from the infected machine:

  • MSN Credentials
  • Outlook Express Credentials
  • Protected Storage Information
  • Username
  • ComputerName
  • Patches Installed
  • Browser Information
  • Username (web browsing)
  • Password
  • URL

The harvested information is encrypted using Advanced Encryption Standard (AES) and is sent to the remote server.

Registry Modifications

The DLL component is registered as a service by adding registry entries.

Registry Modifications

Creates these keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr DisplayName = System Maintenance Service ErrorControl = 0 ImagePath = [System Folder]\svchost.exe -k sysmgr ObjectName = LocalSystem Start = 0x00000002(2) type = 0x00000110(272)





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More