About | Buy Stuff | News | Products | Rants | Search | Security | Social
Home » News » Roundups

Backdoor.Ginwui's Back

You men eat your dinner your pork 'n' beans
I eat more chicken than any man's ever seen
The men don't know but the little girls understand
 - W Dixon

Backdoor.Ginwui's back and with a vengeance, exploiting the same kind of dumb hole that put Microsoft on the exploit map in the first place - a piece of reckless technology that no one knows anything about, no one uses, and no one cares about - except the black hats.

And the black hats are once again taking off their black hats to Microsoft.

Phoning Home

The current incarnation of Backdoor.Ginwui, once dropped onto your super-secure Windows system by the ultra user friendly MS Word, will attempt to phone home. It reaches out to its mother ship at localhosts.3322.org.

Domain ID:D81041153-LROR
Domain Name:3322.ORG
Created On:11-Dec-2001 18:35:40 UTC
Last Updated On:27-Jan-2006 01:24:32 UTC
Expiration Date:11-Dec-2010 18:35:40 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Status:OK
Registrant ID:ONLC-615124-4
Registrant Name:Bentium Ltd.
Registrant Organization:Yaako Ltd.
Registrant Street1:1406, Yinyuan Building 37, West Guanhe Road
Registrant City:Changzhou
Registrant State/Province:JS
Registrant Postal Code:213002
Registrant Country:CN
Registrant Phone:+86.5196113322
Registrant FAX:+86.5196620244
Registrant Email:ppyy@staff.cn99.com
Admin ID:ONLC-615124-1
Admin Name:Yong, Peng
Admin Organization:Yaako Ltd.
Admin Street1:1406, Yinyuan Building 37, West Guanhe Road
Admin City:Changzhou
Admin State/Province:JS
Admin Postal Code:213002
Admin Country:CN
Admin Phone:+86.5196113322
Admin FAX:+86.5196620244
Admin Email:ppyy@staff.cn99.com
Tech ID:ONLC-615124-2
Tech Name:Yong, Peng
Tech Organization:Yaako Ltd.
Tech Street1:1406, Yinyuan Building 37, West Guanhe Road
Tech City:Changzhou
Tech State/Province:JS
Tech Postal Code:213002
Tech Country:CN
Tech Phone:+86.5196113322
Tech FAX:+86.5196620244
Tech Email:ppyy@staff.cn99.com
Name Server:NS2.3322.NET
Name Server:NS1.3322.NET

'cn99.com' is also registered to Bentium/Yaako; the vanity domain 'localhosts' is not currently online.

Droppings

Backdoor.Ginwui will drop the following files on your super-secure Windows system with Advanced Security Technologies™.

  • Winguis.dll gets dropped in your 'system' directory.
  • DetPort.sys, IsPubDRV.sys, and RVdPort.sys, get dropped in the drivers subdirectory to 'system'.

Because you are running Windows and not a real operating system, you cannot be protected from this.

Registry Shenanigans

Backdoor.Ginwui puts an 'init' in your Registry for Winguis.dll. Its location is given as the data for Registry value 'AppInit_DLLs' found in the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.

Because you are running Windows and not a real operating system, you cannot be protected from this.

Mutants

When initialised Winguis.dll creates the mutex GUI40ServiceStart.

Spelunking

Backdoor.Ginwui does a lot of spelunking on your system. It runs the gamut of your running processes, running services, peeks into your TCP stack, rummages around on your disk and in your Registry enumerating everything it can get its hands on - and worst of all it actually mucks about with your Registry contents.

Several of the APIs used are Microsoft internal (undocumented).

The Dropper

The dropper exploit itself - the code that makes Word do all these wonderful things - has been dubbed 'Trojan.Mdropper'.

Zero Day

This exploit is called 'zero day' because Microsoft didn't even know about it before it hit. What can otherwise happen is that the black hats study Microsoft security advisories and then rush to exploit the new holes before users have a chance to patch. In this case Microsoft were again caught with their knickers down.

What Can I Do?

You can do several things to protect yourself.

  1. Disconnect from the Internet. Now.
  2. Check your file system and your Registry for the above intrusions - and if found, remove them.
  3. Get a copy of OpenOffice to replace Microsoft's junkheap MS Office.
  4. Either install Ubuntu or get a Mac (but not one of their laptops). You're safer with a Mac but you're even safer with Ubuntu - and it won't cost you a penny either: Mark Shuttleworth will ship your Ubuntu CDs (up to five sets at a time) to your door for free.

About | Buy Stuff | News | Products | Rants | Search | Security | Social
Copyright © Radsoft. All rights reserved.