Ginwui.A Backdoor Trojan Horse is Distributed Inside MS Word Document
Description: Ginwui.A is a new backdoor Trojan Horse that exhibits rootkit functionality and that may arrive at a user's workstation inside an MS Word document. The Trojan is claimed to be delivered as part of an attack that exploits an unpatched vulnerability in the MS Word application. Fingerprint information is as follows:
· [Windows Temp directory]\csrse.exe
· [Windows system directory]\winguis.dll
The shellcode contained in the MS Word document decrypts and drops the backdoor's file as csrse.exe in the Windows temporary folder. When executed, this file drops a second file, winguis.dll, into the Windows System folder. The dropper then deletes itself from the system. The .dll file is the main backdoor component. It also exhibits rootkit functionality, since it hides certain processes from the computer user.
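Added example (not from the advisory or any vendor tool): a small Python host triage that resolves the two fingerprint paths from the environment and reports any that exist. Because the dropper deletes itself, the constructed sample tree contains only the DLL, and a single hit is still reported; the helper names are my own.

```python
"""Host triage for the Ginwui.A file fingerprint described in the advisory
(added example; hypothetical helper names, not vendor tooling)."""
import hashlib
import os
import tempfile
from pathlib import Path

# File artefacts named in the advisory: the dropper lands in the Windows
# temp directory, the backdoor DLL in the Windows system directory.
GINWUI_ARTEFACTS = {"temp": "csrse.exe", "system": "winguis.dll"}


def default_windows_dirs():
    """Resolve the temp and system directories from the environment.
    Values are Windows-specific; on other hosts they may be None."""
    temp = os.environ.get("TEMP") or os.environ.get("TMP")
    root = os.environ.get("SystemRoot")
    return {"temp": temp, "system": os.path.join(root, "System32") if root else None}


def sweep(dirs):
    """Return one finding per artefact found. `dirs` maps 'temp'/'system'
    to a directory path (or None to skip). The dropper deletes itself
    after running, so a host with only winguis.dll present is still
    considered infected: any single hit is reported."""
    findings = []
    for key, name in GINWUI_ARTEFACTS.items():
        base = dirs.get(key)
        if not base:
            continue
        path = Path(base) / name
        if path.is_file():
            data = path.read_bytes()
            findings.append({"artefact": key, "path": str(path),
                             "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    return findings


def demo_constructed_layout():
    """Constructed sample: a fake temp/system tree in which the dropper
    has already removed itself and only the DLL remains."""
    root = Path(tempfile.mkdtemp(prefix="ginwui_demo_"))
    (root / "temp").mkdir()
    (root / "system").mkdir()
    (root / "system" / "winguis.dll").write_bytes(b"constructed placeholder, not malware")
    return sweep({"temp": str(root / "temp"), "system": str(root / "system")})


if __name__ == "__main__":
    # On a real Windows host use: sweep(default_windows_dirs())
    for hit in demo_constructed_layout():
        print(hit)
```

A hit on winguis.dll alone is sufficient evidence; the absence of csrse.exe does not clear the host.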
Look for the Windows registry key(s) created by Ginwui.A.
Recovery: Remove all files and the Windows registry key modifications associated with this malicious code threat. Restore corrupted or damaged files from clean backup copies. Restore script.ini and any other files potentially overwritten by the Trojan. Validate the functionality of all anti-virus and security-related software.