Virus:Win32/Gnil.A is a virus that spreads by infecting files and by copying itself into removable drives.
Installation
Virus:Win32/Gnil.A drops itself as the file "spoclsv.exe" in the Windows system drivers folder.
It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "svcshare"
With data: "<system folder>\drivers\spoclsv.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
Spreads Via...
File Infection
Virus:Win32/Gnil.A infects script files with the following extensions:
It infects these files by appending an IFrame containing a link to a page on the site "krvkr.com". Infected script files are currently detected as Exploit:HTML/IframeRef.gen.
Virus:Win32/Gnil.A also infects binary files with the following extensions:
It infects these files by prepending itself to them.
It avoids infecting files found in folders whose names contain the following strings:
- Common Files
- ComPlus Applications
- Documents and Settings
- InstallShield Installation Information
- Internet Explorer
- Messenger
- Microsoft Frontpage
- Movie Maker
- MSN
- MSN Gamin Zone
- NetMeeting
- Outlook Express
- Recycled
- System Volume Information
- system32
- WINDOWS
- Windows Media Player
- Windows NT
- WindowsUpdate
- WINNT
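The two infection methods above leave different marks on disk: an infected script carries an appended IFrame pointing at krvkr.com, and an infected binary carries the virus body in front of the original program, so the file holds two complete MZ/PE headers instead of one. The scanner below is an added example written for this page, not Microsoft's or the analyst's code. It assumes the extension sets SCRIPT_EXTS and BINARY_EXTS (the write-up's own extension lists are not on the page), works on in-memory samples that are constructed inline, and uses a placeholder path on the krvkr.com domain. Note that the folders the virus skips during infection are exactly where its own dropped copy lives, so a defender's scan should not skip them.

```python
import re
from pathlib import PurePath

# IFrame whose src points at krvkr.com, the domain named in the write-up.
# Case-insensitive; accepts quoted or bare src attributes.
IFRAME_KRVKR = re.compile(
    rb'<iframe\b[^>]*\bsrc\s*=\s*["\']?[^"\'>\s]*krvkr\.com', re.IGNORECASE
)

# Assumed extension sets for this example; the write-up's own lists are not on
# the page, so these are an assumption, not the malware's actual target list.
SCRIPT_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".js", ".vbs"}
BINARY_EXTS = {".exe", ".scr", ".com", ".pif"}


def has_krvkr_iframe(data: bytes) -> bool:
    """True if the content carries the appended IFrame described in the write-up."""
    return IFRAME_KRVKR.search(data) is not None


def pe_header_offsets(data: bytes) -> list:
    """Offsets of every MZ header whose e_lfanew points at a valid PE signature.

    A prepending infector leaves the original host after its own body, so an
    infected binary contains two complete MZ/PE headers instead of one.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def classify(name: str, data: bytes) -> str:
    """Label one file as script-infected, binary-prepended, or clean."""
    ext = PurePath(name).suffix.lower()
    if ext in SCRIPT_EXTS and has_krvkr_iframe(data):
        return "script-infected"
    if ext in BINARY_EXTS and len(pe_header_offsets(data)) > 1:
        return "binary-prepended"
    return "clean"


def scan(files: dict) -> dict:
    """Classify a {name: content} mapping. A real scan walks every folder,
    including the ones the virus skips, since its dropped copy lives there."""
    return {name: classify(name, data) for name, data in files.items()}


def fake_pe(body: bytes) -> bytes:
    """Constructed minimal MZ/PE header followed by a body; not a real executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)             # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\0\0" + body


# Constructed samples: a script with the appended IFrame (placeholder path on
# the krvkr.com domain), a clean script, a binary with a "virus" header
# prepended to the original host, and an untouched binary.
SAMPLES = {
    "index.html": b"<html><body>hello</body></html>\r\n"
                  b"<iframe src=http://krvkr.com/PLACEHOLDER width=0 height=0></iframe>",
    "clean.html": b"<html><body>hello</body></html>",
    "tool.exe": fake_pe(b"VIRUS-BODY") + fake_pe(b"ORIGINAL-HOST"),
    "ok.exe": fake_pe(b"ORIGINAL-HOST"),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

The two-header check is a heuristic: a legitimate installer that embeds another executable as a resource would also trip it, so treat a hit as a candidate for the existing Exploit:HTML/IframeRef.gen and Win32/Gnil.A signatures rather than as a verdict.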
Removable Drives
Virus:Win32/Gnil.A also propagates via removable drives (for example, USB flash drives and portable hard disks) by copying itself as "setup.exe". It also drops the file "autorun.inf", which causes its copy to run automatically whenever the removable drive is accessed.
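An autorun.inf is a small INI file, and the entries that matter for this behaviour are the ones under [autorun] that launch a program: open, shellexecute, and any shell\<verb>\command entry that rewires the drive's double-click or context-menu actions. The parser below is an added example for this page, not code from the write-up or from Microsoft; the autorun.inf contents it checks are constructed to match the behaviour described above (a root-level "setup.exe" launched on access) and are not a capture of the real file.

```python
import re

# [autorun] keys that launch a program or hijack the drive's double-click action
ACTION_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXE_REF = re.compile(r"\.exe\b", re.IGNORECASE)


def parse_autorun_inf(text: str) -> dict:
    """Tolerant INI parse into {section: {key: value}} with lowercased names.

    Malware-written autorun.inf files are often padded with junk lines, so the
    parser skips anything that is not a section header or a key=value pair.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_programs(text: str) -> list:
    """(key, value) pairs in [autorun] that would run something on access."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in ACTION_KEYS or SHELL_COMMAND.match(k)]


def is_suspicious(text: str) -> bool:
    """Flag an autorun.inf that launches an executable from the drive root."""
    return any(EXE_REF.search(v) for _, v in launched_programs(text))


# Constructed sample modelled on the behaviour in the write-up: the dropped
# autorun.inf launches the "setup.exe" copy on open, on double-click and from
# the Explore context-menu entry.
SUSPECT_INF = r"""[autorun]
open=setup.exe
shellexecute=setup.exe
shell\open\command=setup.exe
shell\explore\command=setup.exe
"""

# Constructed benign file: only an icon and a label, nothing is launched.
BENIGN_INF = r"""[autorun]
icon=disc.ico
label=Holiday photos
"""

if __name__ == "__main__":
    for label, inf in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        print(label, "->", "SUSPICIOUS" if is_suspicious(inf) else "ok",
              launched_programs(inf))
```

On the mitigation side, Windows honours the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; setting it to 0xFF disables AutoRun for every drive type, which removes the automatic launch this autorun.inf depends on even if the file is still copied to the drive.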
Network Shares
Virus:Win32/Gnil.A also propagates via network shares by dropping a copy of itself as "GameSetup.exe" in all network shares that have the folder "admin$". If the share is password-protected, it attempts to gain access by using certain strings as username and password, such as the following:
1234
0
7
110
111
123
520
1111
1313
2002
2003
2112
2600
5150
6969
7777
12345
54321
111111
121212
123123
123456
654321
901100
1234567
5201314
11111111
12345678
88888888
123456789
1234qwer
123abc
123asd
123qwe
aaa
abc
abc123
abcd
admin
admin
admin123
administrator
Administrator
alpha
asdf
baseball
ccc
computer
database
enable
fish
god
godblessyou
golf
Guest
harley
home
ihavenopass
letmein
login
Login
love
mustang
mypass
mypass123
mypc
mypc123
owner
pass
passwd
password
pat
patrick
pussy
pw123
pwd
qq520
qwer
qwerty
root
Root
server
sex
shadow
super
sybase
temp
temp123
test
test123
win
xxx
yxcv
zxcv
Payload
Modifies System Settings
Virus:Win32/Gnil.A performs the following changes to the system:
- Modifies the way that hidden files are displayed:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Sets the system to bypass the proxy server when connecting to the Internet:
Adds value: "ProxyBypass"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Downloads Arbitrary Files
Virus:Win32/Gnil.A downloads files, which may be additional malware, from the website "whboy.net".
Terminates Security Processes
Virus:Win32/Gnil.A terminates certain processes depending on their window title or their process name.
It terminates processes that have window titles containing the following strings:
- Symantec AntiVirus
- System Repair Engineer
- System Safety Monitor
- VirusScan
- Winsock Expert
- Wrapped gift Killer
It terminates processes that have the following names:
- CCenter.exe
- FrogAgent.exe
- KRegEx.exe
- KVCenter.kxp
- KvMonXP.kxp
- KVSrvXP.exe
- KVXP.kxp
- Logo_1.exe
- Logo1_.exe
- Mcshield.exe
- msconfig.exe
- naPrdMgr.exe
- Rav.exe
- Ravmon.exe
- Ravmond.exe
- RavmonD.exe
- RavStub.exe
- RavTask.exe
- regedit.exe
- Rundl132.exe
- scan32.exe
- taskmgr.exe
- TBMon.exe
- TrojDie.kxp
- UIHost.exe
- UpdaterUI.exe
- VsTskMgr.exe
Deletes Registry Entries
Virus:Win32/Gnil.A deletes certain registry entries, some of which may be associated with security processes:
Under HKLM\SYSTEM\CurrentControlSet\Services:
AVP
AVP
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
kavsvc
KPfwSvc
KVSrvXP
KVSrvXP
KVWSC
KVWSC
McAfeeFramework
McAfeeFramework
McShield
McShield
McTaskManager
McTaskManager
MskService
navapsvc
NPFMntor
RsCCenter
RsCCenter
RsRavMon
RsRavMon
SNDSrvc
SPBBCSvc
Symantec Core LC
wscsvc
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
kav
KAVPersonal50
KvMonXP
McAfeeUpdaterUI
Network Associates Error Reporting Service
RavTask
ShStatEXE
yassistse
YLive.exe
Deletion of these entries may prevent the corresponding processes from running properly.
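The Installation, Modifies System Settings and Deletes Registry Entries sections above all describe registry state that survives on an infected machine and can be triaged offline from a .reg export: the "svcshare" Run value pointing at drivers\spoclsv.exe, CheckedValue set to 0 under SHOWALL, ProxyBypass under ZoneMap, and service keys removed from HKLM\SYSTEM\CurrentControlSet\Services. The parser and checker below are an added example for this page, not code from the write-up or from Microsoft. The two exports it reads are constructed inline, the "ExampleApp" Run entry is a made-up benign value, and the choice of wscsvc (Security Center) as a service expected on a default XP SP2/Vista install is an assumption of the example, used to illustrate the missing-key check.

```python
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU",
}

# Keys named in the write-up, normalised to short hive names and lower case.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SHOWALL_KEY = (r"hklm\software\microsoft\windows\currentversion\explorer"
               r"\advanced\folder\hidden\showall")
ZONEMAP_KEY = r"hkcu\software\microsoft\windows\currentversion\internet settings\zonemap"
SERVICES_KEY = r"hklm\system\currentcontrolset\services"
# Assumption for this example: wscsvc (Security Center) exists on a default
# XP SP2+/Vista install, so its absence from a full Services export is notable.
EXPECTED_SERVICES = ("wscsvc",)


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {hive\\path (lowercased): {value name: data}}.

    Quoted strings are unescaped, dword values become decimal text, trailing
    backslashes on key names are dropped; other value types stay as raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\")
            hive, _, rest = key.partition("\\")
            current = (HIVE_ALIASES.get(hive.upper(), hive) + "\\" + rest).lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.lower()] = data
    return keys


def find_indicators(text: str) -> list:
    """Report the Gnil.A registry indicators present in one export."""
    reg = parse_reg_export(text)
    hits = []
    # Installation: the "svcshare" Run value pointing at drivers\spoclsv.exe
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "svcshare" or data.lower().endswith(r"\drivers\spoclsv.exe"):
            hits.append(f"persistence: Run\\{name} = {data}")
    # Modifies System Settings: hidden files suppressed, proxy bypass set
    if reg.get(SHOWALL_KEY, {}).get("checkedvalue") == "0":
        hits.append("hidden files suppressed: SHOWALL\\CheckedValue = 0")
    if "proxybypass" in reg.get(ZONEMAP_KEY, {}):
        hits.append("ZoneMap\\ProxyBypass = " + reg[ZONEMAP_KEY]["proxybypass"])
    # Deletes Registry Entries: expected service keys gone from a Services export
    if any(k.startswith(SERVICES_KEY + "\\") for k in reg):
        for svc in EXPECTED_SERVICES:
            if SERVICES_KEY + "\\" + svc.lower() not in reg:
                hits.append(f"service key missing: Services\\{svc}")
    return hits


# Constructed export showing every indicator from the write-up.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
"""

# Constructed export of a clean machine: no svcshare, CheckedValue at its
# default of 1, and the expected service key present.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, "->", find_indicators(export) or ["no indicators"])
```

When cleaning up, the Run value is deleted and CheckedValue is restored to 1 (its default) so that hidden files, including any hidden copies the virus left behind, are visible again; the missing-service check only tells you that a key is gone, and the affected security product normally has to be reinstalled to recreate it.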
Analysis by Francis Allan Tan Seng