Encyclopedia entry
Updated: Oct 04, 2011 | Published: Sep 13, 2011
Aliases
Not available
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.121.1236.0, released Mar 09, 2012 | Detection initially created: Definition 1.111.2117.0, released Sep 13, 2011
Summary
TrojanDownloader:Win32/Cbeplay.P is a trojan that contacts a remote host in order to download and execute arbitrary files, and send information about the infected computer. It may also disable security settings.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.
Technical Information (Analysis)
TrojanDownloader:Win32/Cbeplay.P is a trojan that contacts a remote host in order to download and execute arbitrary files, and send information about the infected computer. It may also disable security settings.
Installation
This trojan may be distributed via spam email, either directly as a password-protected .zip attachment, or indirectly via a link to a remote copy of the trojan. It may arrive as an attachment on spam emails containing any of the following messages:
Example 1
From: "DHL MANAGER 692" <<removed>@dhl.com>
To: <target_email>
Subject: DHL id. 3190264
Body:
GOOD DAY!
Dear Consumer , Delivery Confirmation: FAILED
Print out the invoice copy attached and collect the package at our department
With best regards , DHL .com Customer Services
Attachment:
DHL_log-X69461.zip
Example 2
From: <Sender_email>
To: <Recipient_email>
Subject: Response to my letter, I implore you. I can not do without you.
Body:
You are currently registered as: lonelywivesdatingclub <dot> com
- Age: 22
- Neme: Evon
- Seeking: A Male. Group 23-47
- Status: ONLINE
- Service: lonelywivesdatingclub. com 2900 Girls Currently Online
- Fotos: 8 fotos in attached file.
- Title: "Christina's Profile
Well i love going to amusment parks i love puppys and i have no kids but want some i dont smoke or drink i love to party and i USED to dance exotic. "
Attachment:
PhotoY2442465095.zip
Example 3
From: "MC MANAGER 57" <manager<removed>@mastercard.com>
To: <Recipient_email>
Subject: Your credit card has been blocked
Body:
Dear Customer,
Your credit card has been blocked!
With your credit card was removed $ 3718,0
Possibly illegal operation!
More information in the attached file.
Immediately contact your bank .
Best Wishes,
MASTER CARD Services.
Attachment:
<random filename>.zip
As part of its installation process, the trojan also injects its code into a legitimate svchost.exe process. The injected code (the download routine) keeps running, while the injecting process (the setup routine) terminates.
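The three lures above share one delivery pattern: a brand-spoofing or dating-themed subject, a spoofed sender domain, and a .zip attachment that is often password-protected so that gateway scanners cannot open it. The following mail-triage script is an added example written for this entry, not Microsoft's code; the subject fragments and sender domains come from the lures quoted above, while the two sample messages, the recipient address and the archive contents are constructed. Password protection is inferred from bit 0 of the ZIP general-purpose flag, which the central directory exposes without a password.

```python
"""Triage of inbound mail for the lure pattern documented above: a branded or
dating-themed message carrying a .zip attachment, often password-protected.
Added example; not Microsoft's code. Sample messages are constructed."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Subject fragments and spoofed sender domains taken from the three lures above.
SUBJECT_PATTERNS = [
    re.compile(r"^DHL id\.", re.I),
    re.compile(r"credit card has been blocked", re.I),
    re.compile(r"Response to my letter", re.I),
]
SPOOFED_SENDER_DOMAINS = {"dhl.com", "mastercard.com"}


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry sets bit 0 ('encrypted') of the ZIP general-purpose flag.
    Only the central directory is read, so no password is needed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Return the indicators found in one RFC 822 message and a verdict."""
    msg = message_from_bytes(raw)
    subject = msg.get("Subject", "")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        findings.append("lure-subject")
    if sender_domain in SPOOFED_SENDER_DOMAINS:
        findings.append("spoofed-brand-sender")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            findings.append("zip-attachment")
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                findings.append("password-protected-zip")
    # Two independent indicators are required before the message is held.
    return {"subject": subject, "findings": findings, "suspicious": len(findings) >= 2}


def make_zip(member: str, content: bytes, encrypted_flag: bool) -> bytes:
    """Build a one-entry ZIP; optionally set the 'encrypted' flag bit the way a
    password-protected archive does (the content itself stays in clear, which
    is enough to exercise the flag check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x01                      # local file header flag, offset 6
        cd = data.find(b"PK\x01\x02")        # central directory header
        data[cd + 8] |= 0x01                 # its flag field, offset 8
    return bytes(data)


def build_message(sender: str, subject: str, body: str, attachment: str, payload: bytes) -> bytes:
    """Assemble a constructed test message with one .zip attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"   # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one modelled on the DHL lure above, one ordinary message.
SAMPLES = {
    "dhl_lure": build_message(
        '"DHL MANAGER 692" <manager@dhl.com>', "DHL id. 3190264",
        "Print out the invoice copy attached and collect the package at our department",
        "DHL_log-X69461.zip", make_zip("DHL_log.exe", b"not a real executable", True)),
    "benign": build_message(
        "colleague@example.invalid", "Q3 figures", "Attached as discussed.",
        "figures.zip", make_zip("figures.csv", b"1,2,3", False)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The verdict deliberately needs two indicators: a lone .zip attachment is routine business mail, but a .zip whose entries carry the encrypted flag on a message that also spoofs dhl.com or mastercard.com matches exactly the delivery described for this family.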
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Cbeplay.P may connect to a remote server in order to download and execute additional files.
Contacts remote hosts
The trojan may contact a remote host at 96.126.105.21 via HTTP POST in order to send the following information about the infected computer:
- Operating system version information
- Terminal service configuration
- Software restriction policies
- System and desktop configuration
- Network domain and computer name
- Internet Explorer configuration
- List of print jobs in target printers
- Hardware profile for the local computer
- Geographical location of the user
Allows backdoor access and control
TrojanDownloader:Win32/Cbeplay.P can send an HTTP POST request to a remote server, and execute a server-side PHP script, which allows the remote attacker full access and control over the infected computer.
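Both the reporting channel (HTTP POST of the host inventory listed above) and the backdoor channel (HTTP POST that drives a server-side PHP script) leave the same trace in web-proxy logs. The script below is an added example written for this entry, not Microsoft's code. The address 96.126.105.21 is the one given in this analysis; the log layout, the client addresses, the request paths (including /index.php) and the sample lines are constructed. It also generalizes beyond the page with a weaker, second-tier heuristic: a POST of a .php resource on a bare-IP host, which is the shape the page describes but which is worth a triage ticket rather than a block on its own.

```python
"""Detection of the Cbeplay.P reporting channel described above: HTTP POSTs to
96.126.105.21 (the address given in the analysis) and, as a weaker heuristic,
POSTs of a .php script on a bare-IP host. Added example, not Microsoft's code;
the log layout and all sample lines are constructed."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicator from the analysis above; extend the set as further hosts are confirmed.
KNOWN_C2 = {ip_address("96.126.105.21")}

# Assumed "epoch client method url status" proxy log layout (constructed).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\b")

# Constructed sample log: one hit on the documented host, one bare-IP PHP POST,
# two ordinary requests and one unparseable line.
SAMPLE_LOG = """\
1316000000.123 10.0.0.5 POST http://96.126.105.21/index.php 200
1316000001.456 10.0.0.5 GET http://www.example.com/ 200
1316000002.789 10.0.0.9 POST http://203.0.113.7/upload.php 200
1316000003.000 10.0.0.9 POST http://example.org/login 302
garbage line that does not parse
"""


def classify(method: str, url: str):
    """Return a reason string for a suspicious request, or None."""
    parts = urlsplit(url)
    host = parts.hostname
    try:
        ip = ip_address(host) if host else None
    except ValueError:          # a DNS name, not a literal address
        ip = None
    if ip in KNOWN_C2:
        return "known-c2-host"
    if method == "POST" and ip is not None and parts.path.lower().endswith(".php"):
        return "post-php-to-bare-ip"
    return None


def scan(log_text: str) -> list:
    """Walk proxy log lines and collect the requests worth escalating."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue            # malformed lines are skipped, not fatal
        reason = classify(m["method"], m["url"])
        if reason:
            hits.append({"client": m["client"], "url": m["url"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the destination address rather than on a URL substring matters here: the page documents the host, not a path, and a literal-IP match also survives a change of script name on the server.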
Terminates security processes
The trojan checks for the presence of the security software process WIRESHARK.EXE and, if found, terminates it.
Analysis by Zarestel Ferrer