Type: Trojan
Category: Win32
Also known as:
TROJ_CRYPT.A (Trend), W32/Crypter.B@dl (F-Secure), Troj/Crypter-A (Sophos), Troj/Crypter-B (Sophos), Troj/Crypter-C (Sophos), Troj/Crypter-D (Sophos), Troj/Cryptldr-A (Sophos), PWS-Datei (McAfee), Trojan.Gema (Symantec), Win32/Gema.11776.Trojan, Win32/Gema.14336.Trojan, Win32.Gema.A, TROJ_GEMA.A (Trend), Win32/Gema.A.Trojan, Win32.Gema.B, Trojan.Gema.B (Symantec), Win32.Gema.C, Win32.Gema.D, Win32.Gema.E, Win32.Gema.F, Win32/Gema.Trojan, Downloader-GP (McAfee), Downloader-HS (McAfee), Downloader-PV (McAfee), SysCenter (McAfee), TrojanDownloader.Win32.Crypter (Kaspersky), TrojanDownloader.Win32.Crypter (PestPatrol), TrojanDownloader.Win32.Small.uy (Kaspersky)
Description
The Win32.Gema variants are a family of trojans that download and execute arbitrary files. At the time of publishing, CA have received reports of six different variants from the wild. These variants have been distributed as Win32 executables, packed with either PECompact or UPX, and are between 12,288 and 14,336 bytes in size.
Method of Infection
Each time Gema variants are executed, they change their filename and associated registry entries.
Variants of this family copy themselves to the %System% directory using one of the following names:
advmon32.exe
audcntr.exe
audiocntl.exe
cddrv32.exe
cmt101.exe
cmx32.exe
de32gen.exe
dlldmt.exe
dmtdll.exe
dvraudio.exe
dvrvideo.exe
flpycntl.exe
idecntl.exe
keybdcntl.exe
mainviewex.exe
mdmdll.exe
mdmdll32.exe
modeminf.exe
mousecntl.exe
mousecntl32.exe
mscolour.exe
msmon.exe
mswavedll.exe
scopedll.exe
sysdpt.exe
sysflg32.exe
sysint16.exe
unldr16.exe
unldr32.exe
unldrexe.exe
videocntl.exe
Gema modifies the registry to ensure that regardless of its chosen filename, it is executed each time Windows is started:
HKLM\Software\Microsoft\Windows\Currentversion\Run\<generated name> = "%System%\<generated filename>.exe"
HKCU\Software\Microsoft\Windows\Currentversion\Run\<generated name> = "%System%\<generated filename>.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\<generated name> = "%System%\<generated filename>.exe"
For example:
HKLM\Software\Microsoft\Windows\Currentversion\Run\mscolour = "%System%\mscolour.exe"
HKCU\Software\Microsoft\Windows\Currentversion\Run\mscolour = "%System%\mscolour.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\mscolour = "%System%\mscolour.exe"
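As an added defensive example that is not part of this CA advisory: a small Python script that scans a Windows registry export (the text produced by reg export) for the persistence pattern described above. The filename list and the three Run keys are taken from this advisory; the .reg sample at the bottom of the script is constructed for demonstration and the function names are the example's own. It goes slightly beyond the text in one respect: a matching filename is reported under any key, with a flag showing whether that key is one of the three the advisory names, so an analyst sees both the confirmed pattern and any near-miss worth reviewing.

```python
"""Scan a Windows registry export (.reg text) for the Gema persistence pattern.

Added example, not part of the CA advisory. It looks for Run values whose data
points at <name>.exe where <name> is one of the filenames Gema variants use,
and records whether the containing key is one of the three the advisory lists.
"""
import re
from typing import Dict, List

# Filenames listed in the advisory (stems only, compared case-insensitively).
GEMA_NAMES = {
    "advmon32", "audcntr", "audiocntl", "cddrv32", "cmt101", "cmx32",
    "de32gen", "dlldmt", "dmtdll", "dvraudio", "dvrvideo", "flpycntl",
    "idecntl", "keybdcntl", "mainviewex", "mdmdll", "mdmdll32", "modeminf",
    "mousecntl", "mousecntl32", "mscolour", "msmon", "mswavedll", "scopedll",
    "sysdpt", "sysflg32", "sysint16", "unldr16", "unldr32", "unldrexe",
    "videocntl",
}

# The three Run keys named in the advisory, written with the long hive names
# that .reg files use, lower-cased for comparison.
GEMA_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows\run",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Path]
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # "name"="string data"


def _unescape_reg_string(data: str) -> str:
    """reg export doubles backslashes inside string values; undo that."""
    return data.replace("\\\\", "\\")


def scan_reg_export(text: str) -> List[Dict[str, object]]:
    """Return one finding per Run-style value that launches a Gema filename."""
    findings: List[Dict[str, object]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).strip().lower()
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        value_name = value_match.group(1)
        data = _unescape_reg_string(value_match.group(2))
        # Executable name is the last path component; drop surrounding quotes.
        exe = data.rsplit("\\", 1)[-1].strip('"').lower()
        stem = exe[:-4] if exe.endswith(".exe") else exe
        if stem not in GEMA_NAMES:
            continue
        findings.append({
            "key": current_key,
            "value": value_name,
            "data": data,
            # The advisory's pattern: value name equals the chosen filename.
            "name_matches_value": value_name.lower() == stem,
            # True when the key is one of the three the advisory lists.
            "known_run_key": current_key in GEMA_RUN_KEYS,
        })
    return findings


# Constructed sample export: one benign entry, two entries matching the
# advisory's example, and one Gema filename under a key not in the advisory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mscolour"="C:\\WINDOWS\\system32\\mscolour.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run]
"mscolour"="C:\\WINDOWS\\system32\\mscolour.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"sysdpt"="C:\\WINDOWS\\system32\\sysdpt.exe"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        tag = "GEMA" if finding["known_run_key"] else "REVIEW"
        print(f"[{tag}] {finding['key']} :: {finding['value']} = {finding['data']}")
```

Run it against the output of reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the two HKCU keys) from a suspect host; entries tagged GEMA match the advisory's pattern exactly, while REVIEW entries share a filename but sit under a key the advisory does not mention.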
Payload
Downloads and Executes Arbitrary Files
The main purpose of the Gema variants is to periodically download files. Gema retrieves the location of a file to be downloaded from particular IP addresses (which change with each variant). Additional evidence suggests that the downloaded files are porn dialers, tailored to the geographic location of the affected machine.
Note: CA has received several reports of different Gema variants from the wild. IP addresses associated with Gema variants are as follows:
203.166.19.23
213.252.5.46
216.130.216.225
216.130.216.229
216.130.216.242
203.130.216.229
203.130.216.225
203.130.216.242
Analysis by Matthew McCormack