-=PCTechTalk=- Gimmiv-A Trojan - Last week's critical update

• From: Gman <gman.pctt@xxxxxxxxx>
• To: "PCTechTalk Group <FreeLists>" <PCTechTalk@xxxxxxxxxxxxx>
• Date: Tue, 28 Oct 2008 13:04:08 -0400

The Trojan that's blocked by last week's emergency Windows Update is called 
Gimmiv-A.  If anyone is concerned whether they patched their system fast 
enough, here's the info on what it does.  Just looking to see if the 
sysmgr.dll file should be enough to ease your mind a bit.  Since the 
location given below is written in computer-speak, the translation for most 
system is "C:\WINDOWS\system32\wbem".  An exception to that would only 
happen if you installed Windows to somewhere other than the default 
C:\Windows location.

Since this Trojan hit, most malware fighting tools have likely been updated 
to include definitions for it and others that may be based on the concept. 
Make sure you have the latest available definitions for all of the 
anti-malware items you're running on your system, just to be safe.

If you have any questions about any of this, just give a yip.     :)


***********************
 Troj/Gimmiv-A is a Trojan for the Windows platform.

When Troj/Gimmiv-A is run, the following file is dropped:

<System>\wbem\sysmgr.dll

This file is also detected as Troj/Gimmiv-A

Troj/Gimmiv-A sets the following registry entries to link the dll with 
svchost.exe:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
sysmgr
sysmgr

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
ServiceDll
<System>\wbem\sysmgr.dll

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
ServiceMain
ServiceMainFunc

Troj/Gimmiv-A then also creates a service with the a Service Name of 
"sysmgr" and a Display Name of "System Maintenance Service" to run the 
dropped dll on startup by running "<Root>\System32\svchost.exe -k sysmgr".

The dll includes functionality to send information about the infected 
computer to a remote website, including information about what anti-virus 
product is being run.
***********************

Peace,
Gman

"The only dumb questions are the ones we fail to ask"

---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything 
below it) and adjust the subject line as necessary.

To unsubscribe or change your email settings:
http://www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
http://www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx

To join the PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------

• Follow-Ups:
  • -=PCTechTalk=- Re: Gimmiv-A Trojan - Last week's critical update
    • From: Gman
  • -=PCTechTalk=- Re: Gimmiv-A Trojan - Last week's critical update
    • From: cristy

Other related posts:

• » -=PCTechTalk=- Gimmiv-A Trojan - Last week's critical update

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page

• » View list details
• » Manage your subscription