Press Release: Malware Masquerading as Chasys Draw IES Viewer
A while back, it came to my attention that there is a piece of malware doing the rounds that incorporates some component hijacked from an older version of Chasys Draw IES.
The first time this was reported to me, I worked closely with the affected individual to find the root cause. I discovered that their computer was infected by a new malware that calls itself “managefm”.
I reported my findings to VirusTotal and Avira; I’m hoping that action will be taken.
This malware, Managefm, seems to hijack executables from older versions of legitimate software, which it then tries to manipulate to do its bidding. In this case, it had taken over a legitimate executable that is part of an older version of my software Chasys Draw IES.
From what I discovered while working with the aforementioned person, I was able to offer them a solution, which is described below. It is unfortunate that we live in a world where some people see no problem with damaging the reputation of others by misusing their legitimate work to develop malware, and, if you are reading this and have been affected by Managefm, I’m sorry that your first interaction with my software has been through this unfortunate attack against your computer.
The Solution:
If you go to Task Scheduler on your computer, you will find these three scheduled tasks, pointing to the listed executables:
- “genius.exe” pointing to “C:\Users\<username>\AppData\Roaming\genius.exe”,
- “nodehost_alpha” pointing to “C:\ProgramData\Managefm\Data_Module64.exe”, and,
- “uak_Svc_alpha” pointing to “C:\ProgramData\Managefm\Data_Module64.exe”
You need to “End Task” (via Task Manager) all instances of the malware. End all instances of “genius.exe”, “DynamicAge64.exe” and “Data_Module64.exe”.

Next, you need to delete the malware files. Delete all of the following:
- The file “C:\Users\<username>\AppData\Roaming\genius.exe”,
- The file “C:\Users\<username>\AppData\Local\Temp\DynamicAge64.exe”, and,
- The folder “C:\ProgramData\Managefm\” and everything in it.
Lastly, you need to delete all three scheduled tasks listed above, i.e.:
- “genius.exe” pointing to “C:\Users\<username>\AppData\Roaming\genius.exe”,
- “nodehost_alpha” pointing to “C:\ProgramData\Managefm\Data_Module64.exe”, and,
- “uak_Svc_alpha” pointing to “C:\ProgramData\Managefm\Data_Module64.exe”
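The steps above can also be scripted. The following PowerShell is an added example, not part of the original press release and not code from the Chasys Draw IES project. It assumes an elevated session run as the affected user, and the script file name used when saving it (for example `Check-Managefm.ps1`) is hypothetical.

```powershell
# Added example: audit (default) or remove (-Remove) the Managefm artifacts listed above.
# Assumption: run from an elevated PowerShell session as the affected user, so that
# $env:APPDATA and $env:LOCALAPPDATA resolve to that user's profile.
param([switch]$Remove)

$taskNames = 'genius.exe', 'nodehost_alpha', 'uak_Svc_alpha'
$procNames = 'genius', 'DynamicAge64', 'Data_Module64'   # Get-Process takes names without ".exe"
$paths = @(
    (Join-Path $env:APPDATA      'genius.exe'),
    (Join-Path $env:LOCALAPPDATA 'Temp\DynamicAge64.exe'),
    (Join-Path $env:ProgramData  'Managefm')
)

# Step 1: find the scheduled tasks and show which executable each one launches.
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $taskNames -contains $_.TaskName })
foreach ($t in $tasks) {
    $exe = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
    Write-Output "TASK    $($t.TaskPath)$($t.TaskName) -> $exe"
}

# Step 2: find running instances of the three executables.
$procs = @(Get-Process -Name $procNames -ErrorAction SilentlyContinue)
foreach ($p in $procs) { Write-Output "PROCESS $($p.Name) (PID $($p.Id)) $($p.Path)" }

# Step 3: find the files and the folder on disk.
$found = @($paths | Where-Object { Test-Path -LiteralPath $_ })
foreach ($f in $found) { Write-Output "PATH    $f" }

if (($tasks.Count + $procs.Count + $found.Count) -eq 0) {
    Write-Output 'No listed artifacts found.'
    return
}
if (-not $Remove) { Write-Output 'Audit only. Re-run with -Remove to clean up.'; return }

# Removal, in the order given above: end processes, delete files, delete tasks.
$procs | Stop-Process -Force -ErrorAction SilentlyContinue
foreach ($f in $found) { Remove-Item -LiteralPath $f -Recurse -Force }
$tasks | Unregister-ScheduledTask -Confirm:$false
Write-Output 'Removal finished. Run again without -Remove to confirm nothing remains.'
```

Run it once without `-Remove` to see what is present, then again with `-Remove`. If the infected account is not the one running the script, replace the two per-user paths with that account's profile paths.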
This will clear the malware. It is not known to me how the malware gets into the computers in the first place, but my suspicion is that the means of infection has to be something basic given the simplicity of the malware.
I’m reaching out to antivirus vendors again to get this analyzed further and possibly flagged.
John Paul Chacha,
Author of Chasys Photo and Chasys Draw IES.