Trojan.Cmapp is a Trojan Horse that may display advertisements.
When Trojan.Cmapp is executed, it performs the following actions:
1. May create the following files:
* %ProgramFiles%\CMAPP\cmappstub.exe
* %ProgramFiles%\CMAPP\Client\cmappclient.exe
* %ProgramFiles%\asys\Stb.exe
* %ProgramFiles%\asys\VFX8.0-1.exe
* %Windir%\lupd.dat
* %Windir%\nxui.dat
* %Windir%\ofxnm.dat
* %Windir%\sfwv.dat
* %Windir%\sfxnm.dat
* %Windir%\tfxnm.dat
* %Windir%\tmpdlfl.dat
* %Windir%\uid24.key
* %Windir%\sysnet.exe
* %Windir%\snuninst.exe
* %Windir%\[4 RANDOM CHARACTERS]svc.exe
* %Windir%\visfxun.exe
* %UserProfile%\Local Settings\Temp\cmappsetup.exe
Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
2. May create the following files, which may be detected as Trojan.AdClicker:
* %Windir%\[4 RANDOM CHARACTERS]dll.exe
* %Windir%\[4 RANDOM CHARACTERS]enc.exe
3. May create the following files, which may be detected as Adware.CasinoClient:
* %ProgramFiles%\CMAPP\Client\cmappmf.dll
4. May add the value:
"[4 RANDOM CHARACTERS]dll" = "%Windir%\[4 RANDOM CHARACTERS]dll.exe"
"[4 RANDOM CHARACTERS]enc" = "%Windir%\[4 RANDOM CHARACTERS]enc.exe"
"CMAPP" = ""%ProgramFiles%\CMAPP\Client\cmappclient.exe""
"Sysnet" = "%Windir%\sysnet.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
5. May create the following registry subkeys:
HKEY_CURRENT_USER\Software\CMAPP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sysnet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisFx
6. May create a service with the following characteristics:
Display Name: Windows VisFx Components
Image Path: %Windir%\[4 RANDOM CHARACTERS]svc.exe
Description: Windows VisFx Components
7. Connects to the following URLs to download updates:
* [http://]consumeralertsystem.com/[REMOVED]/zx-404error.php
* [http://]64.111.196.237/[REMOVED]/zx-install.php
* [http://]64.111.196.237/[REMOVED]/zx-tpa.php
* [http://]64.111.196.237/[REMOVED]/zx-uninstall.php
* [http://]64.111.196.237/[REMOVED]/zx-config.php
* [http://]64.111.196.237/[REMOVED]/zx-popup.php
* [http://]64.111.196.237/[REMOVED]/zx-shortcut.php
8. Displays advertisements.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.cmapp.html
To delete the values and subkeys from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"[4 RANDOM CHARACTERS]dll" = "%Windir%\[4 RANDOM CHARACTERS]dll.exe"
"[4 RANDOM CHARACTERS]enc" = "%Windir%\[4 RANDOM CHARACTERS]enc.exe"
"CMAPP" = ""%ProgramFiles%\CMAPP\Client\cmappclient.exe""
"Sysnet" = "%Windir%\sysnet.exe"
6. Navigate to and delete the following subkeys:
HKEY_CURRENT_USER\Software\CMAPP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sysnet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisFx
7. Exit the Registry Editor.
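The indicators listed in items 1 to 6 and the registry steps of the removal instructions, combined into one audit script. This is an added example and is not part of the Symantec write-up. It assumes a PowerShell 3.0 or later session run with administrative rights. The file paths, Run value names, subkeys and service display name are the ones given above; the [4 RANDOM CHARACTERS] names are matched with wildcards and a regular expression rather than a literal name, and the -Remove switch performs only steps 5 and 6 of the removal instructions (deleting the Run values and the three subkeys).

```powershell
# Added example, not part of the Symantec write-up.
# Audits a host for the Trojan.Cmapp indicators listed above and, with
# -Remove, deletes the Run values and subkeys named in the removal steps.
# Supports -WhatIf so the removal can be rehearsed first.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$win = $env:SystemRoot      # %Windir%
$pf  = $env:ProgramFiles    # %ProgramFiles%
$tmp = $env:TEMP            # %UserProfile%\Local Settings\Temp on NT/2000/XP

# Fixed file paths from items 1 to 3 of the write-up.
$filePaths = @(
    "$pf\CMAPP\cmappstub.exe", "$pf\CMAPP\Client\cmappclient.exe",
    "$pf\CMAPP\Client\cmappmf.dll", "$pf\asys\Stb.exe", "$pf\asys\VFX8.0-1.exe",
    "$win\lupd.dat", "$win\nxui.dat", "$win\ofxnm.dat", "$win\sfwv.dat",
    "$win\sfxnm.dat", "$win\tfxnm.dat", "$win\tmpdlfl.dat", "$win\uid24.key",
    "$win\sysnet.exe", "$win\snuninst.exe", "$win\visfxun.exe",
    "$tmp\cmappsetup.exe"
)
# Randomly named droppers: [4 RANDOM CHARACTERS] followed by a fixed suffix.
$filePatterns = @('????svc.exe', '????dll.exe', '????enc.exe')

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$subKeys = @(
    'HKCU:\Software\CMAPP',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sysnet',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisFx'
)

$findings = @()

# Items 1 to 3: dropped files.
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
}
foreach ($pat in $filePatterns) {
    foreach ($f in Get-ChildItem -Path $win -Filter $pat -File -ErrorAction SilentlyContinue) {
        # The wildcard is loose; tighten it to exactly four alphanumerics plus suffix.
        if ($f.Name -match '^[A-Za-z0-9]{4}(svc|dll|enc)\.exe$') {
            $findings += "File: $($f.FullName)"
        }
    }
}

# Item 4: Run values. Match the fixed names and the random-prefix names, and
# require the data to point at an executable of the shape the write-up gives.
$runValues = @()
if (Test-Path -LiteralPath $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in 'CMAPP', 'Sysnet' -or $name -match '^[A-Za-z0-9]{4}(dll|enc)$') {
            $data = [string]$props.$name
            if ($data -match '(?i)(\\CMAPP\\Client\\cmappclient\.exe|\\sysnet\.exe|\\[A-Za-z0-9]{4}(dll|enc)\.exe)"?$') {
                $runValues += $name
                $findings  += "Run value: $name = $data"
            }
        }
    }
}

# Item 5: registry subkeys.
$presentKeys = @($subKeys | Where-Object { Test-Path -LiteralPath $_ })
foreach ($k in $presentKeys) { $findings += "Registry key: $k" }

# Item 6: service named "Windows VisFx Components" or pointing at ????svc.exe.
foreach ($svc in Get-CimInstance Win32_Service -ErrorAction SilentlyContinue) {
    if ($svc.DisplayName -eq 'Windows VisFx Components' -or
        $svc.PathName -match '(?i)\\[A-Za-z0-9]{4}svc\.exe') {
        $findings += "Service: $($svc.Name) ($($svc.DisplayName)) -> $($svc.PathName)"
    }
}

if (-not $findings) { Write-Host 'No Trojan.Cmapp indicators found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

# Removal steps 5 and 6: delete the Run values, then the subkeys.
if ($Remove) {
    foreach ($name in $runValues) {
        if ($PSCmdlet.ShouldProcess("$runKey\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $name
        }
    }
    foreach ($k in $presentKeys) {
        if ($PSCmdlet.ShouldProcess($k, 'Remove-Item -Recurse')) {
            Remove-Item -Path $k -Recurse
        }
    }
}
```

Run it once without switches to list what is present, then with -Remove -WhatIf to see what would be deleted before running -Remove. Because the Run values and the CMAPP subkey live under HKEY_CURRENT_USER, the audit only sees the profile it runs in; run it as each user of an affected machine. The script does not delete the dropped files or the service, which the linked Symantec page covers and this section does not.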