Adware:W32/Cinmus

Name: Adware:W32/Cinmus
Detection Names: Adware.Win32.Cinmus
Aliases: Trojan:W32/Cinmeng (Microsoft), Trojan.Cinmeng (Symantec)
Category: Spyware
Type: Adware
Platform: W32

Summary

This program delivers advertising content to the user in a manner or context that may be unexpected and/or unwanted. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Additional Details

Cinmus.gen detects multiple variants and components of the Cinmus adware family.

Members of this family attempt to contact remote sites and display pop-up advertisements. The following are examples of sites Cinmus adware may connect to:

  • http://login.zuoyoukongjuan.com
  • http://client.zuoyoukongjian.com
  • http://al.zuoyoukongjian.com

Specific variants may differ in details, such as filenames and the remote sites they contact.


Installation

On infection, an initial driver component is dropped and registered as a driver, usually with the name acpidisk.sys. This driver creates a DLL with a TMP extension in the Windows %temp% folder, and then injects the DLL into a process.

The DLL then downloads the adware's main component from a remote site, usually from the domain chnsystem.com. The main component of Cinmus is a DLL installed as a Browser Helper Object (BHO) in Microsoft Internet Explorer.

The BHO's filename varies widely between variants. The files are usually installed to the %system32% folder. Configuration and/or data files are also dropped to the same folder, with the extensions SRG and AXZ.
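The install chain described above can be turned into a triage check that correlates several weak indicators instead of relying on one. The following is an added example, not F-Secure's detection logic: the snapshot layout (`drivers`, `network`, `files`, `bho_dlls`), the function names and the sample paths are assumptions made for illustration, while the hostnames, driver name and file extensions are the ones listed on this page.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators from the description above; variants may use other names.
CONTACT_HOSTS = {"login.zuoyoukongjuan.com", "client.zuoyoukongjian.com",
                 "al.zuoyoukongjian.com"}
DOWNLOAD_DOMAIN = "chnsystem.com"
DRIVER_NAME = "acpidisk.sys"
DATA_EXTS = {".srg", ".axz"}

def host_of(value):
    """Lower-case host from a URL or bare host[:port] string."""
    v = value.strip().lower()
    return (urlsplit(v if "//" in v else "//" + v).hostname or "").rstrip(".")

def in_system32(path):
    return ntpath.dirname(ntpath.normpath(path)).lower().endswith("\\system32")

def triage(snapshot):
    """Return {stage: [evidence]} for each install stage that matched."""
    hits = {}
    for drv in snapshot.get("drivers", []):
        if ntpath.basename(drv).lower() == DRIVER_NAME:
            hits.setdefault("driver", []).append(drv)
    for item in snapshot.get("network", []):
        h = host_of(item)
        if h in CONTACT_HOSTS or h == DOWNLOAD_DOMAIN or h.endswith("." + DOWNLOAD_DOMAIN):
            hits.setdefault("network", []).append(h)
    data = [f for f in snapshot.get("files", [])
            if in_system32(f) and ntpath.splitext(f)[1].lower() in DATA_EXTS]
    if data:
        hits["data_files"] = data
        # BHO names vary: count a BHO DLL only when SRG/AXZ files share system32.
        bho = [d for d in snapshot.get("bho_dlls", []) if in_system32(d)]
        if bho:
            hits["bho"] = bho
    return hits

def verdict(hits):
    """One matched stage is weak evidence; two or more warrant investigation."""
    return "investigate" if len(hits) >= 2 else ("review" if hits else "clean")

# Constructed snapshots for illustration, not real telemetry.
SUSPECT = {"drivers": [r"C:\WINDOWS\system32\drivers\acpidisk.sys"],
           "network": ["http://client.zuoyoukongjian.com/", "chnsystem.com:80"],
           "files": [r"C:\WINDOWS\system32\example.srg", r"C:\Temp\notes.axz"],
           "bho_dlls": [r"C:\WINDOWS\system32\example.dll"]}
BENIGN = {"network": ["https://notchnsystem.com/"],
          "bho_dlls": [r"C:\WINDOWS\system32\example.dll"]}
```

`verdict(triage(SUSPECT))` returns `"investigate"`, while the benign snapshot, which has a BHO in system32 but no SRG/AXZ files and only a look-alike domain, returns `"clean"`.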