Troj/Cimuz-O

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Cimuz-O is a backdoor Trojan for the Windows platform.

Troj/Cimuz-O includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Cimuz-O acts as a proxy server, and may download and execute remote files.

When first run, Troj/Cimuz-O copies itself to <System>\mdms.exe and creates the following files:

<System>\sporder.dll
<System>\mswsck2.dll

The file mswsck2.dll is detected as Troj/Cimuz-O when it is dropped intact; however, Troj/Cimuz-O may corrupt the file while dropping it, leaving a clean data file that is not detected. The file sporder.dll appears to be a clean Windows DLL.

The following registry entry is created to run mdms.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMemory manager
<System>\mdms.exe

Troj/Cimuz-O attempts to terminate processes, set registry values, and corrupt files related to anti-virus and security programs.

The following registry entry is set, allowing mdms.exe to bypass the Windows firewall:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<System>\mdms.exe
<System>\mdms.exe:*:Enabled:mdm_sysag
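The Run entry and the firewall exception above are the indicators most easily checked offline, for example against a registry export (reg export output) taken from a suspect host. The following script is an added example for this page, not Sophos code: it parses a .reg text, looks for the "SysMemory manager" Run value or any Run value that launches mdms.exe, and splits AuthorizedApplications\List entries into their path:scope:state:name fields so the mdm_sysag exception can be recognised. The sample export embedded in the script is constructed for the demonstration, and the C:\WINDOWS\system32 path stands in for <System>; the file drops (mdms.exe, sporder.dll, mswsck2.dll) can only be checked on the live filesystem and are not covered here.

```python
"""Scan a Windows registry export (.reg text) for the Troj/Cimuz-O
persistence and firewall-bypass entries described above.
Added example for this page; the sample export below is constructed."""
import re

# Indicators taken from the description. Key names are compared
# case-insensitively because exports preserve whatever case is stored.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
RUN_VALUE_NAME = "SysMemory manager"
DROPPED_EXE = "mdms.exe"
FW_DISPLAY_NAME = "mdm_sysag"

# Constructed sample of what `reg export` produces on an infected XP host
# (C:\WINDOWS\system32 stands in for <System>; the ctfmon and Messenger
# entries are benign padding so the scan has something to ignore).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysMemory manager"="C:\\WINDOWS\\system32\\mdms.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mdms.exe"="C:\\WINDOWS\\system32\\mdms.exe:*:Enabled:mdm_sysag"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# A .reg string value line: "name"="data" (or @="data" for the default value).
# Backslashes and quotes inside the strings are escaped with a backslash.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (single left-to-right pass)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_lowercase: {value_name: data}} for string values only;
    dword/hex values are skipped because none of the indicators use them."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def parse_firewall_entry(data):
    """Split an XP-era AuthorizedApplications\\List value ('path:scope:state:name')
    into fields. The path contains a drive-letter colon, so split from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def find_cimuz_indicators(text):
    """Return a list of (kind, value_name, detail) tuples for matching entries."""
    keys = parse_reg_export(text)
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith("\\" + DROPPED_EXE):
            hits.append(("run", name, data))
    for name, data in keys.get(FW_LIST_KEY.lower(), {}).items():
        entry = parse_firewall_entry(data)
        if entry is None:
            continue
        if entry["path"].lower().endswith("\\" + DROPPED_EXE) or entry["name"] == FW_DISPLAY_NAME:
            hits.append(("firewall", name, entry))
    return hits


if __name__ == "__main__":
    for hit in find_cimuz_indicators(SAMPLE_REG):
        print(hit)
```

Matching on the display name mdm_sysag as well as the path catches a variant that keeps the firewall entry but is copied under a different filename; conversely, matching the Run data on the mdms.exe suffix catches the persistence entry even if the value name is changed.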

Troj/Cimuz-O may attempt to hide its presence from certain processes.
