Win32/PSW.Cimuz [Threat Name] go to Threat

Win32/PSW.Cimuz.AC [Threat Variant Name]

Category trojan
Size 79360 B
Detection created Aug 29, 2012
Detection database version 7427
Aliases PWS:Win32/Briba.A (Microsoft)
  Backdoor.Briba (Symantec)
  BackDoor.Agent.ARNB.trojan (AVG)
  TR/PSW.Briba.A.1 (Avira)
Short description

Win32/PSW.Cimuz.AC is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan creates one of the following files:

  • %commonappdata%\­XpsFilter.dll (51712 B, Win32/PSW.Cimuz.AC)
  • %internetcache%\­XpsFilter.dll (51712 B, Win32/PSW.Cimuz.AC)

The trojan executes the following commands:

  • cmd.exe /c "rundll32.exe "%librarypath%", start > nul"
  • cmd.exe /c "del %originalmalwarepath% > nul"

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "rundll32.exe" = "rundll32.exe "%malwarefilepath%",start"

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects information related to the following applications:

  • Internet Explorer

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • type of Internet connection
  • network adapter information

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan creates the following files:

  • %system%%variable%.dhq (0 B)
  • %appdata%\­wmplay32.chq (100 B)

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.