
GiftCom

Posted: March 28, 2006

GiftCom is an Internet worm that spreads to other PCs through unpatched security vulnerabilities and through instant messages sent over popular chat applications, including ICQ, AIM, MSN Messenger and Yahoo! Messenger. The worm sends bogus messages containing links to malicious files to every contact in the victim's buddy list. Once a recipient follows such a link, GiftCom is silently downloaded and installed on the computer. The worm ships with a rootkit component that hides its processes and files from most antivirus tools.

GiftCom's payload consists of several malicious functions. First, the worm disables several Windows components (DCOM and the Messenger, Remote Registry and Telnet services, as the registry changes below show), blocks installation of Windows XP Service Pack 2 through Windows Update, and terminates running antivirus and security-related applications. It then starts a backdoor component that gives the attacker unauthorized remote access to the compromised PC. Through the backdoor the intruder can log user keystrokes, set up a hidden FTP server, intercept network and Internet traffic, contact specified web resources and steal sensitive user information. GiftCom can also change the web browser's default home page and download a variant of the Sdbot worm. The threat registers itself as a Windows service so that it runs automatically on every startup.

File System Modifications

  • The following file was created in the system:
    winrpc.exe

Registry Modifications

  • The following Registry values are newly created or changed:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM = N
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2 = 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start = 4
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start = 4
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start = 4
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winrpc (service key created)
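The registry and file indicators above can be checked on a suspect host with the following PowerShell script. It is an added example written for this page, not code from the original entry or from any antivirus vendor; it assumes an elevated PowerShell 5.1 or later session, takes the expected values from the list above, and guesses only the location of winrpc.exe (the page gives the file name but no path, so the script looks in the Windows and System32 directories).

```powershell
# Added example, not from the original page: read-only audit of a Windows host
# for the GiftCom indicators listed on this page. Reports findings, changes nothing.
# Assumption: run elevated; expected values copied from the registry list above.

$indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                            Name = 'EnableDCOM';        Bad = 'N' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2';   Bad = 1   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';              Name = 'RestrictAnonymous'; Bad = 1   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';       Name = 'Start';             Bad = 4   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry';  Name = 'Start';             Bad = 4   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';         Name = 'Start';             Bad = 4   }
)

$findings = @()

# Registry values: a match means the value is set exactly as the worm sets it.
foreach ($i in $indicators) {
    if (-not (Test-Path -Path $i.Path)) { continue }
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $value = $item.($i.Name)
    if ("$value" -ieq "$($i.Bad)") {
        $findings += "Registry: $($i.Path)\$($i.Name) = $value"
    }
}

# The worm registers itself as a service named winrpc so that it runs on every boot.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\winrpc'
if (Test-Path -Path $svcKey) {
    $image = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath: $image)"
}
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='winrpc'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service registered with SCM: $($svc.Name) state=$($svc.State) path=$($svc.PathName)"
}

# Dropped file: the page names winrpc.exe but gives no path, so the directories
# below are an assumption, not an indicator from the original entry.
foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
    $candidate = Join-Path $dir 'winrpc.exe'
    if (Test-Path -Path $candidate) { $findings += "File present: $candidate" }
}

if ($findings.Count -eq 0) { 'No GiftCom indicators found.' } else { $findings }
```

Two caveats when reading the output. The first six values are also set legitimately by administrators hardening a host (disabling DCOM, Messenger, Remote Registry or Telnet, restricting anonymous enumeration), so a hit there is corroborating evidence, not proof of infection; the winrpc service key, service and file are the decisive indicators. Second, the entry above notes that GiftCom carries a rootkit that hides its files and processes, so a clean result from a user-mode script run on the live system is not conclusive: confirm by inspecting the disk and registry hives offline, or from a boot environment where the rootkit is not loaded.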