CiGiCiGi ViP


Overview

Vendor Notes:

From the doc: 'a trojan like Gip to steal passwords. And it has many features like: stealing icq.ysm, miranda, rillian, aim, msn, ras and cached passwords. Now none of the anti-virus programs can find it. If they find it I will add some changes and it will be undetectable. CiGiCiGi ViP sends mails without a smtp server, so you don't need to find open relay smtp servers. I must say that this trojan doesn't send passwords to me like others. I think most of you used trojans like sub7, Netbus and SchoolBus. I think the aim of using these programs was stealing passwords. But there were harmful functions in them and the victim can be damaged because of them. There are no harmful functions in CiGiCiGi ViP; it doesn't damage the victim directly. It only sends his/her passwords.'

Alias:

Backdoor.Cigivip.10, Backdoor.Cigivip.15.a, Backdoor.Cigivip.17, TrojanDropper.Joiner.ae

Category:

Password Capture: A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.

Variants:

  • CiGiCiGi ViP 1.0
  • CiGiCiGi ViP 1.5
  • CiGiCiGi ViP 1.7

Similar Pests:

Password Capture

Origins

Author:

Fungus Kid

Programming Language:

Delphi

Date of Origin:

Variants from October, 2002 to January, 2003

Place of Origin:

Turkey

Distribution

Prevalence:

  • CiGiCiGi ViP 1.7: < 0.00005%

Clot Factor:

  • CiGiCiGi ViP 1.7: 2

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. The more objects a pest places on a machine, the more difficult and error-prone manual removal becomes.

Countries Affected:

In the past three months, we have received reports of CiGiCiGi ViP in the United States.

Operation

Storage Required:

  • CiGiCiGi ViP 1.0: at least 1013 KB
  • CiGiCiGi ViP 1.5: at least 2673 KB
  • CiGiCiGi ViP 1.7: at least 1957 KB

Restart:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinSys32"
  • c:\windows\system.ini, [boot] "shell"
  • c:\windows\win.ini, [windows] "run"


ScreenShot (captions only; images not reproduced):

  • CiGiCiGi ViP 1.0
  • CiGiCiGi ViP 1.5 (a)
  • CiGiCiGi ViP 1.5 (b)
  • CiGiCiGi ViP 1.7


Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Follow these steps to remove CiGiCiGi ViP from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove AutoRun Reference:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winsys32, delete it and reboot the machine immediately.

Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

Clean Registry:

Remove these registry items (if present) with RegEdit:

Remove Files:

Remove these files (if present) with Windows Explorer:
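A read-only audit of the three autostart locations this entry lists (the Run value "WinSys32", system.ini [boot] shell, win.ini [windows] run), as an added PowerShell example that is not PestPatrol's tool or code. It assumes the stock defaults of that era, shell=explorer.exe and an empty run= line, and only reports; removal stays a manual step as described above.

```powershell
# Added example (not from the PestPatrol page): report, do not delete.
# Run in an elevated PowerShell on the machine being checked.
$findings = @()

# 1. HKLM Run value named "WinSys32" (the value name the entry lists).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['WinSys32']) {
    $findings += "Run value WinSys32 -> $($run.WinSys32)"
}

# Minimal INI reader: returns the value of Key inside [Section], or $null.
function Get-IniValue {
    param([string]$Path, [string]$Section, [string]$Key)
    if (-not (Test-Path $Path)) { return $null }   # file absent on newer Windows
    $inSection = $false
    foreach ($line in Get-Content $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq $Section); continue }
        if ($inSection -and $t -match "^$Key\s*=\s*(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

$winDir = $env:SystemRoot

# 2. system.ini [boot] shell= : assumed default is exactly explorer.exe.
$shell = Get-IniValue -Path "$winDir\system.ini" -Section 'boot' -Key 'shell'
if ($shell -and $shell -inotmatch '^explorer\.exe$') {
    $findings += "system.ini [boot] shell=$shell (expected explorer.exe)"
}

# 3. win.ini [windows] run= : assumed default is an empty line.
$runLine = Get-IniValue -Path "$winDir\win.ini" -Section 'windows' -Key 'run'
if ($runLine) {
    $findings += "win.ini [windows] run=$runLine (expected empty)"
}

if ($findings.Count -eq 0) { 'No CiGiCiGi ViP autostart entries found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

On current Windows versions system.ini no longer carries a [boot] section, so that check silently yields nothing there; the Run key check is the one that still applies.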

Research

File Analyses:

Research By:

PestPatrol's Pest Research Center

Last Revised:

April 15, 2005