Troj/Cimuz-E

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Cimuz-E is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Cimuz-E includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan opens a backdoor and connects to several remote sites to report the availability of the infected computer and the port on which attackers can connect.

When first run, Troj/Cimuz-E copies itself to <System>\csmss.exe and creates the following files:

<Temp>\1e0f5.dmp (data file - may be safely deleted)
<System>\winacpi.dll (also detected as Troj/Cimuz-E)

The following registry entry is created to run csmss.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
spoolsvr32
<System>\csmss.exe

The file winacpi.dll is registered as a COM object, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\CLSID\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\Interface\(5E2121ED-0300-11D4-8D3B-444553540000)
HKCR\TypeLib\(5E2121E1-0300-11D4-8D3B-444553540000)
HKCR\acpi.acpi.1\
HKCR\acpi.ext\

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The following registry entry is set:

HKCR\*\shellex\ContextMenuHandlers\sysacpildap
(default)
(5E2121EE-0300-11D4-8D3B-444553540000)

Registry entries are created under:

HKCU\Software\mzs\csmss\mzu\
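The file and registry indicators above can be checked on a suspect host with a read-only triage script. The following is an added example, not part of the Sophos description; it assumes the GUIDs shown in parentheses above are stored in the registry in the usual brace form (both spellings are tested), and it inspects only the current user's HKCU hive.

```powershell
# Added example: read-only triage for the Troj/Cimuz-E artifacts listed above.
# Run from an elevated PowerShell; it reports findings and changes nothing.
$sys  = "$env:SystemRoot\System32"
$guid = '5E2121EE-0300-11D4-8D3B-444553540000'   # CLSID from the description
$hits = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: the copied Trojan and the companion DLL
foreach ($f in "$sys\csmss.exe", "$sys\winacpi.dll") {
    if (Test-Path -LiteralPath $f) { $hits.Add("file present: $f") }
}

# 2. Run-key persistence: value 'spoolsvr32' pointing at <System>\csmss.exe
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['spoolsvr32']) {
    $hits.Add("Run key spoolsvr32 = $($run.spoolsvr32)")
}

# 3. COM registration of winacpi.dll and the context-menu handler.
#    -LiteralPath is required because '*' is a real key name under HKCR here.
$comKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\{$guid}",
    "Registry::HKEY_CLASSES_ROOT\CLSID\($guid)",        # spelling as printed above
    'Registry::HKEY_CLASSES_ROOT\acpi.acpi.1',
    'Registry::HKEY_CLASSES_ROOT\acpi.ext',
    'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap',
    'HKCU:\Software\mzs\csmss\mzu'                      # current user only
)
foreach ($k in $comKeys) {
    if (Test-Path -LiteralPath $k) { $hits.Add("registry key present: $k") }
}
$approved = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' -ErrorAction SilentlyContinue
if ($approved -and ($approved.PSObject.Properties.Name -match $guid)) {
    $hits.Add("shell extension approved for CLSID $guid")
}

# 4. Windows Firewall exception: any AuthorizedApplications entry naming csmss.exe
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -LiteralPath $fwList -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties |
        Where-Object { $_.Name -match 'csmss\.exe' -or "$($_.Value)" -match 'csmss\.exe' } |
        ForEach-Object { $hits.Add("firewall exception: $($_.Name)") }
}

if ($hits.Count -gt 0) { $hits | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Troj/Cimuz-E artifacts found.' }
```

A hit on any single indicator is enough to warrant a full scan; the Run-key value name and the firewall exception are the cheapest to query fleet-wide.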

The Trojan may also attempt to terminate the following:

amon.exe
C:\Program Files\Agnitum\Outpost Firewall\Engine.dll
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\perfiloc.dll
C:\Program Files\Kerio\Personal Firewall 4\kfe.dll
C:\Program Files\McAfee.com\Personal Firewall\Localized.DLL
C:\Program Files\McAfee.com\Personal Firewall\MpfUi.Dll
C:\Program Files\Norton Internet Security Professional\FRERules.dll
C:\Program Files\Tiny Firewall Pro\SnortImp.dll
C:\Program Files\Zone Labs\ZoneAlarm\vsruledb.dll
firewall.exe
kpf4gui.exe
kpf4ss.exe
MpfService.exe
NPROTECT.EXE
outpost.exe
ZAPRO.EXE
zonealarm.exe