Ginwui backdoor program analysis - vulnerability warning - the black bar safety net (myhack58)

ID MYHACK58:62200612141
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-10-06T00:00:00


On May 19 this year, CVE published security bulletin CVE-2006-2492: Microsoft Word has a buffer overflow vulnerability when processing DOC files, and opening a specially structured DOC file in Word results in arbitrary code execution. A remote attacker could exploit this vulnerability by persuading a user to open a malicious DOC file, executing arbitrary commands on the user's machine. Microsoft released the patch for this vulnerability on June 13. On May 24, attackers were found using the vulnerability to spread a specially constructed Word document; opening the document in a vulnerable Word causes the backdoor Ginwui.exe embedded in the file to run. Below we analyze the operating mechanism of this backdoor.

1. Behavior analysis of Ginwui.exe

Ginwui.exe copies itself to the temporary directory as 20060426.bak, then executes 20060426.bak and deletes the original program file Ginwui.exe. The 20060426.bak file drops zsydll.dll and zsyhide.dll into the %windir%\system32 directory and injects zsydll.dll into the Winlogon.exe process. Winlogon.exe then starts %ProgramFiles%\Internet Explorer\IEXPLORE.EXE, which connects out to a domain name. zsyhide.dll adds %windir%\system32\zsyhide.dll under the AppInit_DLLs registry value, and zsydll.dll creates a zsydll item in the registry so that it is loaded again after the system restarts.

Registry export for zsyhide.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Registry export for zsydll.dll:

Asynchronous=dword:00000001

Impersonate=dword:00000000

2. Removal method for Ginwui.exe

After the system restarts, run cmd.exe, rename zsydll.dll and zsyhide.dll in the %windir%\system32 directory, and delete the zsydll item in the registry and the C:\WINNT\system32\zsyhide.dll value under the AppInit_DLLs entry. Renaming first is necessary because both DLLs are loaded into running processes and cannot be deleted while in use. Restart the system, then delete the renamed zsyhide.dll and zsydll.dll from the %windir%\system32 directory; 20060426.bak in the temporary directory can be deleted directly.
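As an added example (not part of the original advisory), the following Python script parses a registry export like the ones above and flags the two Ginwui persistence entries, so the check can be run over an exported .reg file before and after cleanup. The Winlogon\Notify location used for the zsydll key in the constructed sample export is an assumption: the advisory names the key but not its parent.

```python
import re

# Key that the AppInit_DLLs value lives under (as in the export above).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
INDICATOR_DLLS = ("zsyhide.dll", "zsydll.dll")

# Constructed sample export. The Winlogon\Notify parent of the zsydll key
# is an assumption; the advisory only names the key itself.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\zsyhide.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text (REG_SZ and dword)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
            if m:
                name = "@" if m.group(1) == "@" else m.group(2)
                data = m.group(3)
                if data.startswith('"') and data.endswith('"'):
                    # .reg strings escape backslashes and quotes with a backslash
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])
                keys[current][name] = data
    return keys

def find_ginwui_indicators(text):
    """Return (key, value_name, reason) tuples for Ginwui persistence entries."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.rsplit("\\", 1)[-1].lower() == "zsydll":
            hits.append((key, None, "zsydll key re-loads the DLL after restart"))
        for name, data in values.items():
            if name.lower() == "appinit_dlls" and key.lower() == APPINIT_KEY.lower() \
                    and "zsyhide.dll" in data.lower():
                hits.append((key, name, "zsyhide.dll injected via AppInit_DLLs"))
            elif any(dll in data.lower() for dll in INDICATOR_DLLS):
                hits.append((key, name, "value references a Ginwui DLL"))
    return hits

if __name__ == "__main__":
    for key, name, reason in find_ginwui_indicators(SAMPLE_EXPORT):
        print(f"{reason}: {key}" + (f" -> {name}" if name else ""))
```

An export with neither entry yields no hits, which is the state expected after the registry part of the cleanup.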

3. Damage

A remote attacker gains complete control of the compromised host with system privileges and can perform any operation on it, for example stealing user accounts and passwords, personal information, credit card account numbers, and so on.

4. Mode of transmission

Ginwui.exe is currently spread as a Trojan program through the Word vulnerability. From the above analysis, however, it can be spread not only via the Word vulnerability but also via earlier IE vulnerabilities, Flash vulnerabilities and other means.

5. Preventive measures

On June 13, Microsoft released security bulletin MS06-027, rated critical: "Vulnerability in Microsoft Word Could Allow Remote Code Execution". The vulnerability is a remote code execution vulnerability in Word caused by a malformed object pointer. An attacker can construct a specially crafted Word file to exploit it, and that file could allow remote code execution. Microsoft has released a security patch for this vulnerability; please update promptly.

A temporary workaround is to run Word in safe mode by adding "/safe" to the command line of the Word shortcut, i.e. "WINWORD.EXE /safe". Update your antivirus software's virus database. Use firewall rules to prohibit connections from inside the system to localhosts.3322.org and scfzf.xicp.net.

Microsoft and the antivirus vendors have classified Ginwui.exe as the backdoor Ginwui.B or Backdoor.Win32.Ginwui.b.