Trojan:Win32/Carberp.I
First posted on 17 February 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Carberp.I.
Explanation:
Threat behavior
Installation
This malware can install itself to the following locations:
- %ProgramFiles%\NVIDIA Corporation\Updates
- %ProgramFiles%\NVIDIA Corporation\Update Center
We have seen it use the following file names:
- nvupd32.exe
- NvdUpd.exe
It creates the following registry entry:
In subkey: HKCU\Software\NVIDIA Corporation\Global\nvUpdSrv
Sets value: "value"
With data: "", for example "14141127" or "20140524"
It might create a service that runs when your PC starts with the following name:
- NVIDIA Update Server
Payload
Connects to a remote host
The malware connects to a remote site using a random TCP port. For example, we have seen it connect to the following sites:
- 31.132.4.254 from port 44945
- 89.35.149.198 from port 35535
- 89.187.132.9 from port 26175
- 108.163.235.162 from port 51863
- 109.104.94.2 from port 11754
It connects to the remote site to do any of the following:
- Check for an Internet connection.
- Download and run other files, including other malware. The files are saved to %TEMP% with a random file name.
- Report a new infection to its author.
Additional information
This threat can create the mutex Global\MD7H82HHF7EH2D73.
Analysis by James Dee
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
- nvupd32.exe
- NvdUpd.exe
- You see these entries or keys in your registry:
In subkey: HKCU\Software\NVIDIA Corporation\Global\nvUpdSrv
Sets value: "value"
With data: "", for example "14141127" or "20140524"
Last update 17 February 2015
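The installation, payload and symptom sections above together list every host-side artifact of this threat: two drop directories, two file names, one HKCU registry value, one service name, one global mutex and five remote addresses. The following read-only triage script checks a Windows host for all of them at once. It is an added example, not part of the Microsoft write-up; the function name Test-CarberpIArtifacts and the output format are this example's own, every path, name and address comes from the page, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection). The HKCU check only covers the user running the script; other profiles would need their hive loaded under HKEY_USERS.

```powershell
# Added example: read-only triage for the Trojan:Win32/Carberp.I artifacts
# listed in the write-up above. Indicators are copied from the page; the
# function name and output shape are this example's own. Run elevated.

function Test-CarberpIArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped binaries in the NVIDIA-lookalike folders
    $dirs  = @("$env:ProgramFiles\NVIDIA Corporation\Updates",
               "$env:ProgramFiles\NVIDIA Corporation\Update Center")
    $names = @('nvupd32.exe', 'NvdUpd.exe')
    foreach ($d in $dirs) {
        foreach ($n in $names) {
            $p = Join-Path $d $n
            if (Test-Path -LiteralPath $p) {
                $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                $findings.Add("file: $p sha256=$hash")
            }
        }
    }

    # 2. Registry marker in HKCU (current user only; other profiles need
    #    their hive loaded under HKEY_USERS)
    $key = 'HKCU:\Software\NVIDIA Corporation\Global\nvUpdSrv'
    $val = Get-ItemProperty -LiteralPath $key -Name 'value' -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $findings.Add("registry: $key\value = '$($val.value)'")
    }

    # 3. Optional service named after a real NVIDIA component; match on
    #    either the short name or the display name
    $svc = Get-Service -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq 'NVIDIA Update Server' -or
                          $_.DisplayName -eq 'NVIDIA Update Server' }
    foreach ($s in $svc) {
        $path = (Get-CimInstance Win32_Service -Filter "Name='$($s.Name)'").PathName
        $findings.Add("service: $($s.Name) status=$($s.Status) path=$path")
    }

    # 4. Global mutex held by a running instance. TryOpenExisting returns
    #    $false when no such mutex exists and throws only on access denial.
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting('Global\MD7H82HHF7EH2D73', [ref]$m)) {
            $m.Dispose()
            $findings.Add('mutex: Global\MD7H82HHF7EH2D73 is held by a running process')
        }
    } catch [System.UnauthorizedAccessException] {
        $findings.Add('mutex: Global\MD7H82HHF7EH2D73 exists but is not readable from this session')
    }

    # 5. Live TCP connections to the remote addresses reported by the analysts
    $c2 = @('31.132.4.254', '89.35.149.198', '89.187.132.9',
            '108.163.235.162', '109.104.94.2')
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $c2 -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add("network: $($_.LocalAddress):$($_.LocalPort) -> " +
                          "$($_.RemoteAddress):$($_.RemotePort) " +
                          "pid=$($_.OwningProcess) ($($proc.ProcessName))")
        }

    return $findings
}

$hits = Test-CarberpIArtifacts
if ($hits.Count -eq 0) { 'No Carberp.I artifacts found.' } else { $hits }
```

The script only reads: it hashes any dropped file so the sample can be preserved for analysis, and it records the owning process of any matching connection, but it does not stop services, delete files or kill processes. Because the downloaded payloads land in %TEMP% under random names, a hit from this script should be followed by a broader look at recent executables in that directory rather than by treating the listed names as exhaustive.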