TrojanDownloader:Win32/Chekafe.B
First posted on 08 February 2010.
Source: SecurityHome

Aliases :
TrojanDownloader:Win32/Chekafe.B is also known as Trojan-Downloader.Win32.Small.kjo (Kaspersky), Win32/TrojanDownloader.Chekafe.A (ESET).
Explanation :
TrojanDownloader:Win32/Chekafe.B is a trojan that downloads and executes arbitrary files from a remote host.
Installation
Upon execution, TrojanDownloader:Win32/Chekafe.B modifies the system registry as a mark of its successful installation:

Adds value: "ListVer"
With data: "1.0"
To subkey: HKLM\Software\CPACO

Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Chekafe.B connects to remote hosts in order to download a configuration file to the affected computer. In the wild, TrojanDownloader:Win32/Chekafe.B has been observed to contact the following host for this purpose:

cocolist.productso.cn

This downloaded configuration file is saved to %Program Files%/nowlist.dat. It contains a list of URLs from which to download and execute files. At the time of writing, the files observed to be downloaded in this manner are online game password stealer trojans, including the following:

PWS:Win32/Frethog.AD
PWS:Win32/Lolyda.AO
PWS:Win32/Frethog.AR
PWS:Win32/Frethog.AU
PWS:Win32/OnLineGames.GP

TrojanDownloader:Win32/Chekafe.B also attempts to download another executable file from the following domain, which is detected as Trojan:Win32/Chekafe.A:

gova.0891e.com.cn

Stop system service

TrojanDownloader:Win32/Chekafe.B attempts to stop the "sharedaccess" service to disable Windows Firewall/Internet Connection Sharing.
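A host-triage check for the indicators described above (the HKLM\Software\CPACO "ListVer" marker, the nowlist.dat configuration file and the stopped "sharedaccess" service), written as an added PowerShell example for responders; it is not part of the original analysis. It assumes nowlist.dat is a plain-text file with one URL per line (the description only says it holds a list of URLs) and looks in %ProgramFiles% only.

```powershell
# Added triage check for TrojanDownloader:Win32/Chekafe.B host indicators.
# Run in an elevated PowerShell session; returns a list of findings (empty = clean).
function Test-ChekafeIndicators {
    $findings = @()

    # 1. Registry installation marker: HKLM\Software\CPACO, value "ListVer" = "1.0"
    $regPath = 'HKLM:\Software\CPACO'
    if (Test-Path $regPath) {
        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.ListVer) {
            $findings += "Registry marker present: $regPath\ListVer = '$($props.ListVer)'"
        } else {
            $findings += "Registry key $regPath exists but has no ListVer value"
        }
    }

    # 2. Downloaded configuration file: %Program Files%\nowlist.dat
    $cfgPath = Join-Path $env:ProgramFiles 'nowlist.dat'
    if (Test-Path $cfgPath) {
        $hash = (Get-FileHash -Path $cfgPath -Algorithm SHA256).Hash
        $findings += "Configuration file present: $cfgPath (SHA256 $hash)"
        # Assumption: one URL per line; surface each download URL for review
        # (do not fetch them).
        foreach ($line in (Get-Content -Path $cfgPath -ErrorAction SilentlyContinue)) {
            if ($line -match '^\s*https?://') {
                $findings += "  URL listed in nowlist.dat: $($line.Trim())"
            }
        }
    }

    # 3. Windows Firewall / ICS service ("sharedaccess") not running
    $svc = Get-Service -Name 'sharedaccess' -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.Status -ne 'Running') {
        $findings += "Service sharedaccess is $($svc.Status) (expected Running)"
    }

    return $findings
}

$result = @(Test-ChekafeIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Chekafe.B host indicators found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

A stopped sharedaccess service on its own is weak evidence, since it is also disabled legitimately on some builds; treat it as corroborating only when the registry marker or nowlist.dat is also present.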
Analysis by Chun Feng

Last update 08 February 2010