How to Prevent and Remove the Trojan.Win32.Cosmu.ajds


 

1. What is the Trojan.Win32.Cosmu.ajds

Trojan.Win32.Cosmu.ajds (also detected as Mal/SillyFDC-A) is a Trojan that compromises the security of the infected computer and of the network it sits on, and it should not be taken lightly. It installs itself without the user's knowledge or consent and then contacts a remote server to download further malware onto the infected machine. Reported symptoms include the screen being flipped upside down or mirrored, and documents or messages being printed without the user's action. For the safety of your computer, remove it immediately.


Alias: W32/Generic.worm!p2p [McAfee], VirTool:Win32/VBInject.gen!DG [Microsoft], Trojan-PWS.Win32.VB [Ikarus]

 

2. Technical Details

 

a. The following files were created in the system:

#   Filename(s)                              File Size
1   %AppData%\data.dat                       34 bytes
2   %AppData%\File.exe                       327,680 bytes
    (a copy of the sample itself: [file and pathname of the sample #1])

  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

  • A new process was created in the system:

Process Name                    Process Filename                        Main Module Size
[filename of the sample #1]     [file and pathname of the sample #1]    77,824 bytes

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
      • HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}]
        • StubPath = "%AppData%\File.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
        • scvhost = "%AppData%\File.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • scvhost = "%AppData%\File.exe"
      • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}]
        • StubPath = "%AppData%\File.exe"
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • scvhost = "%AppData%\File.exe"

      Each of these values makes Windows launch File.exe again when the system starts or a user logs on: the Run and policies\Explorer\run values are processed at every logon, and Active Setup executes the StubPath command at user logon. Five separate entries are written so that the Trojan survives if any single one of them is removed. Note the value name "scvhost", chosen to be mistaken for the legitimate svchost.exe when the Run keys are inspected.

d. Other details

    • The following port was open in the system:

      Port    Protocol    Process
      1051    TCP         [file and pathname of the sample #1]

    • There were registered attempts to establish connections with the following remote hosts:

      Remote Host        Port Number
      67.212.74.83       80
      97.104.215.122     81

    • The data identified by the following URLs was then requested from the remote web server. Both are IP-geolocation lookups against api.ipinfodb.com, made with an API key hard-coded in the sample, so the Trojan learns the country and location of the infected host's public IP address:

      • http://api.ipinfodb.com/v2/ip_query_country.php?key=86c9c734428c1230cba1356dcf99dc882bc229bf93fbd6491db4e8776d6d9a88&timezone=off
      • http://api.ipinfodb.com/v2/ip_query.php?key=86c9c734428c1230cba1356dcf99dc882bc229bf93fbd6491db4e8776d6d9a88&timezone=off

     

3. How-to's

    a. How to prevent the Trojan.Win32.Cosmu.ajds?

    Keep the Sax2 detection policy (its knowledge base) up to date. Once Ax3soft Sax2 detects the network communication of this Trojan it breaks the connection, protecting the network and the business. The traffic to match on is listed in section 2d: the connections to the two remote hosts on TCP ports 80 and 81, and the HTTP requests to api.ipinfodb.com carrying the hard-coded API key.

    b. How to Remove the Trojan.Win32.Cosmu.ajds Manually?

    Carry out the steps in this order: the running process holds File.exe open, so the file cannot be deleted until the process has been ended, and the registry values must be removed before the next reboot or logon, or File.exe will simply be started again. Editing HKEY_LOCAL_MACHINE requires administrator rights. On 64-bit Windows also check the Wow6432Node view of HKEY_LOCAL_MACHINE\SOFTWARE, to which a 32-bit sample's writes to the Run and Active Setup keys are redirected.

    Step 1: Use Windows Task Manager to end the Trojan.Win32.Cosmu.ajds process

    %AppData%\File.exe

    Step 2: Use Registry Editor to remove the Trojan.Win32.Cosmu.ajds registry values

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}]
    StubPath = "%AppData%\File.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
    scvhost = "%AppData%\File.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    scvhost = "%AppData%\File.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}]
    StubPath = "%AppData%\File.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    scvhost = "%AppData%\File.exe"

    Step 3: Detect and delete the other Trojan.Win32.Cosmu.ajds files

    %AppData%\data.dat
    %AppData%\File.exe
    [file and pathname of the sample #1]
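    The three manual steps above, scripted as an added example (this is not code from the original page or from Ax3soft). It audits a host for the indicators from section 2 and, only when run with -Remove, ends the process, deletes the persistence values and deletes the dropped files, in that order. The file paths, registry paths, value names, Active Setup GUID and remote hosts are taken from this writeup; the function name, the -Remove switch and the extra Wow6432Node paths checked for 64-bit Windows are this example's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
<#
Added example for the Trojan.Win32.Cosmu.ajds removal steps (not the page's
own code).  Indicators are taken from the writeup; the script layout, the
Find-CosmuIndicators name and the -Remove switch are this example's own.
Without -Remove the script only reports.  Run elevated: the HKLM values
cannot be deleted otherwise.
#>
[CmdletBinding()]
param(
    [switch]$Remove
)

$Guid    = '{7ADABE5D-7EFC-CAAB-DDAD-5EAA7CECFDDF}'
$Dropper = Join-Path $env:APPDATA 'File.exe'
$Files   = @($Dropper, (Join-Path $env:APPDATA 'data.dat'))
$C2Hosts = @('67.212.74.83', '97.104.215.122')     # remote hosts from section 2d

# Persistence values from section 2c.  The Wow6432Node entries are an assumption
# for a 32-bit sample on 64-bit Windows, where writes to these HKLM keys are redirected.
$RegValues = @(
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$Guid";             Name = 'StubPath' },
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\$Guid"; Name = 'StubPath' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run';       Name = 'scvhost'  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                         Name = 'scvhost'  },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run';             Name = 'scvhost'  },
    @{ Path = "HKCU:\Software\Microsoft\Active Setup\Installed Components\$Guid";             Name = 'StubPath' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                         Name = 'scvhost'  }
)

function Find-CosmuIndicators {
    $hits = @()

    # Step 1: the running process, matched on its image path rather than its name
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($p.Path -and ($p.Path -ieq $Dropper)) {
            $hits += "process PID $($p.Id) running from $($p.Path)"
            if ($Remove) { Stop-Process -Id $p.Id -Force }
        }
    }

    # Step 2: registry values that relaunch File.exe at start-up / logon
    foreach ($v in $RegValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $hits += "registry $($v.Path) : $($v.Name) = $($item.$($v.Name))"
            if ($Remove) { Remove-ItemProperty -Path $v.Path -Name $v.Name -Force }
        }
    }

    # Step 3: dropped files; hash them first so the sample can still be identified after deletion
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) {
            $sha256 = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $size   = (Get-Item -LiteralPath $f).Length
            $hits += "file $f ($size bytes, SHA256 $sha256)"
            if ($Remove) { Remove-Item -LiteralPath $f -Force }
        }
    }

    # Live connections to the section 2d hosts (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
    foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        if ($C2Hosts -contains $c.RemoteAddress) {
            $hits += "connection $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) (PID $($c.OwningProcess))"
        }
    }

    return $hits
}

$results = @(Find-CosmuIndicators)
if ($results.Count -eq 0) {
    Write-Host 'No Trojan.Win32.Cosmu.ajds indicators found.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
    if (-not $Remove) { Write-Host 'Re-run with -Remove to end the process and delete the values and files.' }
}
```

    The process is matched on its full image path rather than on the name "File.exe", since a copy with the same name elsewhere is not this indicator and a renamed copy in %AppData% still is. Run it once without -Remove, keep the reported hashes, then run it again with -Remove and reboot; a clean run after the reboot confirms that none of the five persistence entries survived.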
     

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-malware program and scan your machine with it. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even advanced malware. Among its features is a built-in protection monitor that blocks malicious processes before they start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
