"It also gathers a lot of information about the [infected] system, such as e-mail passwords and the ActiveX controls on the PC, then encrypts the information. But it doesn't send it anywhere," Stewart added. "There are just a lot of thing here that don't fit your typical malware pattern."
One thing Stewart was sure of, though, is that Gimmiv is more than a simple password stealer, which is how some researchers originally described it. Instead, the Trojan uses a two-stage attack process in which the first stage is relatively unsophisticated, with the second significantly more complex.
"The difference between the first and second stages is that the first uses strong encryption but a weak key, while the second uses a much stronger key, and different keys for each function," said Stewart. The pattern led him to speculate that the first stage was a decoy for the second, which included backdoor and propagation components in its payload.
Another oddity is the hard-coded termination date for Gimmiv's second-stage bits. "The first stage deletes itself immediately, but the second stage remains until the end of November," Stewart said. At that point, those parts of the threat also self-destruct.
"This seems like an odd way to deploy a worm," said Stewart, "especially one that exploits a zero-day vulnerability."
Prior to the October 23 patch, the last time that Microsoft released an emergency security update was April 2007. In the 12 days since the most recent patch, hackers posted exploit code on the Internet and a second piece of malware, a worm dubbed "Wercol," has been put into circulation.