Gman,

Are you saying that if I do a search on my computer for "wbem" and find it that I have a worm?

Christine

----- Original Message -----
From: "Gman" <gman.pctt@xxxxxxxxx>
To: "PCTechTalk Group <FreeLists>" <PCTechTalk@xxxxxxxxxxxxx>
Sent: Tuesday, October 28, 2008 1:04 PM
Subject: -=PCTechTalk=- Gimmiv-A Trojan - Last week's critical update

The Trojan that's blocked by last week's emergency Windows Update is called Gimmiv-A. If anyone is concerned whether they patched their system fast enough, here's the info on what it does. Just looking to see if the sysmgr.dll file should be enough to ease your mind a bit.

Since the location given below is written in computer-speak, the translation for most systems is "C:\WINDOWS\system32\wbem". An exception to that would only happen if you installed Windows to somewhere other than the default C:\Windows location.

Since this Trojan hit, most malware fighting tools have likely been updated to include definitions for it and others that may be based on the concept. Make sure you have the latest available definitions for all of the anti-malware items you're running on your system, just to be safe.

If you have any questions about any of this, just give a yip. :)

***********************

Troj/Gimmiv-A is a Trojan for the Windows platform.

When Troj/Gimmiv-A is run, the following file is dropped:

<System>\wbem\sysmgr.dll

This file is also detected as Troj/Gimmiv-A.

Troj/Gimmiv-A sets the following registry entries to link the dll with svchost.exe:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
sysmgr
sysmgr

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
ServiceDll
<System>\wbem\sysmgr.dll

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
ServiceMain
ServiceMainFunc

Troj/Gimmiv-A then also creates a service with a Service Name of "sysmgr" and a Display Name of "System Maintenance Service" to run the dropped dll on startup by running "<Root>\System32\svchost.exe -k sysmgr".
The dll includes functionality to send information about the infected computer to a remote website, including information about what anti-virus product is being run.

***********************

Peace,
Gman

"The only dumb questions are the ones we fail to ask"

---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything below it) and adjust the subject line as necessary.

To unsubscribe or change your email settings:
http://www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
http://www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx

To join the PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------
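The advisory quoted in the thread lists four concrete indicators of a Gimmiv-A infection: the dropped sysmgr.dll inside the wbem folder, the "sysmgr" entry under the SvcHost key, the ServiceDll/ServiceMain values under the sysmgr service's Parameters key, and the "sysmgr" service itself. The script below is an added example, not part of the mailing-list thread or any vendor tool, that checks a Windows host for exactly those indicators and reports what it finds. It is read-only and assumes it is run from an elevated PowerShell prompt; it resolves the Windows directory from $env:SystemRoot rather than assuming C:\WINDOWS, which covers the non-default install location Gman mentions. Note that the wbem folder itself is a normal part of Windows (it belongs to WMI), so finding the folder alone is not an indicator; only the sysmgr.dll file and the registry and service entries are.

```powershell
# Added example (not from the PCTechTalk thread): read-only check for the
# Gimmiv-A indicators listed in the quoted advisory. Changes nothing on the host.
# Assumption: run in an elevated PowerShell prompt on the machine being checked.

$findings = @()

# 1. The dropped file. <System> in the advisory is the system32 directory of the
#    real Windows install, so derive it from $env:SystemRoot instead of hard-coding C:\.
$dll = Join-Path $env:SystemRoot 'system32\wbem\sysmgr.dll'
if (Test-Path -LiteralPath $dll) {
    $findings += "Dropped file present: $dll"
}

# 2. The svchost group entry ("sysmgr" value under the SvcHost key) that links the
#    dll to svchost.exe. The value is a REG_MULTI_SZ, so join it for display.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$group = Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue
if ($group -and $group.PSObject.Properties['sysmgr']) {
    $findings += "SvcHost group 'sysmgr' registered: $($group.sysmgr -join ', ')"
}

# 3. The service parameters naming the dll and its entry point.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters'
$params = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue
if ($params) {
    if ($params.ServiceDll)  { $findings += "ServiceDll  = $($params.ServiceDll)" }
    if ($params.ServiceMain) { $findings += "ServiceMain = $($params.ServiceMain)" }
}

# 4. The service key's ImagePath ("<Root>\System32\svchost.exe -k sysmgr") and the
#    registered service itself ("sysmgr" / "System Maintenance Service").
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sysmgr'
$svcReg = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svcReg -and $svcReg.ImagePath) {
    $findings += "Service ImagePath = $($svcReg.ImagePath)"
}
$svc = Get-Service -Name 'sysmgr' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'sysmgr' exists (display name '$($svc.DisplayName)', status $($svc.Status))"
}

# Report. Any single finding is worth following up with an up-to-date scanner;
# a clean result here only covers the indicators the advisory names.
if ($findings.Count -eq 0) {
    Write-Output 'No Gimmiv-A indicators found.'
} else {
    Write-Output 'Gimmiv-A indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it as-is from an elevated prompt; it prints either "No Gimmiv-A indicators found." or a list of the indicators present. The checks are deliberately narrow (the exact file, value names and service name from the advisory), so a clean result does not rule out a variant that uses different names; that is what the up-to-date anti-malware definitions Gman recommends are for.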