TR/Proxy.Ciumz.BG - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Proxy.Ciumz.BG
Date discovered:	22/12/2005
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	39.341 Bytes
MD5 checksum:	ae4ad95ab05a565abf20bac0b21090b8
VDF version:	6.32.00.53 - Fri, 30 Sep 2005 08:20 (GMT+1)

General Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: Trojan.Repsamo
   • Kaspersky: Trojan-Proxy.Win32.Cimuz.bg
   • TrendMicro: TROJ_DROPPER.LF
   • Bitdefender: Trojan.Proxy.Cimuz.BG

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files It copies itself to the following location:
   • %SYSDIR%\mdms.exe

It deletes the following files:
   • c:\ccccccccccccccccoemrciermicomeriocmeiormcioermo
   • c:\cc5y456 455 4 54cccccccoemrciermicomeriocmeiormcioermo

It may corrupt the following files:
   • %PROGRAM FILES%\McAfee.com\Personal Firewall\MpfUi.Dll
   • %PROGRAM FILES%\Kaspersky Lab\Kaspersky Anti-Hacker\perfiloc.dll
   • %PROGRAM FILES%\Tiny Firewall Pro\SnortImp.dll
   • %PROGRAM FILES%\McAfee.com\Personal Firewall\Localized.DLL
   • %PROGRAM FILES%\Agnitum\Outpost Firewall\Engine.dll
   • %PROGRAM FILES%\Norton Internet Security Professional\FRERules.dll
   • %PROGRAM FILES%\Kerio\Personal Firewall 4\kfe.dll
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\vsruledb.dll

The following file is created:

– %SYSDIR%\winacpi.dll Used to hide the process from Task Manager. Detected as: TR/Drop.Agen.bd.A.1

– The locations are the following:
   • http://ozonung.biz/**********?%random words%
   • http://votreenton.biz/**********?%random words%
   • http://troonety.biz/**********?%random words%
   • http://breenten.biz/**********?%random words%
   • http://zurrusco.com/**********?%random words%
   • http://freelife4ever.com/**********?%random words%
   • http://213.21.215.186/**********?%random words%
It is saved on the local hard drive under: %temporary internet files%\takeme2.htm This file may contain further download locations and might serve as source for new threats.

Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SysMemory manager"="%sysdir%\mdms.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\mdms.exe"="%SYSDIR%\mdms.exe:*:Enabled:mdm_sysag"

The following registry keys are added:

– [HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}\TypeLib]
   • @="{5E2121E1-0300-11D4-8D3B-444553540000}"
   • "Version"="1.0"

– [HKCR\*\shellex\ContextMenuHandlers\sysacpildap]
   • @="{5E2121EE-0300-11D4-8D3B-444553540000}

– [HKCU\Software\mzs\mdms\mzu]
   • "cid"=%hex number%
   • "newhost"=dword:00000001
   • "pt"=dword:000006c4

– [HKCR\acpi.acpi.1]
   • @="acpi Class"

– [HKCR\acpi.acpi.1\CLSID]
   • @="{5E2121EE-0300-11D4-8D3B-444553540000}"

– [HKCR\acpi.ext]
   • @="acpi Class"

– [HKCR\acpi.ext\CLSID]
   • @="{5E2121EE-0300-11D4-8D3B-444553540000}"

– [HKCR\acpi.ext\CurVer]
   • @="acpi.acpi.1"

– [HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]
   • @="acpi"

– [HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32]
   • @="%SYSDIR%\winacpi.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID]
   • @="acpi.1"

– [HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\Programmable]
– [HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib]
   • @="{5E2121E1-0300-11D4-8D3B-444553540000}"

– [HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\
   VersionIndependentProgID]
   • @="acpi"
   •

– [HKCR\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}\1.0]
   • @="SimpleExt 1.0 Type Library"

– [HKCR\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}\1.0\0]
– [HKCR\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}\1.0\0\win32]
   • @="%SYSDIR%\winacpi.dll"

– [HKCR\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}\1.0\FLAGS]
   • @="0"

– [HKCR\TypeLib\{5E2121E1-0300-11D4-8D3B-444553540000}\1.0\HELPDIR]
   • @="%SYSDIR%\"

– [HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}]
   • @="ISimpleShlExt"

– [HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}\
   ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}\
   ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

Process termination List of processes that are terminated:
   • amon.exe; ehmas.exe; firewall.exe; gcasDtServ.exe; gcasServ.exe;
      kpf4gui.exe; kpf4ss.exe; MpfService.exe; NPROTECT.EXE; outpost.exe;
      ZAPRO.EXE; zonealarm.exe

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• FSG

See a brief description here.

Description inserted by Iulia Diaconescu on Wed, 21 Dec 2005 13:56 (GMT+1)
Description updated by Andrei Gherman on Mon, 30 Jan 2006 11:22 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back