|
Description:
To get a one-glance comprehensive view of the behavior of this backdoor, refer to the Behavior Diagram shown below.
Malware Overview
This backdoor arrives on a system as a file dropped by another malware that Trend Micro detects as W97M_MDROPPER.AC.
When executed, it drops a copy of itself as WINCFGS.EXE in the Windows system folder. It also
drops the files ZSYHIDE.DLL and ZSYDLL.DLL in the said folder. This backdoor injects the said .DLL files, which are also detected as BKDR_GINWUI.B, into running processes to ensure memory residency and to hide its process, hence avoiding easy detection.
Notably, it injects ZSYDLL.DLL into the Internet Explorer process. The said action causes the Internet Explorer to crash.
This backdoor also drops the file 20060426.BAK, which it executes once detecting Internet connection, in the local user's Temp folder. Trend Micro also detects the said file as BKDR_GINWUI.B.
Using TCP port 80, it attempts to access a remote server in scfzf.{BLOCKED}cp.net via Hyper Text Transfer Protocol (HTTP). It then listens for commands coming from a remote malicious user. It executes these commands locally on an infected system, providing the remote user virtual control over the system. The said routine compromises system security.
For additional information about this threat, see:
Solution
Technical Details
Description created: May. 19, 2006 4:29:14 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
