Description
Win32.Gema.D is a trojan that downloads and executes arbitrary files. It has been distributed as a 14,336-byte, PECompact compressed, Win32 executable.
Method of Infection
Each time Gema.D is executed, it changes its filename and associated registry entries.
It copies itself to the %System% directory using one of the following names:
advmon32.exe
audiocntl.exe
cddrv32.exe
cmt101.exe
cmx32.exe
de32gen.exe
dlldmt.exe
dmtdll.exe
dvraudio.exe
dvrvideo.exe
flpycntl.exe
idecntl.exe
keybdcntl.exe
mainviewex.exe
mdmdll32.exe
modeminf.exe
mousecntl.exe
mousecntl32.exe
msmon.exe
mswavedll.exe
scopedll.exe
sysdpt.exe
sysflg32.exe
sysint16.exe
unldr16.exe
unldrexe.exe
videocntl.exe
Gema.D modifies the registry to ensure that regardless of its chosen filename, it is executed each time Windows is started:
HKLM\Software\Microsoft\Windows\Currentversion\Run\<generated name> = "%System%\<generated filename>.exe"
HKCU\Software\Microsoft\Windows\Currentversion\Run\<generated name> = "%System%\<generated filename>.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\<generated name> = "%System%\<generated filename>.exe"
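Because the filename changes on every run, the stable detection handle is the combination of the three Run keys above with the fixed set of candidate filenames. The following script is an added example, not part of the original advisory or any CA tool: it parses the text of a `reg export` (.reg) dump and flags Run-key values whose target basename is one of the Gema.D names. The sample export embedded in it is constructed for illustration.

```python
import re

# Filenames Gema.D is reported to copy itself under in %System% (from the advisory).
GEMA_D_NAMES = {
    "advmon32.exe", "audiocntl.exe", "cddrv32.exe", "cmt101.exe", "cmx32.exe",
    "de32gen.exe", "dlldmt.exe", "dmtdll.exe", "dvraudio.exe", "dvrvideo.exe",
    "flpycntl.exe", "idecntl.exe", "keybdcntl.exe", "mainviewex.exe", "mdmdll32.exe",
    "modeminf.exe", "mousecntl.exe", "mousecntl32.exe", "msmon.exe", "mswavedll.exe",
    "scopedll.exe", "sysdpt.exe", "sysflg32.exe", "sysint16.exe", "unldr16.exe",
    "unldrexe.exe", "videocntl.exe",
}

# The three autostart keys the advisory lists; compared in lower case with short hive names.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows nt\currentversion\windows\run",
}
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

# Constructed sample "reg export" text (not a real capture): one benign entry, one Gema.D-style entry.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysflg"="C:\\WINDOWS\\system32\\sysflg32.exe"
"""


def find_gema_autostarts(reg_export_text):
    """Return (key, value_name, data) for Run-key values whose target is a Gema.D filename."""
    hits = []
    current_key = None
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            hive, _, rest = m.group(1).partition("\\")
            current_key = HIVE_ALIASES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
            continue
        m = VALUE_RE.match(line)
        if not m or current_key not in RUN_KEYS:
            continue
        name, data = m.groups()
        # .reg files escape backslashes as "\\"; undo that, then take the basename.
        exe = data.replace("\\\\", "\\").strip('"').rsplit("\\", 1)[-1].lower()
        if exe in GEMA_D_NAMES:
            hits.append((current_key, name, data))
    return hits
```

Real `reg export` output is UTF-16 with a header line; decode it first, then pass the text to `find_gema_autostarts`. A hit means the value name is also the generated name to look for in the other two keys.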
Payload
Downloads and Executes Arbitrary Files
The trojan periodically attempts to contact the IP address 216.130.216.229 to receive information about the locations of files to be downloaded. At the time of publishing, this address was inactive. Additional evidence suggests that the downloaded files were porn dialers, tailored to the geographic location of the affected machine.
Note: CA has received several reports of different Gema variants in the wild. IP addresses associated with other Gema variants are as follows:
203.166.19.23
216.130.216.229
216.130.216.225
216.130.216.242
213.252.5.46
Analysis by Matthew McCormack