New worm on the loose

There’s a new piece of malware on the loose, exploiting the vulnerability addressed by MS08-067, which was released out-of-band yesterday. Surprisingly, the malware isn’t packed. The common detection for this is Trojan:W32/Gimmiv.A, and the initial package is just a dropper.

I quickly took the dropper apart, and the logic is pretty much what you see in them all. Here’s a condensed IDA graph:

[Figure: Gimmiv dropper graph]

I’ll try to peek at the DLL also soon(ish) I hope :)
