Adware.Cinmus
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Adware.Cinmus.
Explanation:
When executed, the adware drops the following files:
%WINDOWS%\system32\drivers\acpidisk.sys
%WINDOWS%\system32\mprmsgse.axz
%WINDOWS%\system32\mscpx32r.det
Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidisk
The key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registers acpidisk.sys as a service, which ensures that the system loads the driver at every reboot. When acpidisk.sys runs it drops the file winlib.dll into %WINDOWS%\system32 and injects that DLL into winlogon.exe. From then on acpidisk.sys intercepts the creation of every process and sets an event each time it detects that Internet Explorer has been started. Because the driver re-drops winlib.dll on every boot and the payload lives inside winlogon.exe, deleting only the user-mode files is not enough: the service entry and the driver itself must also be removed.
When winlib.dll runs it copies itself to %Temp% under the name ~my[unique number].tmp, deletes the original file, and continues executing from the copy in %Temp%. It then downloads pctools.dll from [hide].chnsystem.com and saves it to %Temp%.
pctools.dll is the component that shows the pop-ups. When executed it checks that it is running inside Internet Explorer (it is also started from explorer.exe) and that the operating system is newer than Windows 2000.
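The following read-only triage script is an added example, not part of the BitDefender write-up, that checks a Windows host for the artifacts described above: the dropped files, the CLSID/BHO and service registry keys, the ~my[unique number].tmp copy and pctools.dll in temp folders, and winlib.dll loaded inside winlogon.exe. It assumes that "[unique number]" is a run of digits, that winlogon.exe runs as SYSTEM (whose %Temp% is %WINDOWS%\Temp), and, going beyond the page, it also checks the Wow6432Node registry paths a 32-bit BHO would use on 64-bit Windows.

```powershell
# Added read-only triage script for the Adware.Cinmus artifacts described above.
# It is not part of the BitDefender write-up; it only reports and removes nothing.
# Run from an elevated PowerShell prompt (enumerating winlogon.exe modules and the
# SYSTEM temp folder needs administrator rights).
#
# Assumptions beyond the page:
#  - "[unique number]" in ~my[unique number].tmp is matched as a run of digits.
#  - winlogon.exe runs as SYSTEM, whose %Temp% is %WINDOWS%\Temp, so that folder
#    is checked alongside every user profile's local temp folder.
#  - On 64-bit Windows a 32-bit BHO registers under Wow6432Node; those paths are
#    checked as well, although the page does not mention them.

$sys32 = Join-Path $env:windir 'System32'
$clsid = '{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}'

$droppedFiles = @(
    (Join-Path $sys32 'drivers\acpidisk.sys'),
    (Join-Path $sys32 'mprmsgse.axz'),
    (Join-Path $sys32 'mscpx32r.det'),
    (Join-Path $sys32 'winlib.dll')
)

$registryKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'HKLM:\SYSTEM\CurrentControlSet\Services\acpidisk'
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("file present: $f") }
}

foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# The service entry is what makes the driver load at boot; ImagePath and Start
# show which binary is loaded and when (Start=0 boot, 1 system, 2 automatic).
$svc = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\acpidisk' -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("acpidisk service: ImagePath=$($svc.ImagePath) Start=$($svc.Start)")
}

# Temp-folder artifacts: the relocated copy of winlib.dll (~my<digits>.tmp) and
# the downloaded pctools.dll.
$tempDirs  = @($env:TEMP, (Join-Path $env:windir 'Temp'))
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($u in (Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue)) {
    $tempDirs += Join-Path $u.FullName 'AppData\Local\Temp'
}
foreach ($d in ($tempDirs | Where-Object { $_ } | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $d -PathType Container)) { continue }
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^~my\d+\.tmp$' } |
        ForEach-Object { $findings.Add("temp copy of winlib.dll: $($_.FullName)") }
    $pc = Join-Path $d 'pctools.dll'
    if (Test-Path -LiteralPath $pc -PathType Leaf) { $findings.Add("downloaded component: $pc") }
}

# Injection check: winlib.dll (or its ~my<digits>.tmp copy) loaded in winlogon.exe.
foreach ($p in (Get-Process -Name winlogon -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -ieq 'winlib.dll' -or $m.ModuleName -match '^~my\d+\.tmp$') {
                $findings.Add("module loaded in winlogon.exe (PID $($p.Id)): $($m.FileName)")
            }
        }
    } catch {
        Write-Warning "could not enumerate modules of winlogon.exe PID $($p.Id): $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware.Cinmus indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Because acpidisk.sys runs in the kernel and hooks process creation, treat a clean result from a live host as provisional; the service key and the driver file are the two items to confirm first, since the page states that they recreate winlib.dll on every boot.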
It then starts to show pop-ups at random time intervals from sites such as:
zuoyoukong[hidden].com
yiq[hidden].com
51[hidden].com
Last update 21 November 2011