
TrojanDownloader:Win32/Cekar.gen!A


First posted on 15 April 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Cekar.gen!A is also known as Trojan.Killav-132, Win32/Mypis.L, Worm.Win32.AutoRun.br, W32/Cekar, Mal/GamePSW-C, W32.Mumawow.F, PE_MUMAWOW.AO-O, Worm.Win32.Anilogo.

Explanation :

TrojanDownloader:Win32/Cekar.gen!A is a file that may be dropped by Virus:Win32/Cekar variants. Malware detected with this name may vary in functionality, but this can include spreading via logical and removable drives, and/or downloading and executing arbitrary files. An example of the behavior of one such file, dropped by Virus:Win32/Cekar.B and detected as TrojanDownloader:Win32/Cekar.gen!A, can be seen below.

Installation

In this example, TrojanDownloader:Win32/Cekar.gen!A is dropped by Virus:Win32/Cekar.B to %windir%\system\logogogo.exe. The registry is then modified to run this file at each Windows start:

Adds value: logogo
With data: "%windir%\system\logogogo.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

TrojanDownloader:Win32/Cekar.gen!A may also modify numerous registry values associated with the Windows debugger in order to run its executable when particular files are executed. Windows starts the program named in an Image File Execution Options "Debugger" value in place of the listed executable, so pointing these values at the dropped file for antivirus components (here, F-PROT files) means that launching the scanner launches the malware instead. For example:

Modifies value: Debugger
With value: "%windir%\system\logogogo.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT95.EXE

Modifies value: Debugger
With value: "%windir%\system\logogogo.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.EXE

Modifies value: Debugger
With value: "%windir%\system\logogogo.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.EXE

Spreads Via... Logical and Removable Drives

In this instance, TrojanDownloader:Win32/Cekar.gen!A spreads to logical and removable drives. The worm copies itself to available drives as 'xp.exe'. Upon copying itself to a drive, the worm creates a file named 'autorun.inf', also in the root of the drive. The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload

Downloads Files

TrojanDownloader:Win32/Cekar.gen!A may attempt to download files from remote Web sites.

Analysis by Patrick Nolan
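The following audit script is an added example, not part of the Microsoft write-up and not code from the malware. It checks a live Windows host for the three mechanisms described above: Run-key persistence, Image File Execution Options "Debugger" hijacks of antivirus executables, and an autorun.inf plus payload in the root of logical or removable drives. The IFEO target names and the %windir%\system drop location come from the write-up; the function names, the trusted-directory heuristic and the severity labels are my own assumptions. It is meant to be run in an elevated PowerShell session.

```powershell
# Added audit script (not from the Microsoft write-up or the malware itself).
# Assumptions: elevated PowerShell; IFEO target names and the
# %windir%\system location are from the write-up, all helper names and the
# "trusted directory" heuristic are illustrative.

$ErrorActionPreference = 'SilentlyContinue'
$Findings = [System.Collections.Generic.List[object]]::new()
# IFEO subkeys named in the write-up (F-PROT antivirus components).
$KnownTargets = @('F-PROT95.EXE', 'F-PROT.EXE', 'F-AGNT95.EXE')

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# First executable on a command line, with %windir% etc. expanded.
function Get-ExecutablePath([string]$CommandLine) {
    $Expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($Expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($Expanded -split '\s+')[0]
}

# Heuristic: binaries under Program Files or System32 are treated as expected;
# anything else (e.g. %windir%\system\logogogo.exe) is reported.
function Test-TrustedLocation([string]$Path) {
    $Trusted = @("$env:ProgramFiles\", "${env:ProgramFiles(x86)}\", "$env:windir\System32\")
    foreach ($Dir in $Trusted) {
        if ($Dir.Length -gt 1 -and $Path.StartsWith($Dir, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

# 1. Run-key persistence (HKLM, WOW6432Node and HKCU).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    $Item = Get-Item -Path $Key
    if (-not $Item) { continue }
    foreach ($Name in $Item.GetValueNames()) {
        $Cmd = [string]$Item.GetValue($Name)
        if (-not (Test-TrustedLocation (Get-ExecutablePath $Cmd))) { Add-Finding 'RunKey' "$Key\$Name" $Cmd }
    }
}

# 2. IFEO: every Debugger value is listed; it is labelled HIJACK when the hooked
#    program is one of the AV names above or the "debugger" is outside trusted dirs.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($Sub in Get-ChildItem -Path $Ifeo) {
    $Debugger = [string]$Sub.GetValue('Debugger')
    if (-not $Debugger) { continue }
    $Target = $Sub.PSChildName
    $Suspicious = ($KnownTargets -contains $Target) -or -not (Test-TrustedLocation (Get-ExecutablePath $Debugger))
    $Severity = if ($Suspicious) { 'HIJACK' } else { 'review' }
    Add-Finding "IFEO/$Severity" "$Ifeo\$Target" $Debugger
}

# 3. autorun.inf in drive roots: parse the [autorun] section for the directives
#    Explorer acts on (open, shellexecute, shell\...\command) and check whether
#    the referenced file (e.g. xp.exe) is actually present next to it.
function Get-AutorunTargets([string]$InfPath) {
    $Targets = @()
    $InAutorun = $false
    foreach ($Line in Get-Content -LiteralPath $InfPath) {
        $Line = $Line.Trim()
        if ($Line -match '^\[(.+)\]$') { $InAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if ($InAutorun -and $Line -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $Targets += $Matches[2].Trim()
        }
    }
    return $Targets
}

# DriveType 2 = removable, 3 = local fixed disk ("logical and removable drives").
foreach ($Drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3') {
    $Inf = Join-Path $Drive.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $Inf)) { continue }
    $Targets = @(Get-AutorunTargets $Inf)
    if ($Targets.Count -eq 0) { Add-Finding 'Autorun' $Inf 'autorun.inf present, no run directive'; continue }
    foreach ($T in $Targets) {
        $File = (($T -split '\s+')[0]) -replace '^\.\\', ''
        $Present = Test-Path -LiteralPath (Join-Path $Drive.DeviceID $File)
        Add-Finding 'Autorun' $Inf "runs '$T' (file present: $Present)"
    }
}

$Findings | Sort-Object Type | Format-Table -AutoSize
```

Two caveats when reading the output. An IFEO "Debugger" value is not proof of compromise on its own (development tools such as Visual Studio's just-in-time debugger register one), which is why only entries that hook the AV names from the write-up or point outside Program Files/System32 are labelled HIJACK; the rest are marked for review. Likewise, as the write-up notes, an autorun.inf alone is not an infection indicator; the script therefore reports whether the file it names really exists in the drive root. Since Windows 7 (and the corresponding update for Vista/XP) Explorer no longer honours autorun.inf on non-optical removable media, so this spreading vector mostly matters for the older systems the sample targeted, but the dropped xp.exe and autorun.inf are still useful forensic artifacts.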

Last update 15 April 2019
