Ccsetmngr.exe virus
This, the smaller of the two files, appears to be a standalone exploit tool that attempts to infect a target machine via one of several variations of the WINS exploit. Once infected, the target machine is told to connect back to a machine where perhaps a shell is opened and input awaited. Expanding on the usage message above, we find these options provided by the program.

Helpfully, both "dash" and "slash" notation are supported. The code appears to contain no locally-dangerous code. We pointed it to a port-capture program to collect the various binary data patterns sent by the tool. The code mentions "sending a carsh packet", but this may well be a misspelling of "crash".

Curiously, the "CN" and "EN" attacks send the same pair of packets, and the code confirms that there is no difference between them. This looks like a bug. We've not dug into the exploit details themselves, but we'd not be surprised if it used a variant of the exploit posted by K-Otik. We have captured all the data patterns sent to all the target types, and with the exception of the connect-back IP address and port, the rest of the patterns appear to be fixed. The connect-back IP address is in four bytes starting at offset 0x, and it's XOR'd with the pattern 0x. The port number is in two bytes starting at 0x, also XOR'd with 0x. The example shown here is set with We expect that these could be used to create capture patterns for the Snort Intrusion Detection System.

Note that these. We have not researched the contents of the attack packets to any degree, though they are likely based on exploit code that has been published already. The Trojan itself contains in its data section a full copy of the above ccSetMngr program, and it drops it when it lands somewhere. This very well could be some standard Trojan framework: those who recognize it are encouraged to let us know. The program is almost entirely one function: WinMain is huge (with more than local labels at the machine-code level), and it uses more than k of local stack.

It looks exceptionally sloppy. It is designed to run standalone or as a service, and the command line guides this. When run with "install", it installs itself as an auto-start service named "NetTcpd", and it uses its own file as the service executable. If the command-line option is "remove", it uninstalls the service and exits. EXE gcasServ.

Steals Sensitive Data. C may log credentials, and gather other information, when affected users visit sites with the following strings in the browser title bar or URL:

After capturing logon credentials and other sensitive information, the Trojan attempts to submit the capture log to an e-mail address using SMTP. The capture log could include any or all of the following details: C has a file size range between Mb. C installation: The presence of a Mb file, possibly named 'Windows Sudden termination of any of the following programs or services: ashdisp.

The packed size is kilobytes, the unpacked size is about kilobytes.

Summary: A standalone malicious program which uses computer or network resources to make complete copies of itself.

Removal

Automatic action: Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)? If you wish, you may also:

Check for the latest database updates: First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

Submit a sample: After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

Exclude a file from further scanning: If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
