Home / malware Backdoor.Ginwui.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
Backdoor.Ginwui.A is also known as Backdoor.Win32.Ginwui.a, Tr/Spy.Delf.PV.26, BDS/Gusi.A, Bck/Gusi.A, BKDR_GINWUI.A.
Explanation :
When first executed, the virus copies itself in the %TEMP% folder under the name 20060424.bak and deletes itself from the original folder (the folder where it was originally executed).
It drops a file %SystemRoot%\SYSTEM32\WINGUIS.DLL, of 102400 bytes in lenght. This file represents the main backdoor component.
It creates the Mutex Global\GUI40ServiceStart to prevent from running multiple copies of itself.
It registers itself with the SCM Manager as a service under the name Gui30Svr. It's rootkit functionalities (hooking EnumServicesStatusA and EnumServicesStatusW) prevent the service from being displayed when using ControlPanel->AdministrativeTools->Services.
WINGUIS.DLL further creates the registry key
AppInit_DLLs = %System%Winguis.dllunder HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows, forcing WINGUIS.DLL to be loaded in the address space of each newly created process.
It hooks APIs related to process, services, files and registry keys enumeration in order to hide itself.
Once started, it waits from commands from it's author. He is able to gather system information, start and kill processes, take screenshots (wich will be saved in the file %System%Capture.bmp), start a remote command shell etc.Last update 21 November 2011