BackDoor-CKB!cfaae1e6

Type
Trojan
SubType
Remote Access
Discovery Date
05/18/2006
Length
Varies
Minimum DAT
4766 (05/19/2006)
Updated DAT
4766 (05/19/2006)
Minimum Engine
5.1.00
Description Added
05/18/2006
Description Modified
05/24/2006 8:51 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

BackDoor-CKB!cfaae1e6 is a specific variant of the trojan that is installed by exploiting a new Microsoft Word vulnerability that is currently under investigation.

Installation

Upon the opening of the malicious Microsoft Word document, an embedded Windows Portable Executable (PE) file may be saved onto the victim machine at the following location:

  • %Temp%\20060424.bak (BackDoor-CKB!cfaae1e6)

(Where %Temp% is the Temporary directory, for example C:\Documents and Settings\User\Local Settings\Temp)

The trojan installs a DLL to the WINDOWS SYSTEM directory:

  • %Sysdir%\winguis.dll

The DLL is loaded via the AppInit_DLLs method:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = %Sysdir%\Winguis.dll

The DLL is injected into running processes. It hides both the winguis.dll file and the AppInit_DLLs registry value from the user.

Three 0 byte files are also created:

  • %Sysdir%\drivers\DetPort.sys
  • %Sysdir%\drivers\IsPubDRV.sys
  • %Sysdir%\drivers\RVdPort.sys

Remote Access Functionality

Once running on the victim machine, the server component establishes HTTP communications to a remote server hosted on the following domain(s):

  • loc[hidden].3322.org

This trojan gives an attacker the capability to execute arbitrary external commands, download additional trojans, capture desktop screenshots, and monitor and record keystrokes and passwords.

Symptoms

Remote HTTP connections to the following domain(s):

  • loc[hidden].3322.org

Presence of one or more of the following Windows Registry key(s):

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gui30svr
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\legacy_gui30svr\0000\driver = "{8ECC055D-047F-11D1-A537-0000F8753ED1}\0024"

Presence of one or more of the following file(s):

  • %Sysdir%\winguis.dll (BackDoor-CKB!cfaae1e6)
  • %Temp%\20060424.bak (BackDoor-CKB!cfaae1e6)
  • %Sysdir%\drivers\DetPort.sys (0 byte file)
  • %Sysdir%\drivers\IsPubDRV.sys (0 byte file)
  • %Sysdir%\drivers\RVdPort.sys (0 byte file)

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
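An added triage check (not part of the AVERT description) that evaluates the symptoms listed above against a host snapshot. The snapshot format, the helper names and the sample data are assumptions for illustration; the indicator strings come from this description. AppInit_DLLs is parsed as a space- or comma-separated list because the loader honours every entry in that value, so a match must not depend on the DLL being the only entry.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the AVERT description of BackDoor-CKB!cfaae1e6.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gui30svr"
DROPPED_DLL = "winguis.dll"
DROPPER = "20060424.bak"
EMPTY_DRIVERS = {"detport.sys", "ispubdrv.sys", "rvdport.sys"}


def appinit_entries(value):
    """Split an AppInit_DLLs string the way the loader treats it (entries
    separated by spaces or commas) and return lowercase file names."""
    return [PureWindowsPath(v).name.lower() for v in re.split(r"[ ,]+", value) if v]


def check_host(snapshot):
    """snapshot = {'registry': {key: {value_name: data}}, 'files': {path: size}}
    (a constructed format, not a real tool's output). Returns matched indicators."""
    hits = []
    reg = snapshot.get("registry", {})
    appinit = reg.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    if DROPPED_DLL in appinit_entries(appinit):
        hits.append("AppInit_DLLs references winguis.dll")
    if SERVICE_KEY in reg:
        hits.append("service key gui30svr present")
    for path, size in snapshot.get("files", {}).items():
        name = PureWindowsPath(path).name.lower()
        parent = PureWindowsPath(path).parent.name.lower()
        if name == DROPPED_DLL:
            hits.append(f"dropped DLL: {path}")
        elif name == DROPPER:
            hits.append(f"dropper: {path}")
        elif name in EMPTY_DRIVERS and parent == "drivers" and size == 0:
            hits.append(f"0-byte driver file: {path}")
    return hits


# Constructed sample snapshot mimicking an infected host (not real telemetry).
SAMPLE = {
    "registry": {
        APPINIT_KEY: {"AppInit_DLLs": r"C:\WINDOWS\SYSTEM32\Winguis.dll"},
        SERVICE_KEY: {},
    },
    "files": {
        r"C:\WINDOWS\SYSTEM32\winguis.dll": 45056,
        r"C:\WINDOWS\SYSTEM32\drivers\DetPort.sys": 0,
        r"C:\WINDOWS\SYSTEM32\drivers\IsPubDRV.sys": 0,
        r"C:\WINDOWS\SYSTEM32\drivers\RVdPort.sys": 0,
    },
}
```

Calling `check_host(SAMPLE)` on the constructed snapshot returns six matched indicators; a clean snapshot returns an empty list.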

Method of Infection

This specific variant is installed via exploiting a new Microsoft Word vulnerability that is currently under investigation.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This trojan is known to have been used in a targeted attack involving a new Microsoft Word vulnerability that is currently under investigation. Backdoor trojans provide an attacker with a means to instruct an infected computer to take certain actions. Additionally, this trojan operates as a user-mode rootkit to conceal its presence from users.

Aliases

  • GinWui.A
