Troj/Cimuz-D

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Cimuz-D is a backdoor Trojan which allows a remote intruder to gain access to, and control over, the infected computer.

Troj/Cimuz-D includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Cimuz-D copies itself to <System>\mdms.exe and creates the file <System>\winacpi.dll.

The following registry entry is created to run mdms.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMemory manager
<System>\mdms.exe

The file winacpi.dll is registered as a COM object and as an approved shell extension, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}
HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}
HKCR\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}
HKCR\acpi.acpi.1\
HKCR\acpi.ext\

The following registry entries are set under the Windows Firewall policy keys (entries under AuthorizedApplications\List exempt a program from inbound filtering, so a backdoor listed there can accept connections without prompting the user):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The DLL is also registered as a context menu handler for all file types, so Explorer loads winacpi.dll whenever a file's context menu is opened:

HKCR\*\shellex\ContextMenuHandlers\sysacpildap
(default)
{5E2121EE-0300-11D4-8D3B-444553540000}

Registry entries are created under:

HKCU\Software\mzs\mdms\mzu\
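The artefacts above can be checked on a collected registry export rather than on the live host. The following Python script is an added example, not Sophos code and not part of the original description: it parses a .reg export (as written by `reg export` or regedit on the suspect machine) and reports which Cimuz-D artefacts are present. The embedded sample export is constructed; in it <System> is assumed to be C:\WINDOWS\system32, and the InprocServer32 subkey, the Approved value data and the mdms.exe entry in the firewall's AuthorizedApplications\List are assumed layouts that the description does not spell out.

```python
"""Offline triage for the Troj/Cimuz-D registry artefacts listed above: parse a
Windows registry export (.reg text from `reg export` or regedit on the suspect
host) and report which artefacts it contains, without touching the live machine."""
import re

# Key paths and identifiers from the description above (.reg files spell out hive names).
CIMUZ_CLSID = "{5E2121EE-0300-11D4-8D3B-444553540000}"
CIMUZ_INTERFACE = "{5E2121ED-0300-11D4-8D3B-444553540000}"
CIMUZ_TYPELIB = "{5E2121E1-0300-11D4-8D3B-444553540000}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPROVED_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                r"\Shell Extensions\Approved")
CTXMENU_KEY = r"HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
USER_KEY = r"HKEY_CURRENT_USER\Software\mzs\mdms\mzu"

# "name"=data or @=data (the key's default value); names and REG_SZ data are quoted.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {KEY_PATH_UPPER: {value_name_lower: data}} for a .reg export.
    Keys and value names are case-folded (the registry is case-insensitive); REG_SZ data
    is decoded, dword:/hex: data is kept raw and [-KEY] deletion records are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1].upper()
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:  # hex continuation lines land here and are dropped
            continue
        name = "" if m.group(2) else _unescape(m.group(1)).lower()
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def cimuz_indicators(keys):
    """Return the names of the Cimuz-D artefacts present in a parsed export."""
    def has_key(prefix):
        p = prefix.upper()
        return any(k == p or k.startswith(p + "\\") for k in keys)

    run_value = keys.get(RUN_KEY.upper(), {}).get("sysmemory manager", "")
    checks = [
        ("run_key_mdms", run_value.lower().endswith("\\mdms.exe")),
        ("com_clsid", has_key(r"HKEY_CLASSES_ROOT\CLSID\%s" % CIMUZ_CLSID)),
        ("com_interface", has_key(r"HKEY_CLASSES_ROOT\Interface\%s" % CIMUZ_INTERFACE)),
        ("com_typelib", has_key(r"HKEY_CLASSES_ROOT\TypeLib\%s" % CIMUZ_TYPELIB)),
        ("progid_acpi", has_key(r"HKEY_CLASSES_ROOT\acpi.acpi.1") or has_key(r"HKEY_CLASSES_ROOT\acpi.ext")),
        ("approved_shell_extension", CIMUZ_CLSID.lower() in keys.get(APPROVED_KEY.upper(), {})),
        ("context_menu_handler", keys.get(CTXMENU_KEY.upper(), {}).get("", "").upper() == CIMUZ_CLSID),
        # The description only says the firewall keys are modified; looking for an mdms.exe
        # entry in the authorised-application list is this example's assumption.
        ("firewall_exception_mdms", any(n.endswith("\\mdms.exe") for n in keys.get(FW_LIST_KEY.upper(), {}))),
        ("hkcu_mzs_mdms", has_key(USER_KEY)),
    ]
    return [name for name, hit in checks if hit]


# Constructed sample export, not a real capture. <System> is expanded to C:\WINDOWS\system32;
# the InprocServer32 subkey, the Approved value data and the firewall list entry are assumed
# layouts the description does not spell out.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysMemory manager"="C:\\WINDOWS\\system32\\mdms.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5E2121EE-0300-11D4-8D3B-444553540000}"="acpi"
[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32]
@="C:\\WINDOWS\\system32\\winacpi.dll"
[HKEY_CLASSES_ROOT\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}]
[HKEY_CLASSES_ROOT\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}]
[HKEY_CLASSES_ROOT\acpi.acpi.1]
[HKEY_CLASSES_ROOT\acpi.ext]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap]
@="{5E2121EE-0300-11D4-8D3B-444553540000}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mdms.exe"="C:\\WINDOWS\\system32\\mdms.exe:*:Enabled:mdms"
[HKEY_CURRENT_USER\Software\mzs\mdms\mzu]
"""

if __name__ == "__main__":
    # regedit writes UTF-16 exports: use open(path, encoding="utf-16").read() on real files.
    print("Cimuz-D artefacts:", cimuz_indicators(parse_reg_export(SAMPLE_EXPORT)))
```

Exports written by regedit are UTF-16 with a byte-order mark, so open real files with encoding="utf-16". The Run value alone is the quickest triage signal; the Approved and context-menu-handler hits show how winacpi.dll is made to load inside Explorer, and any of the COM or HKCU hits without the Run value suggests a partial clean-up that left the DLL registration behind.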
