Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2006 (4.06) |
| Protection available since | 1 May 2006 05:22:23 (GMT) |
| Last updated | 2 May 2006 09:47:38 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Cosiam-H is a proxy server Trojan.
The proxy server runs continuously in the background listening on port 23358 and allows data to be routed through the computer. The proxy server may be used to forward spam.
Troj/Cosiam-H includes functionality to silently download, install and run new software, including updates of its software.
When first run, Troj/Cosiam-H copies itself to <System>\0mcamcap.exe and creates the files:
<System>\TheMatrixHasYou.exe
<System>\ImaS3r
TheMatrixHasYou.exe is a simple (clean) utility program which Troj/Cosiam-H uses to delete the original copy of itself.
The following registry entries are created to run 0mcamcap.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
0mcamcap
<System>\0mcamcap.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
0mcamcap
<System>\0mcamcap.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0mcamcap
<System>\0mcamcap.exe
The following registry entry is created:
HKLM\SOFTWARE\Microsoft
ATI_VER
1146305807
Troj/Cosiam-H will attempt to terminate any active processes whose names contain the strings:
bargains.exe
ntddetect.exe
jucheck.exe
spamsub.exe
mppey.exe
tfswctrl.exe
winupdt.exe
mcvsshld.exe
shwiconem.exe
atipatnm
atipatxx
atipalxx
ati2evxx
atiupdpl
atiptilt
updatelavasoft
outpostupdate
updatesecurity
proqlaim
mpsegment
hedgie
leeman
random
polygraf
multitran
logopod
shellbn
tetriz3
netfilt4
csrsvr
mshtb.exe
eventwvr
drwtsn64
cnkdsk
taskswap
listmru
mstarodz
recyclebmsadblk
winamp5
frescra
gadgscan
msadblok
msadblock
truetype
antinet8
Troj/Cosiam-H will also attempt to delete any values under the following registry entries that contain any of the strings listed above:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
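The persistence entries, dropped files and port 23358 listener described above can be checked on a suspect host from collected artefacts. The following is an added triage example, not Sophos code; it assumes <System> expands to C:\WINDOWS\system32 and works on an exported registry snapshot, a directory listing and `netstat -ano` text, with all sample inputs constructed for illustration.

```python
# Indicators from the description above. <System> is assumed to expand to
# C:\WINDOWS\system32 (an assumption; the page does not state the path).
import re

AUTORUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
MARKER_KEY, MARKER_NAME = r"HKLM\SOFTWARE\Microsoft", "ATI_VER"
DROPPED_FILES = ("0mcamcap.exe", "TheMatrixHasYou.exe", "ImaS3r")
PROXY_PORT = 23358

def check_registry(reg):
    """reg: {key: {value_name: data}} exported from the host. Returns hits."""
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name.lower() == "0mcamcap" or "0mcamcap.exe" in data.lower():
                hits.append(f"{key}\\{name} = {data}")
    if MARKER_NAME in reg.get(MARKER_KEY, {}):
        hits.append(f"{MARKER_KEY}\\{MARKER_NAME} = {reg[MARKER_KEY][MARKER_NAME]}")
    return hits

def check_files(system_dir_listing):
    """Dropped file names present in a listing of the <System> directory."""
    present = {n.lower() for n in system_dir_listing}
    return [f for f in DROPPED_FILES if f.lower() in present]

def check_listener(netstat_output):
    """PIDs of processes LISTENING on TCP 23358 in `netstat -ano` output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
    return [int(m.group(2)) for line in netstat_output.splitlines()
            if (m := pat.match(line)) and int(m.group(1)) == PROXY_PORT]

def triage(reg, listing, netstat_output):
    """Run all checks; any non-empty field means follow the Trojan removal steps."""
    return {"registry": check_registry(reg), "files": check_files(listing),
            "listener_pids": check_listener(netstat_output)}

# Constructed sample artefacts standing in for an infected host (not real data).
SAMPLE_REG = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "0mcamcap": r"C:\WINDOWS\system32\0mcamcap.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    r"HKLM\SOFTWARE\Microsoft": {"ATI_VER": "1146305807"},
}
SAMPLE_LISTING = ["0mcamcap.exe", "ImaS3r", "kernel32.dll", "TheMatrixHasYou.exe"]
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135      0.0.0.0:0       LISTENING    892
  TCP    0.0.0.0:23358    0.0.0.0:0       LISTENING    1524
  TCP    192.0.2.10:1047  192.0.2.20:25   ESTABLISHED  1524
"""
```

Calling `triage(SAMPLE_REG, SAMPLE_LISTING, SAMPLE_NETSTAT)` flags the Run value, the ATI_VER marker, all three dropped files and PID 1524 as the port 23358 listener, while the benign ctfmon.exe entry and the port 135 listener are left alone.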
