Cosmu
Posted: April 20, 2010
Threat Metric
The fields listed on the Threat Meter that carry a specific value are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Ranking | 16,666 |
| Threat Level | 8/10 |
| Infected PCs | 1,654 |
| First Seen | April 20, 2010 |
| Last Seen | July 30, 2023 |
| OS(es) Affected | Windows |
Cosmu is a spyware program that uses any of several methods to infiltrate your PC, thereafter targeting passwords and other potentially profitable data for misappropriation. While Cosmu is hardly a new PC threat, the appearance of new versions, such as CosmicDuke, causes Cosmu to be an ongoing hazard for anyone who's interested in keeping their information personal, particularly for eastern Europeans. Removing Cosmu, or even finding Cosmu in the first place, is a task best left to anti-malware products.
The Cosmology of another Trojan Fusion
Cosmu is a large family of spyware programs that have seen various updates over time, with some of the newest versions including shared loader components with MiniDuke (a backdoor Trojan that may exploit Adobe PDF documents for its distribution). While Cosmu was the original user of this particular Trojan-installing component, its shared use with MiniDuke may indicate that the same persons are in charge of both Trojan families. Like MiniDuke, Cosmu's new versions may be installed via PDF exploits that simultaneously launch legitimate PDF files, which lends an appearance of harmlessness to the attack. Examples of droppers include Ukrainian gas reports and even photo images of Russian receipts.
Once installed, Cosmu includes several functions for collecting information, as malware experts quickly discovered:
- Cosmu may monitor the system clipboard for any copied, pasted and cut data.
- Cosmu may use a 'keylogger' component to record all keyboard input.
- Cosmu may take screenshots either randomly or as a reaction to determined triggers (such as a browser loading a bank website).
- Specialized spyware components of Cosmu may even target specific applications for account compromise, including instant messengers, e-mail clients and most Web browsers.
Other general system information, up to and including cryptography-protected data, also may be stolen by Cosmu and uploaded to a third party-controlled server. Even this list doesn't fully delineate Cosmu's potential attack options; Cosmu also may install other threats with payloads and functions not described in this article.
Backing Down from a Cosmic Trojan's Ride
European nations, particularly ones neighboring Russia, are at highest risk for Cosmu attacks. However, Cosmu also has been seen using distribution methods that target Polish and Turkish PC users. In any case, scanning files dutifully, using strong browser settings and keeping active anti-malware programs remain your most surefire defenses against Cosmu infections. Because Cosmu, like MiniDuke, favors PDF exploits, it is also important to update your Adobe software regularly, lest vulnerabilities be abused to your disadvantage.
After anti-malware products of your choice have uninstalled Cosmu, malware researchers also would recommend attending to personal information that may have been compromised. In cases of broad spyware like Cosmu, this means changing passwords and security questions that Cosmu's developers could use to compromise your accounts. However, PC users who bother to practice good security habits are unlikely to be bothered by Cosmu, which doesn't use the highly creative techniques pioneered by other threats to thwart typical security solutions (as can be seen with the Havex RAT, for example).
Aliases
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
%SystemDrive%\Program File\Microsoft\MicrosoftSafety.exe
File name: MicrosoftSafety.exe
Size: 176.36 KB (176362 bytes)
MD5: 25a74ab84877fe284cf5f98f4fa71d14
Detection count: 372
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Program File\Microsoft
Group: Malware file
Last Updated: March 22, 2017
%SystemDrive%\Program File\Microsoft\MicrosoftSafety.exe
File name: MicrosoftSafety.exe
Size: 172.03 KB (172032 bytes)
MD5: 504073a8f6acfa496db99da57cc27708
Detection count: 115
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Program File\Microsoft
Group: Malware file
Last Updated: March 22, 2017
%APPDATA%\WinDefender.exe
File name: WinDefender.exe
Size: 150.01 KB (150016 bytes)
MD5: a9e1d2da0568d028dba7de3c78becb08
Detection count: 89
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: November 23, 2010
%LOCALAPPDATA%\Microsoft\Windows\Explorer\0FILIM.exe
File name: 0FILIM.exe
Size: 495.61 KB (495616 bytes)
MD5: a9c5a072eb3aea020d66af5d858306fd
Detection count: 89
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017
%SystemDrive%\Program File\Microsoft\MicrosoftSafety.exe
File name: MicrosoftSafety.exe
Size: 153.79 KB (153794 bytes)
MD5: 46d828dbbd7e4ddd07391009ea04bc49
Detection count: 82
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Program File\Microsoft
Group: Malware file
Last Updated: March 22, 2017
%SystemDrive%\Program File\Microsoft\MicrosoftSafety.exe
File name: MicrosoftSafety.exe
Size: 253.95 KB (253952 bytes)
MD5: 0c3446dba1978ef1d01a0f92e4b4b6d3
Detection count: 56
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Program File\Microsoft
Group: Malware file
Last Updated: March 22, 2017
yvvumsp.exe
File name: yvvumsp.exe
Size: 59.9 KB (59904 bytes)
MD5: dee64ab7fa00ee9d2315798aba8a98f3
Detection count: 53
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 20, 2010
%LOCALAPPDATA%\Microsoft\Windows\Explorer\FILIM.exe
File name: FILIM.exe
Size: 471.04 KB (471040 bytes)
MD5: f4bd0ee97c3680f1315f491542d22689
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017
%LOCALAPPDATA%\Microsoft\Windows\Explorer\0.exe
File name: 0.exe
Size: 543.15 KB (543157 bytes)
MD5: b709362becd2b2c14300a7356471767d
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017
%LOCALAPPDATA%\Microsoft\Windows\Explorer\FILIM.exe
File name: FILIM.exe
Size: 546.81 KB (546816 bytes)
MD5: 6ff064dd743e0413d7c4f964ac8307ec
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: January 19, 2019
file.exe
File name: file.exe
Size: 294.91 KB (294912 bytes)
MD5: 2b98b32c40e3f1b05ef0963b217e366b
Detection count: 6
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%LOCALAPPDATA%\Microsoft\Windows\Explorer\FILIM.exe
File name: FILIM.exe
Size: 526.33 KB (526336 bytes)
MD5: 7f6d6e8c226bb5f4366edea6672bc0a7
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017
Registry Modifications
Regexp file mask: %WINDIR%\SysWOW64\themeuichk.dll