
Trojan:Win32/Chepdu.P


First posted on 10 May 2019.
Source: Microsoft

Aliases :

Trojan:Win32/Chepdu.P is also known as Suspect-02!1E2A1BFFB41C, TROJ_BHO.XL, Trojan.Win32.Agent.cyrs, Adware.CPush.

Explanation :

Trojan:Win32/Chepdu.P is a malicious program that is unable to spread on its own. It may perform a number of actions of an attacker's choice on an affected machine.

Installation

Trojan:Win32/Chepdu.P creates the following file(s) on an affected machine:

ctfmon_mp.exe - detected as TrojanDownloader:Win32/Troxen!rts
dq20279.dll - detected as Trojan:Win32/Chepdu.P

Note - refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista it is C:\Windows\System32.

The malware registers the file dq20279.dll using the Windows utility regsvr32.exe with the /s parameter. Regsvr32.exe is a program that is used to register or unregister a COM (Component Object Model) DLL (dynamic link library). The /s parameter allows regsvr32 to run silently without displaying any messages. This action may result in the following registry modifications:

Adds value: "(default)"
With data: "d"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}

Adds value: "(default)"
With data: "c:\windows\system32\dq20279.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}\InprocServer32

Adds value: "(default)"
With data: "d.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}\ProgID

Adds value: "(default)"
With data: "d"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}\VersionIndependentProgID

Adds value: "(default)"
With data: "{888520a0-2a83-319b-920d-2512699858ed}"
To subkey: HKLM\SOFTWARE\Classes\D.1\CLSID

Adds value: "(default)"
With data: "{888520a0-2a83-319b-920d-2512699858ed}"
To subkey: HKLM\SOFTWARE\Classes\D\CLSID

Adds value: "IExplore"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{888520A0-2A83-319B-920D-2512699858ED}

The last entry registers the CLSID under the Browser Helper Objects key, which causes Internet Explorer to load dq20279.dll each time the browser starts.

Payload

Contacts remote host

Trojan:Win32/Chepdu.P may contact a remote host at luckby.cc using port 80. Commonly, malware may contact a remote host for the following purposes:

To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 0d988a4099eda460a5b747b7b805f9718fc1a1fd. If you would like to comment on this analysis, please send your feedback to mmpc-amd@microsoft.com.

Last update 10 May 2019
