TrojanDownloader:Win32/Cbeplay.gen!A
First posted on 06 July 2009.
Source: SecurityHome
Aliases :
TrojanDownloader:Win32/Cbeplay.gen!A is also known as Win32/Cbeplay.C (CA), Trojan.Crypt.XPACK.DEC (VirusBuster), Win32/Wigon.LE (ESET), Adware/MalwareDoctor (Panda).
Explanation :
TrojanDownloader:Win32/Cbeplay.gen!A is a trojan that downloads other files. It also steals information about the system, which it then sends to a remote site.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of the following registry modification:
Added value: "Cookie"
With data: "208"
Under subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Installation
Upon execution, TrojanDownloader:Win32/Cbeplay.gen!A may drop itself in the Windows system folder using a random file name, for example, 'avast!antivirus.exe'. It may register itself as a service that automatically runs every time Windows starts:
Adds value: "ImagePath"
With data: "<system folder>\<malware file name> -k netsvcs"
To subkey: HKLM\SYSTEM\ControlSet001\Services\<name>
For example:
Adds value: "ImagePath"
With data: "<system folder>\avast!antivirus.exe -k netsvcs"
To subkey: HKLM\SYSTEM\ControlSet001\Services\avast!antivirus
It also creates the following registry entry:
Adds value: "Cookie"
With data: "208"
Under subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
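The registry changes listed above can be checked for in the saved output of `reg query <key> /s`. The following is an added example, not part of the original write-up: the sample text is constructed, and the function names, the accepted forms of the "Cookie" data and the "not svchost.exe" heuristic are assumptions.

```python
import re

# Constructed sample in `reg query <key> /s` output format (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TaskManager
    Cookie    REG_SZ    208

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\avast!antivirus
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\avast!antivirus.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
"""

VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")
COOKIE_KEY = r"\software\microsoft\windows nt\currentversion\taskmanager"
SERVICE_KEY_RE = re.compile(
    r"\\system\\(?:controlset\d{3}|currentcontrolset)\\services\\[^\\]+$")
NETSVCS_RE = re.compile(r'^"?(.+?)"?\s+-k\s+netsvcs\b', re.IGNORECASE)

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query /s` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def find_indicators(text):
    """Return (indicator, key, data) for each match against the page's indicators."""
    hits = []
    for key, name, data in parse_reg_query(text):
        k, n = key.lower(), name.lower()
        # Marker value from the page. Its registry type is not stated there, so
        # accept the string form and the REG_DWORD display form (assumption).
        if k.endswith(COOKIE_KEY) and n == "cookie" and data in ("208", "0xd0"):
            hits.append(("cookie-marker", key, data))
        # Heuristic (assumption): a service started with "-k netsvcs" whose
        # binary is not svchost.exe, as in the page's ImagePath example.
        elif SERVICE_KEY_RE.search(k) and n == "imagepath":
            m = NETSVCS_RE.match(data)
            if m and m.group(1).rsplit("\\", 1)[-1].lower() != "svchost.exe":
                hits.append(("netsvcs-non-svchost", key, data))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(hit)
```

Because the file name is random, the service check keys on the "-k netsvcs" argument attached to a non-svchost binary rather than on 'avast!antivirus.exe'.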
Payload
Downloads other files
TrojanDownloader:Win32/Cbeplay.gen!A connects to 'malwareconf.info' to download other files, which may be malware. It also sends information it has gathered from the system, such as its operating system version and its geographical location.
Analysis by Andrei Florin Saygo
Last update 06 July 2009