Old 04-09-2006, 21:58   #12
ADd
Re: tspy - Trojan keylogger

Certainly a possibility TheBlueRaja, with regard to the following in the registry:
Quote:
2006-08-28 13:16:24.203 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79669) on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}'

2006-08-28 13:16:06.984 FINEST ProcessSystemCallback Found threat infection: TSPY_Cimuz (ID 79664) on 'HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\'
Sophos comments: http://www.sophos.com/security/analyses/trojcimuzb.html

Quote:
This section contains the description and advanced technical information

Troj/Cimuz-B is a Trojan for the Windows platform.

The Trojan starts a proxy server allowing remote users to route HTTP traffic
through the infected computer. The Trojan registers itself on several sites to
report the availability of the listening proxy server.

Troj/Cimuz-B includes functionality to access the internet and communicate with
a remote server via HTTP.

When first run Troj/Cimuz-B copies itself to <System>\mdms.exe and creates the
file <System>\winacpi.dll.

The following registry entry is created to run mdms.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMemory manager
<System>\mdms.exe

The file winacpi.dll is registered as a COM object, creating registry entries
under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\(5E2121EE-0300-11D4-8D3B-444553540000)
HKCR\CLSID\(5E2121EE-0300-11D4-8D3B-444553540000)

HKCR\Interface\(5E2121ED-0300-11D4-8D3B-444553540000)
HKCR\TypeLib\(5E2121E1-0300-11D4-8D3B-444553540000)
HKCR\acpi.acpi.1\
HKCR\acpi.ext\

The following registry entry is set:

HKCR\*\shellex\ContextMenuHandlers\sysacpildap
(default)
(5E2121EE-0300-11D4-8D3B-444553540000)

Registry entries are created under:

HKCU\Software\mzs\mdms\mzu\
This is perhaps part of the reason Trend found these registry entries as bad. A Google search of
Quote:
5E2121EE-0300-11D4-8D3B-444553540000
Returns about 800 hits on it. If you are running an ATI card, you may wish to read these threads:
http://www.bullguard.com/forum/5/Zubox_18003.html
http://www.wilderssecurity.com/archi...p/t-98909.html

These are for different programs, Spy Sweeper and Spyware Doctor, both good anti-spyware programs, but it does indicate a false positive is possible.
It is also indicated in this WinPFind2 log, which points to the ATI dll:
http://www.tomcoyote.org/forums/lofi...hp/t66665.html
Quote:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}--------- SimpleShlExt Class = C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll ( [Ver = 1, 0, 0, 1 | Size = 73728 bytes | Date = 10/19/2005 11:17 | Attr = ])
I guess it all comes down to whether you have an ATI card installed. If you do, it could well be a false positive; if not, just traces in the registry. You could also use the Sophos link to try and find the files on your C:\ drive: make sure you have set Windows Explorer to show hidden files and folders, then just navigate to the correct places. If the files are not there, neither is the infection.
BTW, it is typical for malware to use legitimate registry entries when installing on a system, in an attempt to hide itself from the user and from scanners.
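As an added example (not from the original post, Trend or Sophos), a PowerShell triage script that checks the indicators quoted above to tell the ATI shell extension apart from an actual Cimuz install. It assumes Windows PowerShell 5.1 or later, and that the CLSID's InprocServer32 default value holds the DLL path; the CLSID, file names and key names are the ones from the post.

```powershell
# Added triage script, not part of the original post. Assumes Windows PowerShell 5.1+
# run as a user who can read HKCR/HKLM; CLSID and file names come from the post above.
$Clsid = '{5E2121EE-0300-11D4-8D3B-444553540000}'
$Sys   = [Environment]::GetFolderPath('System')   # <System> in the Sophos write-up

function Test-CimuzIndicators {
    param([string]$Clsid, [string]$SystemDir)
    $result = [ordered]@{}

    # 1. Where does the CLSID actually point? The benign ATI hit resolves to atiacmxx.dll.
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $dll = $null
    if (Test-Path $srvKey) {
        $dll = [Environment]::ExpandEnvironmentVariables(
                   (Get-ItemProperty -Path $srvKey).'(default)')
    }
    $result.ClsidServer  = $dll
    $result.ServerExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
    if ($result.ServerExists) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $result.ServerSigner = $sig.SignerCertificate.Subject
        $result.ServerSigned = ($sig.Status -eq 'Valid')
    }

    # 2. Files the Sophos description says the Trojan drops into <System>.
    $result.MdmsPresent    = Test-Path -LiteralPath (Join-Path $SystemDir 'mdms.exe')
    $result.WinacpiPresent = Test-Path -LiteralPath (Join-Path $SystemDir 'winacpi.dll')

    # 3. Persistence: the Run value named "SysMemory manager".
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
               -ErrorAction SilentlyContinue
    $result.RunValue = $run.'SysMemory manager'

    # 4. The user-hive key the Trojan creates.
    $result.MzsKeyPresent = Test-Path 'HKCU:\Software\mzs\mdms\mzu'

    # Verdict: the dropped files, Run value or mzs key mean a real infection. A CLSID that
    # resolves to an existing, validly signed vendor DLL with none of those is a false positive.
    $result.LikelyInfected = $result.MdmsPresent -or $result.WinacpiPresent -or
                             [bool]$result.RunValue -or $result.MzsKeyPresent
    [pscustomobject]$result
}

Test-CimuzIndicators -Clsid $Clsid -SystemDir $Sys | Format-List
```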