Virus: BDS/Ginwui.A.4
Date discovered: 22/05/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 73.245 Bytes
MD5 checksum: 6d69ab10c2e8194465ab25cbfb96dae6
VDF version: 6.34.01.120

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: Backdoor.Ginwui.B
   • McAfee: BackDoor-CKB
   • Kaspersky: Backdoor.Win32.Ginwui.a
   • TrendMicro: BKDR_GINWUI.B
   • Bitdefender: Backdoor.Ginwui.B


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP


Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %TEMPDIR%\20060426.bak



It deletes the initially executed copy of itself.



The following files are created:
   • %SYSDIR%\zsydll.dll – further investigation showed that this file is also malware. Detected as: BDS/Ginwui.A.DLL
   • %SYSDIR%\zsyhide.dll – further investigation showed that this file is also malware. Detected as: BDS/Ginwui.A

Registry
The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll]
   • DllName = %SYSDIR%\zsydll.dll
   • Shutdown = DoShutdown
   • Startup = DoStartup
   • Asynchronous = 1
   • Impersonate = 0



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • AppInit_DLLs = %SYSDIR%\zsyhide.dll
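As an added illustration (not part of this description), the following Python check parses a text registry export and lists the two persistence points named above, Winlogon Notify packages and AppInit_DLLs entries, flagging any that carry the zsydll.dll or zsyhide.dll names. The export embedded in the code is constructed sample data with values simplified to plain strings; the crypt32chain entry is included only as a benign contrast.

```python
import re
# Indicators named in the description above.
GINWUI_NOTIFY_DLL = "zsydll.dll"    # registered under Winlogon\Notify\zsydll
GINWUI_APPINIT_DLL = "zsyhide.dll"  # registered in AppInit_DLLs
NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\").lower()
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows".lower()

# Constructed sample export (values simplified to strings); crypt32chain is a benign contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll]
"DllName"="C:\\WINDOWS\\system32\\zsydll.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\zsyhide.dll"
"""

def parse_reg_export(text):
    """Parse a text .reg export into {key: {value_name: data}}; data is kept as a string."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports escape backslashes inside string data as "\\"
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_ginwui_persistence(text):
    """List Winlogon Notify packages and AppInit_DLLs entries, flagging Ginwui's DLL names."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower().startswith(NOTIFY_PREFIX):
            dll = values.get("DllName", "")
            findings.append({"mechanism": "Winlogon Notify", "entry": key.rsplit("\\", 1)[1],
                             "dll": dll, "ginwui": dll.lower().endswith(GINWUI_NOTIFY_DLL)})
        elif key.lower() == WINDOWS_KEY:
            # AppInit_DLLs may list several DLLs separated by spaces, commas or semicolons
            for dll in filter(None, re.split(r"[ ,;]+", values.get("AppInit_DLLs", ""))):
                findings.append({"mechanism": "AppInit_DLLs", "entry": "AppInit_DLLs",
                                 "dll": dll, "ginwui": dll.lower().endswith(GINWUI_APPINIT_DLL)})
    return findings
```

Entries not flagged as Ginwui still deserve review, since both locations load arbitrary DLLs into privileged or user processes at logon.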

Backdoor
Contact server:
   • http://scfzf.xi**********

Through this connection it may send out information and provide remote control. It periodically repeats the connection attempt.

Injection
It injects the following file into a process: %SYSDIR%\zsydll.dll

   Process name:
   • iexplore.exe


File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Monday, May 22, 2006
Description updated by Andrei Gherman on Monday, May 22, 2006
