Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | February 2006 (4.02) |
| Protection available since | 10 December 2005 17:10:57 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Cimuz-O is a backdoor Trojan for the Windows platform.
Troj/Cimuz-O includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Cimuz-O acts as a proxy server, and may download and execute remote files.
When first run, Troj/Cimuz-O copies itself to <System>\mdms.exe and creates the following files:
<System>\sporder.dll
<System>\mswsck2.dll
The file mswsck2.dll is detected as Troj/Cimuz-O when dropped correctly, though Troj/Cimuz-O may corrupt the file when it is dropped, turning it into a clean data file. The file sporder.dll appears to be a clean Windows DLL.
The following registry entry is created to run mdms.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMemory manager
<System>\mdms.exe
Troj/Cimuz-O attempts to terminate processes, set registry values, and corrupt files related to anti-virus and security programs.
The following registry entry is set, allowing mdms.exe to bypass the Windows firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\mdms.exe
<System>\mdms.exe:*:Enabled:mdm_sysag
Troj/Cimuz-O may attempt to stealth its presence from certain processes.
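The following PowerShell script is an added example, not part of the Sophos analysis, that audits a Windows host for the artefacts listed above (the dropped files, the Run value "SysMemory manager", the Windows Firewall authorised-application entry, and a running mdms.exe). It is read-only and only reports; it assumes the <System> placeholder resolves to the host's system directory as returned by [Environment]::GetFolderPath('System'), and it should be run from an elevated session so the HKLM keys and the system directory are readable.

```powershell
# Added example (not from the Sophos page): read-only audit for Troj/Cimuz-O indicators.
# Reports findings; removes nothing. Run elevated.

# Assumption: <System> in the analysis is the Windows system directory.
$system = [Environment]::GetFolderPath('System')

# Files the analysis says the Trojan drops (mswsck2.dll may be a corrupted, clean data file).
$files = @('mdms.exe', 'sporder.dll', 'mswsck2.dll') | ForEach-Object { Join-Path $system $_ }

# Autorun entry: value name and key taken from the analysis.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'SysMemory manager'

# Firewall exception: the value name is the full path to mdms.exe.
$fwKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwValue = Join-Path $system 'mdms.exe'

$findings = @()

# 1. Dropped files
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $f
            Detail   = ('{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime)
        }
    }
}

# 2. Run key persistence
$runData = (Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue).$runValue
if ($runData) {
    $findings += [pscustomobject]@{
        Type     = 'Registry (Run)'
        Location = "$runKey\$runValue"
        Detail   = $runData
    }
}

# 3. Windows Firewall authorised-application entry
$fwData = (Get-ItemProperty -Path $fwKey -Name $fwValue -ErrorAction SilentlyContinue).$fwValue
if ($fwData) {
    $findings += [pscustomobject]@{
        Type     = 'Registry (Firewall)'
        Location = "$fwKey\$fwValue"
        Detail   = $fwData
    }
}

# 4. Running instance of mdms.exe
Get-Process -Name mdms -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type     = 'Process'
        Location = $_.Path
        Detail   = ('PID {0}' -f $_.Id)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Cimuz-O indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The file check uses -LiteralPath so the paths are not treated as wildcards, and every registry lookup uses -ErrorAction SilentlyContinue so a missing key simply yields no finding rather than an error. On 64-bit Windows a 32-bit process writing to the system directory is redirected to SysWOW64 by WOW64 file redirection, so on such hosts it is worth running the file check against that directory as well.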
