
Trojan:Win32/Chepdu.B


First posted on 31 March 2019.
Source: Microsoft

Aliases :

Trojan:Win32/Chepdu.B is also known as Trojan.Generic.344082, Trojan.Win32.BHO.eek, Adware-BHO.gen.b, Downloader.Trojan.

Explanation :

Trojan:Win32/Chepdu.B is a trojan that is dropped and installed by TrojanDropper:Win32/Chepdu.A as a BHO (Browser Helper Object). It blocks access to certain websites, generates unwanted popups, and may redirect searches and report statistics back to a remote server.

Installation

Trojan:Win32/Chepdu.B is installed by TrojanDropper:Win32/Chepdu.A as the file %windir%\xml2u32h.dll. This DLL is then loaded every time explorer.exe is run (BHOs are loaded by Windows Explorer as well as by Internet Explorer). It is registered as a BHO by creating the following registry keys and their associated entries:

HKLM\SOFTWARE\Classes\CLSID\{72A128E0-2240-40c8-9E92-5387D64F839E}
HKLM\SOFTWARE\Classes\TypeLib\{6D0111E3-3060-4D23-B2BC-42ED86CBE9A3}
HKLM\SOFTWARE\Classes\XMLLIB.XMLDP
HKLM\SOFTWARE\Classes\XMLLIB.XMLDP.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72A128E0-2240-40c8-9E92-5387D64F839E}
HKLM\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}

It also creates the mutex "dpechu".

Payload

Connects to certain websites

Trojan:Win32/Chepdu.B connects to the following websites to generate unwanted popups:

xmlwindataweb.net
your-searcher.net
exact-results.net

Analysis by Patrik Vicol
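As an added triage example (not part of the Microsoft write-up), the following PowerShell checks a host for the indicators listed above: the registry keys, the dropped DLL, the mutex, and cached DNS lookups for the popup domains. It is read-only and assumes an elevated session on a Windows version that ships the DnsClient module. The WOW6432Node paths are an assumption not stated on the page: a 32-bit BHO on 64-bit Windows is registered under the 32-bit registry view, so both views are checked.

```powershell
# Added triage script for the Trojan:Win32/Chepdu.B indicators named on this page.
# Not Microsoft's code. Read-only; run elevated so every HKLM key is readable.

$Ind = @{
    BhoClsid  = '{72A128E0-2240-40c8-9E92-5387D64F839E}'
    TypeLib   = '{6D0111E3-3060-4D23-B2BC-42ED86CBE9A3}'
    Interface = '{B1E68D42-02C4-465B-8368-5ED9B732E22D}'
    ProgIds   = @('XMLLIB.XMLDP', 'XMLLIB.XMLDP.1')
    DllName   = 'xml2u32h.dll'
    Mutex     = 'dpechu'
    Domains   = @('xmlwindataweb.net', 'your-searcher.net', 'exact-results.net')
}

$findings = New-Object System.Collections.Generic.List[string]

# CLSID and BHO keys are redirected for 32-bit code on 64-bit Windows, so both views
# are checked (assumption: the DLL is 32-bit). ProgID, TypeLib and Interface keys are shared.
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID')
$bhoRoots   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# 1. Exact registry keys the dropper creates. Test-Path returns $false for a missing key.
$keys = @("HKLM:\SOFTWARE\Classes\TypeLib\$($Ind.TypeLib)",
          "HKLM:\SOFTWARE\Classes\Interface\$($Ind.Interface)") +
        ($Ind.ProgIds   | ForEach-Object { "HKLM:\SOFTWARE\Classes\$_" }) +
        ($clsidRoots    | ForEach-Object { "$_\$($Ind.BhoClsid)" }) +
        ($bhoRoots      | ForEach-Object { "$_\$($Ind.BhoClsid)" })
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# 2. Any BHO whose in-process server is the dropped DLL, even under a different CLSID.
#    Each BHO subkey name is a CLSID; CLSID\{...}\InprocServer32's default value is the DLL.
foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($bho in Get-ChildItem -LiteralPath $root) {
        foreach ($cr in $clsidRoots) {
            $server = "$cr\$($bho.PSChildName)\InprocServer32"
            if (-not (Test-Path -LiteralPath $server)) { continue }
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
            if ($dll -and ([IO.Path]::GetFileName($dll) -ieq $Ind.DllName)) {
                $findings.Add("BHO $($bho.PSChildName) loads $dll")
            }
        }
    }
}

# 3. The dropped file itself, hashed so the result can be pivoted on elsewhere.
$dllPath = Join-Path $env:windir $Ind.DllName
if (Test-Path -LiteralPath $dllPath) {
    $hash = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    $findings.Add("file present: $dllPath (SHA256 $hash)")
}

# 4. The mutex exists only while an infected process is running; a bare name is looked up
#    in the current session's Local namespace, which is where an unqualified CreateMutex puts it.
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting($Ind.Mutex, [ref]$m)) {
    $m.Dispose()
    $findings.Add("mutex '$($Ind.Mutex)' is held by a running process")
}

# 5. Popup domains, via the resolver cache so the check itself generates no traffic.
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $Ind.Domains) {
    if ($cache | Where-Object { $_.Entry -like "*$d" }) { $findings.Add("DNS cache entry for $d") }
}

if ($findings.Count -eq 0) { 'No Chepdu.B indicators found.' } else { $findings }
```

A clean host prints nothing but the final line. Because the DNS cache is flushed on reboot and the mutex only exists while the BHO is loaded, absence of those two indicators proves little; the registry and file checks are the durable ones, and the InprocServer32 walk in step 2 also catches a re-registration of the same DLL under a fresh CLSID.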

Last update 31 March 2019
