Increased network activity.
Please let BitDefender disinfect your files and install the latest Windows updates.
Octavian-Mihai Minea, Virus Researcher
The malware detected as Win32.Worm.Gimmiv.A drops the following files in %system32%\wbem\: basesvc.dll, winbase.dll, syicon.dll.
file is then registered as a service and, once started, loads basesvc.dll and syicon.dll into memory.
After loading these DLLs, the worm starts collecting information from the infected system, such as the user name and password, the locally installed antivirus products, and the usernames and passwords stored by Outlook Express and MSN Messenger.
Basesvc.dll then exploits MS08-067, a vulnerability in the Windows Server service, and through various RPC requests attempts to replicate the worm onto other machines on the network.
It uses the srvsvc pipe as an RPC interface, registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, for remote code execution in order to propagate to and execute on every vulnerable system.
The most affected systems are those running Windows 2000, Windows XP, and Windows Server 2003 with the firewall disabled or with a firewall exception for File and Printer Sharing.
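One way a network monitor can spot this propagation pattern, as an added example that is not BitDefender's code: parse DCE/RPC bind PDUs seen on the srvsvc pipe, keep only those that bind the srvsvc interface UUID named above, and flag any source that binds it on many distinct hosts in a short window. The fan-out threshold, the helper that builds sample bind PDUs and the sample traffic are all assumptions constructed for the example.

```python
import struct
import uuid
from collections import defaultdict

# Interface UUID of the srvsvc RPC service, as given in the write-up.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax


def build_bind_pdu(iface: uuid.UUID, major: int = 3) -> bytes:
    """Construct a minimal connection-oriented DCE/RPC bind PDU with one context
    (used here only to fabricate sample traffic for the detector below)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                      # context id, 1 transfer syntax, pad
    ctx += iface.bytes_le + struct.pack("<HH", major, 0)     # abstract syntax: UUID + major/minor
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)        # transfer syntax: NDR v2
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx  # frag sizes, assoc group, 1 context
    # version 5.0, ptype 11 (bind), flags first|last, little-endian drep, frag len, auth len, call id
    hdr = struct.pack("<BBBBIHHI", 5, 0, 11, 3, 0x10, 16 + len(body), 0, 1)
    return hdr + body


def bind_interface(pdu: bytes):
    """Return (interface UUID, major version) of the first context in a bind PDU,
    or None when the PDU is not a well-formed bind."""
    if len(pdu) < 52:
        return None
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if ver != 5 or ptype != 11 or pdu[24] < 1:   # pdu[24] is the context count
        return None
    iface = uuid.UUID(bytes_le=pdu[32:48])       # abstract syntax UUID of context 0
    (major,) = struct.unpack_from("<H", pdu, 48)
    return iface, major


def suspicious_sources(bind_records, threshold: int = 5):
    """bind_records: iterable of (src_ip, dst_ip, pdu) observed on \\pipe\\srvsvc.
    Return sources that bound the srvsvc interface on at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for src, dst, pdu in bind_records:
        parsed = bind_interface(pdu)
        if parsed and parsed[0] == SRVSVC_UUID:
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)


# Constructed sample traffic (not captured data): 10.0.0.5 sweeps twelve hosts,
# 10.0.0.9 behaves like an ordinary client and also binds an unrelated interface.
SAMPLE = [("10.0.0.5", f"10.0.0.{i}", build_bind_pdu(SRVSVC_UUID)) for i in range(20, 32)]
SAMPLE.append(("10.0.0.9", "10.0.0.2", build_bind_pdu(SRVSVC_UUID)))
SAMPLE.append(("10.0.0.9", "10.0.0.3", build_bind_pdu(uuid.UUID("12345678-1234-abcd-ef00-0123456789ab"))))
```

A single bind to srvsvc is routine for any file-sharing client, so the signal is the fan-out from one source, not the bind itself; tune the threshold and window to the environment.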