| Name | Win32.Gimmiv.a |
| Threat Level |  |
| Alias | Win32.Gimmiv.a |
| Date | 26 October, 2008 |
| Type | Win32, Trojan |
| Damage | Theft of information, Other |
| Platform | Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP |
Analysis
Win32.Gimmiv.A is a Trojan that steals information from the infected computer and sends the gathered data to a predefined remote server. It exploits a 0-day Microsoft vulnerability, MS08-067.
Once executed, Win32.Gimmiv.A drops the file SystemFolder\wbem\sysmgr.dll and injects it into svchost.exe.
It also creates the following registry entries, which install it as a service so that it is executed automatically at every Windows startup:
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceDll = "System\wbem\sysmgr.dll"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceMain = "ServiceMainFunc"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\DisplayName = "System Maintenance Service"
HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\ImagePath = "SystemRoot\System32\svchost.exe -k sysmgr"
This Trojan may delete itself after performing its data gathering routine.
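The service entries above are what an investigator would look for on a suspect machine. The following is an added example (not eSafe's code) that parses a constructed excerpt in Windows `.reg` export format, such as the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`, and flags svchost-hosted services matching the indicators listed above; the sample data and the environment-variable paths in it are assumptions, not values from the analysis.

```python
import re

# Constructed `reg export HKLM\SYSTEM\CurrentControlSet\Services` excerpt (not real data):
# a benign svchost-hosted service plus one showing the persistence entries described above.
SAMPLE_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr]
"DisplayName"="System Maintenance Service"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k sysmgr"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\wbem\\sysmgr.dll"
"ServiceMain"="ServiceMainFunc"
"""
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

def parse_reg_export(text):
    """Map service name -> registry values, merging the Parameters subkey into its service."""
    services, current = {}, None
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            current = None
            if key.group(1).upper().startswith(SERVICES_PREFIX.upper()):
                parts = key.group(1)[len(SERVICES_PREFIX):].split("\\")
                if len(parts) == 1 or (len(parts) == 2 and parts[1].lower() == "parameters"):
                    current = services.setdefault(parts[0], {})
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if val and current is not None:
            current[val.group(1)] = val.group(2).replace("\\\\", "\\")  # un-escape .reg backslashes
    return services

def find_gimmiv_persistence(services):
    """Return (service, reasons) for svchost-hosted services matching the indicators above."""
    findings = []
    for name, vals in services.items():
        image = vals.get("ImagePath", "").lower()
        if "svchost.exe" not in image:
            continue  # the described persistence always runs through svchost.exe -k <group>
        dll = vals.get("ServiceDll", "").rsplit("\\", 1)[-1].lower()
        checks = [(name.lower() == "sysmgr" or "-k sysmgr" in image, "service/svchost group 'sysmgr'"),
                  (dll == "sysmgr.dll", "ServiceDll is sysmgr.dll"),
                  (vals.get("ServiceMain") == "ServiceMainFunc", "ServiceMain is ServiceMainFunc"),
                  (vals.get("DisplayName") == "System Maintenance Service", "DisplayName 'System Maintenance Service'")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings.append((name, reasons))
    return findings
```

Running `find_gimmiv_persistence(parse_reg_export(SAMPLE_REG_EXPORT))` on the sample returns only the `sysmgr` service, with all four indicators listed as reasons.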
eSafe users are protected against this threat using the latest security update.
eSafe Users: A new security update is available. Update version: EV140-SV730. Update date: October 26, 2008.
eSafe Users: Your product will be updated automatically. You can also use the "Update now" option from within the product's eConsole.
New Users: More information about eSafe Content Security Products, as well as trial versions, is available from here.