Backdoor.Ginwui.A (Backdoor.Win32.Ginwui.a, Tr/Spy.Delf.PV.26, Backdoor:Win32/Tagword.B, BDS/Gusi.A, Troj/Oscor-B, Bck/Gusi.A, BKDR_GINWUI.A)
SYMPTOMS: Presence of the following files:
Presence of the following entries in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
TECHNICAL DESCRIPTION: When first executed, the virus copies itself to the %TEMP% folder under the name 20060424.bak and deletes itself from the original folder (the folder it was executed from). It drops the file %SystemRoot%\SYSTEM32\WINGUIS.DLL, 102400 bytes in length; this file is the main backdoor component. It creates the mutex Global\GUI40ServiceStart to prevent multiple copies of itself from running. It registers itself with the Service Control Manager (SCM) as a service under the name Gui30Svr. Its rootkit functionality (hooking EnumServicesStatusA and EnumServicesStatusW) prevents the service from being displayed in Control Panel -> Administrative Tools -> Services. WINGUIS.DLL further creates the registry key
It hooks the APIs used to enumerate processes, services, files and registry keys in order to hide itself. Once started, it waits for commands from its author, who is able to gather system information, start and kill processes, take screenshots (which are saved to the file %System%\Capture.bmp), start a remote command shell, etc. Removal instructions: Please let BitDefender disinfect your files. ANALYZED BY: Dan Lutas, virus researcher
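The hiding technique described above (hooking EnumServicesStatusA/W so the Gui30Svr service is missing from the Services console) can be exposed with a cross-view check: a hooked enumeration API filters its own answer but cannot remove the key the SCM created under HKLM\SYSTEM\CurrentControlSet\Services when the service was registered. The script below is an added example, not part of the BitDefender description; only the service name Gui30Svr comes from the page, the sample views are constructed, and which enumeration clients are actually affected by the hook (sc.exe may call a different API variant than the Services console) is an assumption the registry-side reference does not depend on.

```python
import platform
import re
import subprocess
from typing import Iterable

HIDDEN_SERVICE = "Gui30Svr"  # service name quoted from the description

def hidden_services(registry_view: Iterable[str], scm_view: Iterable[str]) -> set[str]:
    """Service names present in the registry but missing from the SCM API view.

    The hook on EnumServicesStatusA/W filters the API answer; it cannot remove the
    key HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> that the SCM created when
    the service was registered, so the two views disagree (compared case-insensitively)."""
    scm = {s.lower() for s in scm_view}
    return {s for s in registry_view if s.lower() not in scm}

def parse_sc_query(output: str) -> list[str]:
    """Pull SERVICE_NAME values out of `sc query type= all state= all` output."""
    return re.findall(r"^SERVICE_NAME:\s*(\S+)", output, flags=re.MULTILINE)

def registry_service_names() -> list[str]:
    """Windows only: enumerate service keys directly from the registry, skipping
    keys without a Type value (those are not registered services)."""
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    winreg.QueryValueEx(sub, "Type")
                names.append(name)
            except OSError:
                continue
    return names

def scm_service_names() -> list[str]:
    """Windows only: the SCM API view as seen through sc.exe (assumed affected by the hook)."""
    out = subprocess.run(["sc", "query", "type=", "all", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sc_query(out)

# Constructed sample views (not captured from a real host): the registry lists
# Gui30Svr, the hooked enumeration output omits it.
SAMPLE_REGISTRY = ["Dhcp", "Dnscache", "Gui30Svr", "LanmanServer"]
SAMPLE_SCM_OUTPUT = (
    "SERVICE_NAME: Dhcp\n        TYPE : 20  WIN32_SHARE_PROCESS\n\n"
    "SERVICE_NAME: Dnscache\n        TYPE : 20  WIN32_SHARE_PROCESS\n\n"
    "SERVICE_NAME: LanmanServer\n        TYPE : 20  WIN32_SHARE_PROCESS\n"
)

if __name__ == "__main__":
    if platform.system() == "Windows":
        found = hidden_services(registry_service_names(), scm_service_names())
    else:
        found = hidden_services(SAMPLE_REGISTRY, parse_sc_query(SAMPLE_SCM_OUTPUT))
    print("services hidden from the SCM view:", sorted(found) or "none")
```

On a non-Windows host the script runs the check against the constructed sample and reports Gui30Svr; on Windows it compares the live registry and sc.exe views.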