Gimmiv Trojan: Glimpse at winbase.dll

Just took a close look at the winbase.dll variants I have: five of them, with the following compilation timestamps and MD5 hashes:

compile timestamp     MD5
06:51:36 29.09.2008   fbb1105d9d6061e67ce5d158a824383c
06:53:29 29.09.2008   e020c5747784ede80cd836d9fce0d77a
02:06:40 13.10.2008   f12f7a4448df588c976f1a329aa1f9c7
02:07:05 13.10.2008   694399f1668298cf65fc02d55ad4ea9d
02:30:38 13.10.2008   40cb861ad59c804f340fd8a2a28e226c

Codewise these are all the same. Interestingly, though, it has a time-based kill switch. The samples compiled on 29.09.2008 were set to remove themselves at 05.10.2008 23:59 local time. The authors apparently expected their C&Cs to be taken down by then, and that spreading after that point would be useless. Of course this will fail if the computer’s clock is set wrong.

The newer samples compiled on 13.10.2008 have the kill date set to 30.11.2008 23:59 local time, which means those variants will try to spread for over a month to come.

No changes in the code between any of these variants. If you have more samples of these please send them over for analysis to samples_at_teamfurry_dot_com.

winbase.dll seems to be there only to launch the other DLLs, so I reckon they don’t have many reasons to change its code.
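As an added example (my own triage helper, not code from the original post or from the malware), here is how the compile timestamp and MD5 listed above are pulled out of a PE file: the timestamp is the COFF header's TimeDateStamp, reached via e_lfanew. The stub PE built in build_stub_pe is a constructed header for offline testing, not a real sample, and the Unix value used for it assumes the post's timestamps are UTC (the post does not say).

```python
import hashlib
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def triage_line(data: bytes) -> str:
    """One line in the 'HH:MM:SS DD.MM.YYYY md5' shape used in the post."""
    ts = pe_compile_time(data)
    md5 = hashlib.md5(data).hexdigest()
    return f"{ts:%H:%M:%S %d.%m.%Y} {md5}"


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real sample) carrying the
    given TimeDateStamp; enough for the parser above, not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=IMAGE_FILE_MACHINE_I386, one section, zeroed remaining fields
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 1222671096 == 29.09.2008 06:51:36 UTC (constructed to match the first
    # timestamp in the post; the hash will of course differ from the real one)
    print(triage_line(build_stub_pe(1222671096)))
```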
