
Backdoor.Ginwui.A

VERY LOW
MEDIUM
142848
Also known as: Backdoor.Win32.Ginwui.a, Tr/Spy.Delf.PV.26, Backdoor:Win32/Tagword.B, BDS/Gusi.A, Troj/Oscor-B, Bck/Gusi.A, BKDR_GINWUI.A

Symptoms

Presence of the following files:
  • %SystemRoot%\SYSTEM32\WINGUIS.DLL - 102400 bytes
  • %SystemRoot%\SYSTEM32\drivers\DetPort.sys - 0 bytes
  • %SystemRoot%\SYSTEM32\drivers\RvdPort.sys - 0 bytes
  • %SystemRoot%\SYSTEM32\drivers\IsPubDrv.sys - 0 bytes

Presence of the following entries in registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
  • AppInit_DLLs = %System%\Winguis.dll

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Lutas, virus researcher

Technical Description:

When first executed, the virus copies itself to the %TEMP% folder under the name 20060424.bak and deletes itself from the folder it was originally executed from.

It drops the file %SystemRoot%\SYSTEM32\WINGUIS.DLL, 102400 bytes in length. This file is the main backdoor component.

It creates the mutex Global\GUI40ServiceStart to prevent multiple copies of itself from running.

It registers itself with the Service Control Manager (SCM) as a service named Gui30Svr. Its rootkit functionality (hooking EnumServicesStatusA and EnumServicesStatusW) prevents the service from being displayed in Control Panel -> Administrative Tools -> Services.

WINGUIS.DLL further creates the registry value
  • AppInit_DLLs = %System%\Winguis.dll
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, forcing WINGUIS.DLL to be loaded into the address space of each newly created process that loads user32.dll.

It hooks APIs related to process, service, file and registry key enumeration in order to hide itself.

Once started, it waits for commands from its author, who is able to gather system information, start and kill processes, take screenshots (which are saved to the file %System%\Capture.bmp), start a remote command shell, etc.
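The symptoms above can be turned into a defender-side check. The following is an added example, not Bitdefender's own tooling: it evaluates the file, AppInit_DLLs and mutex indicators against a host snapshot and, because the backdoor hooks EnumServicesStatus to hide Gui30Svr, compares the SCM's view of services with the raw Services registry hive (a cross-view diff, which generalises to any hidden service). The snapshot structure, the expansion of %SystemRoot% to C:\WINDOWS and the sample data are constructed assumptions; on a real host the three lists would come from a file walk, a raw hive read and an SCM enumeration.

```python
# Indicators taken from the description above (paths with %SystemRoot% expanded).
DROPPED_FILES = {
    r"C:\WINDOWS\SYSTEM32\WINGUIS.DLL": 102400,
    r"C:\WINDOWS\SYSTEM32\drivers\DetPort.sys": 0,
    r"C:\WINDOWS\SYSTEM32\drivers\RvdPort.sys": 0,
    r"C:\WINDOWS\SYSTEM32\drivers\IsPubDrv.sys": 0,
}
SERVICE_NAME = "Gui30Svr"
MUTEX_NAME = r"Global\GUI40ServiceStart"

def appinit_dlls_hit(appinit_value: str) -> bool:
    """AppInit_DLLs is a space- or comma-separated list; match case-insensitively."""
    entries = [e.strip().lower() for e in appinit_value.replace(",", " ").split()]
    return any(e.endswith("winguis.dll") for e in entries)

def file_hits(files: dict) -> list:
    """Return the dropped paths that are present with the documented size."""
    lower = {p.lower(): size for p, size in files.items()}
    return [p for p, size in DROPPED_FILES.items() if lower.get(p.lower()) == size]

def hidden_services(registry_services, scm_services) -> set:
    """Cross-view diff: names in the raw Services hive that the SCM enumeration
    does not report, which is exactly what an EnumServicesStatus hook produces."""
    return {s.lower() for s in registry_services} - {s.lower() for s in scm_services}

def assess(snapshot: dict) -> dict:
    """Evaluate every indicator and flag whether the Ginwui service is being hidden."""
    hidden = hidden_services(snapshot["registry_services"], snapshot["scm_services"])
    return {
        "appinit_dlls": appinit_dlls_hit(snapshot.get("appinit_dlls", "")),
        "files": file_hits(snapshot["files"]),
        "hidden_services": sorted(hidden),
        "ginwui_service_hidden": SERVICE_NAME.lower() in hidden,
        "mutex": MUTEX_NAME.lower() in {m.lower() for m in snapshot["mutexes"]},
    }

# Constructed snapshot of an infected host (sample data, not real telemetry).
SAMPLE = {
    "appinit_dlls": r"C:\WINDOWS\system32\Winguis.dll",
    "files": {r"C:\WINDOWS\SYSTEM32\WINGUIS.DLL": 102400,
              r"C:\WINDOWS\SYSTEM32\drivers\DetPort.sys": 0},
    "registry_services": ["Dhcp", "Gui30Svr", "Spooler"],  # raw hive view
    "scm_services": ["Dhcp", "Spooler"],                    # hooked API view
    "mutexes": [r"Global\GUI40ServiceStart"],
}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Because WINGUIS.DLL is injected into every process via AppInit_DLLs, the SCM-side list must be gathered from a process the hook does not reach (for example an offline or boot-media scan); the registry-side list should be read directly from the hive rather than through enumeration APIs the backdoor also hooks.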