Sophos

Troj/Cimuz-C

Aliases
  • BackDoor-CLK
  • trojan
Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 15 September 2005 06:07:29 (GMT)
Last updated 31 October 2005 23:01:18 (GMT)
Detected by All Sophos products

More Information

Troj/Cimuz-C is a Trojan for the Windows platform.

The Trojan starts a proxy server allowing remote users to route HTTP traffic through the infected computer. The Trojan registers itself on several sites to report the availability of the listening proxy server.

Troj/Cimuz-C includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Cimuz-C copies itself to <System>\mdms.exe and creates the file <System>\winacpi.dll.

The following registry entry is created to run mdms.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMemory manager
<System>\mdms.exe

The file winacpi.dll is registered as a COM object, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\CLSID\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\Interface\(5E2121ED-0300-11D4-8D3B-444553540000)
HKCR\TypeLib\(5E2121E1-0300-11D4-8D3B-444553540000)
HKCR\acpi.acpi.1\
HKCR\acpi.ext\

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The following registry entry is set:

HKCR\*\shellex\ContextMenuHandlers\sysacpildap
(default)
(5E2121EE-0300-11D4-8D3B-444553540000)

Registry entries are created under:

HKCU\Software\mzs\mdms\mzu\
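As an added defender-side check, not part of the Sophos description: a Python script that parses a registry export and flags the Troj/Cimuz-C entries listed above, using a constructed sample export embedded inline. It assumes the export follows regedit's .reg format and that the GUIDs appear in their usual brace-delimited form.

```python
import re

# Constructed .reg export (sample data, not a real capture) mirroring the entries
# listed above plus one benign Run value; brace-delimited GUIDs are assumed.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysMemory manager"="C:\\WINDOWS\\system32\\mdms.exe"
[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]
@="acpi"
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap]
@="{5E2121EE-0300-11D4-8D3B-444553540000}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mdms.exe"="C:\\WINDOWS\\system32\\mdms.exe:*:Enabled:mdms"
[HKEY_CURRENT_USER\Software\mzs\mdms\mzu]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
CIMUZ_GUIDS = ("5E2121EE-0300-11D4-8D3B-444553540000", "5E2121ED-0300-11D4-8D3B-444553540000",
               "5E2121E1-0300-11D4-8D3B-444553540000")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
FW_LIST = r"\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST"
SHELL_KEYS = (r"\ACPI.ACPI.1", r"\ACPI.EXT", r"\SHELLEX\CONTEXTMENUHANDLERS\SYSACPILDAP")

def parse_reg_export(text):
    """Parse .reg text into {KEY (upper-cased): {value name or '@': data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1).upper()
            keys[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def find_cimuz_indicators(keys):
    """Return one hit string per Troj/Cimuz-C artefact present in a parsed export."""
    hits = []
    for key, values in keys.items():
        if key == RUN_KEY:  # autorun of <System>\mdms.exe under any value name
            hits += [f"Run value {n!r} -> {v}" for n, v in values.items()
                     if v.lower().endswith("\\mdms.exe")]
        if any(g in key for g in CIMUZ_GUIDS) or key.endswith(SHELL_KEYS):
            hits.append(f"COM/shell registration: {key}")
        if key.endswith(FW_LIST) and any("mdms.exe" in n.lower() for n in values):
            hits.append("Windows Firewall exception for mdms.exe")
        if key == r"HKEY_CURRENT_USER\SOFTWARE\MZS\MDMS\MZU":
            hits.append(f"Trojan data key: {key}")
    return hits
```

On a live system the same functions can be fed the output of `reg export` for the hives above; an empty result means none of the listed artefacts are present.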
