Win32.Worm.Gimmiv.A (TSPY_GIMMIV.A, Troj/Gimmiv-A, W32/NetAPI32.RPC!exploit.M20084250, Trojan-Spy:W32/Gimmiv.A)
SYMPTOMS: Increased network activity. Computer slowdown.

TECHNICAL DESCRIPTION: Once executed, the malware drops a DLL file called sysmgr.dll into %systemDirectory%\wbem\. It also drops a temporary .bat file and executes it in order to delete the dropper.

Sysmgr.dll is registered as a service, and to ensure that the DLL is loaded at every system start-up the following registry keys are created:
HKLM\System\CurrentControlSet\Services\sysmgr
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceDll = "%System%\wbem\sysmgr.dll"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceMain = "ServiceMainFunc"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\DisplayName = "System Maintenance Service"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\ImagePath = "%SystemRoot%\System32\svchost.exe -k sysmgr"

The service checks whether the following registry entries exist:
HKLM\SOFTWARE\BitDefender
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Kingsoft
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\Microsoft\OneCare Protection
HKLM\SOFTWARE\TrendMicro

Sysmgr.dll tries to update itself by accessing the following IP: 59.106.145.**
It also checks the availability of the following IPs using the IcmpSendEcho API:
212.227.93.**
64.233.189.**
202.108.22.**

Then it collects different pieces of information from the system, such as:
- the user's username and password;
- the programs installed on the system;
- usernames and passwords from Outlook Express and MSN Messenger.
These pieces of information are sent to an IP address.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Marius Barat, virus researcher
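A defender-side check for the service persistence described above, added here as an example and not part of the original entry: it parses a constructed "reg export" of the Services hive (sample data, not a real capture; the Dnscache entry is a benign svchost-hosted stand-in) and flags any svchost-hosted service whose ServiceDll, ServiceMain or DisplayName matches the values the worm writes.

```python
import re

# Constructed sample of a "reg export" of the Services hive (not a real capture):
# a benign svchost-hosted service next to the keys Gimmiv creates.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr]
"DisplayName"="System Maintenance Service"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k sysmgr"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters]
"ServiceDll"="%System%\\wbem\\sysmgr.dll"
"ServiceMain"="ServiceMainFunc"
'''
# A service key or its Parameters subkey; other subkeys (Security, Enum) are skipped.
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\'
                    r'([^\\\]]+)(?:\\Parameters)?\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_services(reg_text):
    """Merge each service key and its Parameters subkey into one {value: data} dict."""
    services, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
            continue
        v = VAL_RE.match(line)
        if current and v:
            # .reg exports escape backslashes as "\\"; undo that
            services.setdefault(current, {})[v.group(1)] = v.group(2).replace('\\\\', '\\')
    return services

def gimmiv_persistence_hits(services):
    """Return {service: [matched indicators]} for svchost-hosted services set up like Gimmiv's."""
    hits = {}
    for name, vals in services.items():
        if 'svchost.exe' not in vals.get('ImagePath', '').lower():
            continue  # only svchost-hosted services load a ServiceDll
        checks = [(vals.get('ServiceDll', '').lower().endswith('\\wbem\\sysmgr.dll'), 'ServiceDll'),
                  (vals.get('ServiceMain') == 'ServiceMainFunc', 'ServiceMain'),
                  (vals.get('DisplayName') == 'System Maintenance Service', 'DisplayName')]
        reasons = [what for ok, what in checks if ok]
        if reasons:
            hits[name] = reasons
    return hits
```

On a live machine the same functions can be fed the output of "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg"; a hit on all three indicators is the registry footprint this entry describes.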