As stated previously by Randy, a new vulnerability affecting the Windows operating system from Microsoft has recently been discovered and has been patched Yesterday by an out of cycle patch. This vulnerability has been exploited by attackers to install a trojan horse on victim computers. The name of this trojan is Gimmiv.A. This blog post will give more details on this malware that is the payload of the attack. For our readers who want more information on the MS08-067 vulnerability and potential exploits, we recommend consulting Microsoft's advisory. Exploit code has already been made public for this vulnerability but finding it is left as an exercise to the reader.
The threat labeled as Win32/Gimmiv.A is an executable that writes a DLL (sysmgr.dll) to disk. The executable registers the DLL as a system service with the name "System Maintenance Service". Before starting the newly created service, the Gimmiv.A executable launches a batch script that tries to kill Trend Micro's antivirus. This executable is easy to analyze since it doesn't include any obfuscation and has debugging messages as shown in the code snippet below:
call ds:RegCreateKeyExA
mov [ebp+call_result], eax
cmp [ebp+call_result], 0
jz short no_error_found
push offset aRegcreatekey_0 ; "RegCreateKeyEx() failed!n"
call debug_message
sysmgr.dll contains the main functionalities of this piece of malware. The first steps it takes are to verify that the infected system is connected to the internet by sending a ping to a google server. If an answer is received, the malware continues executing. Otherwise, the malware uninstalls and exits. When reporting to its home base, Gimmiv.A sends information on the version of the operating system it has infected and which antivirus is installed. This malware checks the system to identify the presence of the following antivirus products:
- Trend Micro
- Symantec
- BitDefender
- Rising
- Kaspersky
- Kingsoft
- Microsoft One Care
- Jiangmin
The main purpose of Gimmiv is to give access to an infected computer to the attacker, it also gathers a lot of information on the infected computer and sends them back to the attacker. The collected information includes:
- MSN Messenger username and password
- Outlook Express username and password
- Saved passwords in Internet Explorer
- Web Cookies with potential authentication tokens
- Any file wanted by the attacker
At the moment, we are not seeing a lot of activity from this malware. Its distribution point has already been taken offline. From the information we could gather on this threat, it seems like it was targeting users in Asia. This malware seems to be well programmed and could have been used by professionals but it is a bit too generic to indicate it was used in very precisely targeted attacks.
Pierre-Marc Bureau
Researcher