Trojan.Downloader.Exchanger.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Downloader.Exchanger.A is also known as TR/Crypt.FKM.Gen, Dialer.gen14.
Explanation:
This malware spreads by tricking users into clicking links in unsolicited bulk e-mail (spam) and running the executable downloaded from those links. The messages promise explicit videos of celebrities; two subject lines have been observed so far:
New naked Britney video
Paris Hilton New Video Auditioning Topless
The links in these e-mails abuse an open redirect on Google to mask the true destination: when the user inspects the link, she sees a google.com URL, which she will probably trust, but Google in turn redirects her to the site given as a parameter of that URL. Google appears to use such URLs to forward users who click on advertisements served through its AdSense program; because the parameter is not validated sufficiently, the malware authors can rewrite it and redirect users to arbitrary sites.
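To make the masking concrete, here is an added example (not BitDefender's code and not the malware's) that unwraps redirector-style links the way a mail filter might, so the host the user sees can be compared with the host the link really lands on. The parameter names it checks (q and url), the constructed sample links, and the example-bad.invalid destination host are assumptions made for this example; the page only says that the destination is passed as a parameter of the Google URL.

```python
from urllib.parse import urlparse, parse_qs

# Redirectors and the query parameters that carry their destination.
# The page says only that Google's redirect takes the target "as a
# parameter"; the parameter names here are an assumption for this example.
REDIRECTORS = {
    "google.com": ("q", "url"),
}

MAX_HOPS = 5  # guard against redirector chains that loop


def redirect_target(url):
    """If `url` is a recognised redirector, return the URL it forwards to;
    otherwise return None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for redirector, params in REDIRECTORS.items():
        if host != redirector and not host.endswith("." + redirector):
            continue
        query = parse_qs(parsed.query)  # percent-decodes the values once
        for name in params:
            if name in query:
                target = query[name][0]
                # Only an absolute http(s) URL can be a redirect destination;
                # an ordinary search query such as q=britney+video is not one.
                if urlparse(target).scheme in ("http", "https"):
                    return target
    return None


def final_destination(url):
    """Follow redirector parameters until a non-redirector URL is reached."""
    current = url
    for _ in range(MAX_HOPS):
        nxt = redirect_target(current)
        if nxt is None:
            break
        current = nxt
    return current


def classify_link(url):
    """Return (verdict, displayed_host, final_host).

    verdict is 'masked' when the host the user sees only forwards to a
    different host, and 'direct' when the link really lands where it says."""
    displayed = (urlparse(url).hostname or "").lower()
    final = (urlparse(final_destination(url)).hostname or "").lower()
    verdict = "masked" if final != displayed else "direct"
    return (verdict, displayed, final)


# Constructed sample links of the kind a mail filter would pull out of such
# messages. The destination host is a reserved .invalid name, not a real site.
SAMPLE_LINKS = [
    "http://www.google.com/url?q=http://example-bad.invalid/britney.exe",
    "http://www.google.com/search?q=britney+video",
    "http://www.google.com/url?q=http%3A%2F%2Fexample-bad.invalid%2Fparis.exe",
]


def scan_links(links=SAMPLE_LINKS):
    """Classify each link; a filter would quarantine the 'masked' ones."""
    return [(link,) + classify_link(link) for link in links]


if __name__ == "__main__":
    for link, verdict, shown, real in scan_links():
        print(f"{verdict:6} shown={shown:<15} real={real:<22} {link}")
```

The check follows the parameter rather than fetching the page, so it runs offline and cannot itself be redirected anywhere; a production filter would additionally resolve nested redirectors across several providers and compare the final host against a reputation list. Note that the ordinary Google search link in the sample is correctly left alone: its q value is a search string, not an absolute URL.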
Once run, the malware copies itself into the system directory (C:\Windows\System32 on a default Windows XP installation) under the name CbEvtSvc.exe and registers itself as a system service. It then contacts the original server over an encrypted SSL connection and requests a list of files to download. Currently it downloads two additional files:
A version of the Srizbi trojan (detected as Trojan.Srizbi.AS), which contains a kernel-mode driver with rootkit and spamming functionality
A trojan (detected as Generic.Mydoom.7C3714C0) which scans the infected machine's hard drive for e-mail addresses and sends them back to a central server
Last update 21 November 2011