Trojan.Gema

Discovered: December 16, 2003
Updated: December 23, 2003 4:38:38 PM
Systems Affected: Windows

Trojan.Gema is a trojan program that may attempt to download and execute various files from a remote website.

Trojan.Gema is a downloader trojan that attempts to download and execute files from a specified website. When the trojan is executed, it creates a copy of itself in the Windows System directory as one of the following:
Aucompat.exe
Avimgt.exe
Avimgt32.exe
Cabchk.exe
Cabchk32.exe
Cdcompat.exe
Cpusave.exe
Cpusave32.exe
Dskcompat.exe
Dvdcompat.exe
Dx8compat.exe
Dxsty.exe
Hvid.exe
Imagemgt32.exe
Info32x.exe
Intmgr.exe
Monitormgt.exe
Nvid32.exe
Nvidex32.exe
P3p4chk.exe
Pixel32.exe
Pixelpwr32.exe
Pixelsvr.exe
Pwr32ctr.exe
Pwr32ctrl.exe
Pwr32mgt.exe
Pwroff.exe
Sndcompat.exe
Sndsaver.exe
Vidcompat.exe
Wminf.exe
Wminfo.exe

On Windows 95/98/ME systems, the trojan adds the following line to the Win.ini file so that it executes when the system starts:
Run = %System%\<trojan filename>.exe

It then creates the following registry entries pointing to the trojan's dropped executable file so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"<trojan filename>"="%System%\<trojan filename>.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"<trojan filename>"="%System%\<trojan filename>.exe"

Additionally, the trojan may create the following copy of itself:
Program files\Internet Explorer\Iexplorer.exe

The trojan also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\"Run"="%System%\<trojan filename>.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\<trojan filename>
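A triage check for the persistence artifacts described above, added here as an example and not part of the advisory: it scans a `reg export` text dump for the Run, RunServices and Uninstall entries and a Win.ini for the Windows 9x `Run=` line. The filenames and registry paths are taken from the advisory; the sample export and Win.ini contents are constructed.

```python
import re
# Filenames the advisory lists for the copy Trojan.Gema drops into %System%, matched without ".exe".
GEMA_STEMS = {n[:-4].lower() for n in """
Aucompat.exe Avimgt.exe Avimgt32.exe Cabchk.exe Cabchk32.exe Cdcompat.exe Cpusave.exe Cpusave32.exe
Dskcompat.exe Dvdcompat.exe Dx8compat.exe Dxsty.exe Hvid.exe Imagemgt32.exe Info32x.exe Intmgr.exe
Monitormgt.exe Nvid32.exe Nvidex32.exe P3p4chk.exe Pixel32.exe Pixelpwr32.exe Pixelsvr.exe Pwr32ctr.exe
Pwr32ctrl.exe Pwr32mgt.exe Pwroff.exe Sndcompat.exe Sndsaver.exe Vidcompat.exe Wminf.exe Wminfo.exe""".split()}
# Secondary copy; the genuine browser binary is iexplore.exe, so Iexplorer.exe is a lookalike name.
GEMA_IE_COPY = r"program files\internet explorer\iexplorer.exe"
# Registry locations the advisory names; values there and subkeys under Uninstall are checked.
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall",
)
def stem(path):
    """Last path component, lower-cased, with quotes and .reg double-backslashes removed and ".exe" dropped."""
    return re.sub(r"\.exe$", "", path.strip().strip('"').replace("\\\\", "\\").rsplit("\\", 1)[-1].lower())
def scan_win_ini(text):
    """Flag a Win.ini 'Run=' line (the Windows 95/98/ME autostart the advisory describes) naming a Gema file."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"^\s*run\s*=\s*(.+)$", line, re.I)
        if m and stem(m.group(1)) in GEMA_STEMS:
            hits.append("win.ini Run= -> " + m.group(1).strip())
    return hits
def scan_reg_export(text):
    """Flag Gema indicators in a .reg text export (the format 'reg export' writes)."""
    hits, key, watched = [], "", False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            watched = any((key + "\\").lower().startswith(k.lower() + "\\") for k in PERSISTENCE_KEYS)  # key or subkey
            if watched and stem(key) in GEMA_STEMS:  # Uninstall\<trojan filename> subkey
                hits.append("suspicious key " + key)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and watched:
            data = m.group(2).replace("\\\\", "\\")  # .reg files double every backslash
            if stem(data) in GEMA_STEMS or data.lower().endswith(GEMA_IE_COPY):
                hits.append(key + "\\" + m.group(1) + " -> " + data)
    return hits
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"Cpusave32"="C:\\WINDOWS\\System32\\Cpusave32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"Run"="C:\\WINDOWS\\System32\\Cpusave32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Cpusave32]"""  # constructed sample, not a real capture
SAMPLE_WIN_INI = "[windows]\nload=\nRun = C:\\WINDOWS\\SYSTEM\\Pixel32.exe\n"  # constructed sample
```

On a live system the same functions can be fed the output of `reg export` and the contents of %WINDIR%\Win.ini; the benign Updater entry in the sample is left unflagged.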