Win32/Cimag [Threat Name]

Win32/Cimag.CN [Threat Variant Name]

Category: trojan
Size: 71168 B
Aliases: Trojan-Downloader.Win32.Mufanom.aafz (Kaspersky)
  Hiloti.gen.e.trojan (McAfee)
  Trojan:Win32/Hiloti.gen!D (Microsoft)
  Trojan.Zefarch (Symantec)
Short description

Win32/Cimag.CN is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself to some of the following locations:

  • %windir%\%variable1%.dll
  • %localappdata%\%variable1%.dll
  • %currentfolder%\%variable1%-update.exe
  • %currentfolder%\KB%variable2%-update.exe

The file is then executed.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "rundll32.exe "%malwarefilepath%",Startup"

A string with variable content is used instead of %variable1-3%.

The trojan quits immediately if it is run within a debugger.

Information stealing

Win32/Cimag.CN is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • volume serial number
  • CPU information
  • the IP address of the router in the local network

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

The trojan tries to download several files from the Internet.

These are stored in the following locations:

  • %localappdata%\chrome\content\_cfg.js
  • %localappdata%\chrome\content\overlay.xul
  • %windir%\%variable4%.dll
  • %localappdata%\%variable4%.dll

The trojan may execute the following commands:

  • rundll32.exe "%malwarefilepath%", iep
  • rundll32.exe "%malwarefilepath%", l
  • rundll32.exe "%malwarefilepath%", r
  • rundll32.exe "%malwarefilepath%", Startup
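
A defensive check built from the Run entry and the rundll32.exe commands listed above, added here as an example and not part of the original description: it flags command lines in which rundll32.exe loads a DLL located directly in %windir% or %localappdata% with one of the listed exports. The value names, paths and the ENV mapping are constructed sample data; reading the real Run key or process logs is left out so the block runs offline.

```python
import ntpath
import re

# Export names this page lists for the trojan's rundll32.exe commands.
CIMAG_EXPORTS = {"iep", "l", "r", "Startup"}

# Matches: [path\]rundll32[.exe] "<dll>",<export>  (space after the comma optional)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))\s*,\s*(?P<export>\w+)\s*$',
    re.IGNORECASE,
)

def expand(path, env):
    """Expand %NAME% variables from a lower-cased mapping; unknown names stay as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def is_suspicious(command, env):
    """True if rundll32 loads a DLL directly in %windir% or %localappdata% with a listed export."""
    m = RUNDLL_RE.match(command)
    # Export names are compared case-sensitively, as they appear on the page.
    if not m or m.group("export") not in CIMAG_EXPORTS:
        return False
    dll = ntpath.normcase(ntpath.normpath(expand(m.group("q") or m.group("u"), env)))
    if not dll.endswith(".dll"):
        return False
    roots = {ntpath.normcase(ntpath.normpath(env[k])) for k in ("windir", "localappdata")}
    # The page places the DLL in the folder itself, not in a subfolder such as System32.
    return ntpath.dirname(dll) in roots

def scan(values, env):
    """Return the names of Run values (name -> command line) that match, sorted."""
    return sorted(name for name, cmd in values.items() if is_suspicious(cmd, env))

# Constructed environment and Run-key values for illustration only.
ENV = {"windir": r"C:\Windows", "localappdata": r"C:\Users\alice\AppData\Local"}
SAMPLE_RUN_VALUES = {
    "qzxvbn": r'rundll32.exe "C:\Users\alice\AppData\Local\qzxvbn.dll",Startup',
    "abcd": r'rundll32.exe "%windir%\abcd.dll", iep',
    "Printer": r'rundll32.exe "C:\Windows\System32\printui.dll",PrintUIEntry',
    "Vendor": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Startup',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for name in scan(SAMPLE_RUN_VALUES, ENV):
        print("review Run value:", name, "->", SAMPLE_RUN_VALUES[name])
```

A match is a lead for review rather than a verdict, since the export names are short and generic; the directory constraint is what narrows it.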

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\%variable5%]
  • [HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\%variable5%]

A string with variable content is used instead of %variable4-5%.
