Weekly Report on Viruses and Intruders – Gusi.A and Gusi.B Trojans

1Table.A is a Trojan that takes advantage of a critical vulnerability found in the latest Microsoft Word versions, for which there is no security patch yet. The Trojan reaches computers as a legitimate Word document, or any other Microsoft Office document with an embedded Word document. When the document is opened, the Trojan triggers a buffer overflow in the application, allowing an attacker to run arbitrary code with the same privileges as the logged in user; if the user has administrators’ rights, the attacker could gain total control over the target computer. Also, the Trojan exploits the vulnerability to drop a Gusi backdoor Trojan variant (Gusi.A or Gusi.B) on the affected system.
1Table.A does not spread automatically, it needs some action from the user to reach a vulnerable system and take advantage of the vulnerability. These actions include opening email attachments, downloading files from the Internet or P2P networks, etc.

Gusi.A is a backdoor Trojan that cannot reach computer by its own means, but needs to be dropped by another malware, such as 1Table.A for example. Once on the system, it injects itself in Internet Explorer, and hooks certain API functions in order to go unnoticed by users. Once installed, it sends out information about the compromised computer, awaiting commands including opening the Windows console (cmd.exe) from a remote attacker. The worm creates file Winguis.dll in the Windows System subfolder, files Etport.sys, Ispubdrv.sys and Rvdport.sys in the Drivers subfolder and file 20060424.bak, which has the following icon:

Also, it copies itself to the AppInit_DLLs entry in the Windows Registry to ensure it is run every time the operating system starts up.

Gusi.B is a variant of Gusi.A which is dropped onto the system by another Trojan, like 1Table.A, by taking advantage of a critical, undocumented Microsoft Word vulnerability. A clear symptom is an Internet Explorer run error if it cannot find an open Internet connection. Once in the affected computer, it opens a series of consecutive ports, starting from 1032, in order to send out information about the infected computer and receive commands to carry out actions on the system. Then, it injects code in Internet Explorer and connects to the IP address 222.9.X.X. It uses rootkit techniques to hide its files. This backdoor Trojan creates files Zsydll.Dll and Zsyhide.Dll in the target computer’s Windows system subfolder. It also creates a file called 20060426.bak, with the following icon:

To ensure it is run every time Windows starts up, Gusi.B creates a Registry entry in key AppInit_DLLs and several entries in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\Windows NT\ CurrentVersion\ Winlogon\ Notify\ zsydll

Don't miss