While checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to a remover.exe file.
After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had been previously installed from that very same server.
I suppose this is the method the author uses to run tests to check whether the Trojan works properly and then easily disinfect the machine using the uninstaller.
Posted under Malware Alerts
This post was written by Vicente Martinez on May 30, 2007
