Win32.Worm.Gimmiv.B

MEDIUM
MEDIUM
<300 KB

Symptoms

Increased network activity.
Computer slowdown.

Removal instructions:

Please let BitDefender disinfect your files and install the latest Windows updates.

Analyzed By

Octavian-Mihai Minea, Virus Researcher

Technical Description:

The malware detected as Win32.Worm.Gimmiv.A drops the following files in %system32%\wbem\: basesvc.dll, winbase.dll and syicon.dll.

The winbase.dll file is then registered as a service; once the service is started, it loads basesvc.dll and syicon.dll into memory.
After loading these DLLs, the worm collects information from the infected system, such as the user name and password, the locally installed antivirus products, and usernames and passwords from Outlook Express and MSN Messenger.

Basesvc.dll then uses the MS08-067 exploit, which targets a vulnerability in the Windows Server service, and through various RPC requests attempts to copy the worm onto other machines on the network.

It uses the srvsvc pipe as the RPC interface, registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, to obtain remote code execution so that it can propagate to and execute on every vulnerable system.

The most affected systems are those running Windows 2000, Windows XP and Windows Server 2003 with the firewall disabled or with firewall exceptions for File and Printer Sharing.
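The description above identifies the worm's propagation channel only by the RPC interface it binds (srvsvc, UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188). The following Python is an added example, not Bitdefender's code: it parses the interface UUIDs out of a DCERPC v5 bind PDU and flags srvsvc binds that arrive from hosts outside an allow-list, which is the kind of check a network sensor would run against SMB traffic on port 445. The `build_bind` helper, the sample flows, the IP addresses and the allow-list are all constructed here for the demonstration; the lsarpc UUID in the second sample is a real interface used only as a non-matching case.

```python
import struct
import uuid

# srvsvc interface UUID, as quoted in the description above
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
# Well-known NDR transfer syntax used by every DCERPC bind
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11


def build_bind(abstract_uuid, abstract_ver=3, call_id=1):
    """Construct a minimal little-endian DCERPC v5 bind PDU with one
    presentation context. Used only to produce constructed sample traffic."""
    ctx = struct.pack("<HBB", 0, 1, 0)                    # context id, 1 transfer syntax, pad
    ctx += abstract_uuid.bytes_le + struct.pack("<I", abstract_ver)
    ctx += NDR_UUID.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0)             # max xmit, max recv, assoc group
    body += struct.pack("<B3x", 1)                        # number of context items + padding
    body += ctx
    header = struct.pack("<BBBB", 5, 0, PTYPE_BIND, 0x03)  # version 5.0, bind, first+last frag
    header += b"\x10\x00\x00\x00"                         # data rep: little-endian, ASCII, IEEE
    header += struct.pack("<HHI", 16 + len(body), 0, call_id)
    return header + body


def parse_bind_interfaces(pdu):
    """Return [(interface_uuid, version), ...] requested by a bind PDU.
    Raises ValueError for anything that is not a well-formed little-endian bind."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCERPC v5 bind")
    if pdu[4] >> 4 != 1:
        raise ValueError("only little-endian data representation is handled")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("fragment length exceeds captured bytes")
    n_ctx = pdu[24]
    offset = 28
    interfaces = []
    for _ in range(n_ctx):
        if offset + 44 > frag_len:
            raise ValueError("context item runs past fragment")
        _ctx_id, n_ts, _pad = struct.unpack_from("<HBB", pdu, offset)
        iface = uuid.UUID(bytes_le=pdu[offset + 4:offset + 20])
        iface_ver = struct.unpack_from("<I", pdu, offset + 20)[0]
        interfaces.append((iface, iface_ver))
        offset += 24 + 20 * n_ts                          # skip the transfer syntax list
    return interfaces


def flag_srvsvc_binds(flows, trusted_hosts):
    """flows: iterable of (src_ip, dst_ip, dst_port, bind_pdu_bytes).
    Returns (src, dst, port) for each srvsvc bind from a host not in trusted_hosts."""
    hits = []
    for src, dst, port, pdu in flows:
        try:
            ifaces = parse_bind_interfaces(pdu)
        except ValueError:
            continue                                      # malformed or non-bind traffic
        if src not in trusted_hosts and any(i == SRVSVC_UUID for i, _ in ifaces):
            hits.append((src, dst, port))
    return hits


# Constructed sample flows (hypothetical addresses; not from the analysis above)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, build_bind(SRVSVC_UUID)),      # unknown workstation -> srvsvc
    ("10.0.0.9", "10.0.0.20", 445,
     build_bind(uuid.UUID("12345778-1234-abcd-ef00-0123456789ab"))),  # lsarpc, not srvsvc
    ("10.0.0.1", "10.0.0.20", 445, build_bind(SRVSVC_UUID)),      # allow-listed admin host
]
TRUSTED_HOSTS = {"10.0.0.1"}

if __name__ == "__main__":
    for hit in flag_srvsvc_binds(SAMPLE_FLOWS, TRUSTED_HOSTS):
        print("srvsvc bind from untrusted host:", hit)
```

A srvsvc bind is normal on any file server, so the interface UUID alone is not an indicator; the allow-list is what turns it into a signal, and in practice it would be paired with rate (one host binding srvsvc on many peers in quick succession, which matches the "increased network activity" symptom listed above).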