| About | Buy Stuff | News | Products | Rants | Search | Security | |
Home » News » Roundups
Backdoor.Ginwui's BackYou men eat your dinner your pork 'n' beans Backdoor.Ginwui's back and with a vengeance, exploiting the same kind of dumb hole that put Microsoft on the exploit map in the first place - a piece of reckless technology that no one knows anything about, no one uses, and no one cares about - except the black hats. And the black hats are once again taking off their black hats to Microsoft. Phoning HomeThe current incarnation of Backdoor.Ginwui, once dropped onto your super-secure Windows system by the ultra user friendly MS Word, will attempt to phone home. It reaches out to its mother ship at localhosts.3322.org. Domain ID:D81041153-LROR Domain Name:3322.ORG Created On:11-Dec-2001 18:35:40 UTC Last Updated On:27-Jan-2006 01:24:32 UTC Expiration Date:11-Dec-2010 18:35:40 UTC Sponsoring Registrar:OnlineNIC Inc. (R64-LROR) Status:OK Registrant ID:ONLC-615124-4 Registrant Name:Bentium Ltd. Registrant Organization:Yaako Ltd. Registrant Street1:1406, Yinyuan Building 37, West Guanhe Road Registrant City:Changzhou Registrant State/Province:JS Registrant Postal Code:213002 Registrant Country:CN Registrant Phone:+86.5196113322 Registrant FAX:+86.5196620244 Registrant Email:ppyy@staff.cn99.com Admin ID:ONLC-615124-1 Admin Name:Yong, Peng Admin Organization:Yaako Ltd. Admin Street1:1406, Yinyuan Building 37, West Guanhe Road Admin City:Changzhou Admin State/Province:JS Admin Postal Code:213002 Admin Country:CN Admin Phone:+86.5196113322 Admin FAX:+86.5196620244 Admin Email:ppyy@staff.cn99.com Tech ID:ONLC-615124-2 Tech Name:Yong, Peng Tech Organization:Yaako Ltd. Tech Street1:1406, Yinyuan Building 37, West Guanhe Road Tech City:Changzhou Tech State/Province:JS Tech Postal Code:213002 Tech Country:CN Tech Phone:+86.5196113322 Tech FAX:+86.5196620244 Tech Email:ppyy@staff.cn99.com Name Server:NS2.3322.NET Name Server:NS1.3322.NET 'cn99.com' is also registered to Bentium/Yaako; the vanity domain 'localhosts' is not currently online. DroppingsBackdoor.Ginwui will drop the following files on your super-secure Windows system with Advanced Security Technologies™.
Because you are running Windows and not a real operating system, you cannot be protected from this. Registry ShenanigansBackdoor.Ginwui puts an 'init' in your Registry for Winguis.dll. Its location is given as the data for Registry value 'AppInit_DLLs' found in the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows. Because you are running Windows and not a real operating system, you cannot be protected from this. MutantsWhen initialised Winguis.dll creates the mutex GUI40ServiceStart. SpelunkingBackdoor.Ginwui does a lot of spelunking on your system. It runs the gamut of your running processes, running services, peeks into your TCP stack, rummages around on your disk and in your Registry enumerating everything it can get its hands on - and worst of all it actually mucks about with your Registry contents. Several of the APIs used are Microsoft internal (undocumented). The DropperThe dropper exploit itself - the code that makes Word do all these wonderful things - has been dubbed 'Trojan.Mdropper'. Zero DayThis exploit is called 'zero day' because Microsoft didn't even know about it before it hit. What can otherwise happen is that the black hats study Microsoft security advisories and then rush to exploit the new holes before users have a chance to patch. In this case Microsoft were again caught with their knickers down. What Can I Do?You can do several things to protect yourself.
|
| About | Buy | News | Products | Rants | Search | Security |
| Copyright © Radsoft. All rights reserved. |