Threat behavior
TrojanDownloader:Win32/Cbeplay.I is a trojan that downloads additional malware. It is often distributed via spam e-mail, either in an attachment or via a link to the trojan.
Installation
Cbeplay.I copies itself to <system folder>\CbEvtSvc.exe and installs itself as a service:
Service name: CbEvtSvc
Display name: CbEvtSvc
Path: <system folder>\CbEvtSvc.exe -k netsvcs
Startup type: Automatic
Payload
Downloads and Executes Arbitrary Files
After installation, Cbeplay.I waits for some time before performing an HTTP POST request to a URL such as http://x.x.x.x/ldr/client02/ldrctl.php. The information in the POST data is basic: the affected machine's operating system version, an identifying value of some kind and the trojan's internal version number. In return the trojan retrieves a list of URLs. Cbeplay.I then attempts to retrieve these URLs, save them to the Application Data directory (e.g. C:\Documents and Settings\<username>\Application Data) and execute them.
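The service configuration and the ldrctl.php check-in described above are the two indicators a defender can hunt for. The following is an added example, not code from the original entry: it applies those indicators to service records and proxy log lines; the records, log lines, paths and IP addresses are constructed samples (the entry gives only x.x.x.x for the server).

```python
# Added example (not part of the original encyclopedia entry): hunting logic for
# the host and network indicators the entry gives for Cbeplay.I. The service
# records and proxy log lines below are constructed sample data, not telemetry.
import re
from dataclasses import dataclass

# Indicators taken from the entry: service name, image name, "-k netsvcs"
# argument and the POST beacon path. Any host in the URL is accepted because
# the entry only gives x.x.x.x as a placeholder.
SERVICE_NAME = "cbevtsvc"
IMAGE_RE = re.compile(r"\\cbevtsvc\.exe\b", re.IGNORECASE)
NETSVCS_RE = re.compile(r"-k\s+netsvcs\b", re.IGNORECASE)
BEACON_RE = re.compile(
    r"\bPOST\s+https?://[^/\s]+/ldr/client02/ldrctl\.php\b", re.IGNORECASE)

@dataclass
class ServiceRecord:
    name: str
    display_name: str
    path: str        # ImagePath as reported by sc.exe / the Services registry key
    start_mode: str  # e.g. "Auto", "Manual"

def service_findings(svc: ServiceRecord) -> list[str]:
    """Return the indicator matches for one service record (empty == clean)."""
    hits = []
    if SERVICE_NAME in (svc.name.lower(), svc.display_name.lower()):
        hits.append("service name matches CbEvtSvc")
    if IMAGE_RE.search(svc.path):
        hits.append("image path is CbEvtSvc.exe")
        # Legitimate "-k netsvcs" hosting is done by svchost.exe; a stand-alone
        # binary taking that argument is mimicking a service host.
        if NETSVCS_RE.search(svc.path):
            hits.append("non-svchost binary passed -k netsvcs")
    return hits

def beacon_lines(log_lines: list[str]) -> list[str]:
    """Return proxy log lines that look like the ldrctl.php check-in."""
    return [line for line in log_lines if BEACON_RE.search(line)]

# Constructed sample data: one matching service, one benign svchost-hosted one.
SAMPLE_SERVICES = [
    ServiceRecord("CbEvtSvc", "CbEvtSvc", r"C:\WINDOWS\system32\CbEvtSvc.exe -k netsvcs", "Auto"),
    ServiceRecord("Dhcp", "DHCP Client", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "Auto"),
]
SAMPLE_LOG = [
    "2009-03-01 10:02:11 192.0.2.10 POST http://198.51.100.7/ldr/client02/ldrctl.php 200 188",
    "2009-03-01 10:02:12 192.0.2.10 GET http://www.example.com/index.html 200 5120",
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(svc.name, service_findings(svc) or "clean")
    print(beacon_lines(SAMPLE_LOG))
```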
Cbeplay.I generally downloads three or four files. It has been observed to download variants of Win32/Srizbi and Win32/Rustock, but currently it usually downloads variants of Win32/Cutwail (a spam bot), Win32/Festeal (an e-mail address harvester) and Win32/Prefsap (an FTP account password stealer).
It also often downloads malware that installs rogue security products and has been known to install Win32/Antivirusxp and Win32/FakeRean in this way. Recently it has downloaded a trojan called Win32/Relbma.A, which may redirect the user's browser to web sites hosting variants of the Win32/Winfixer family of rogues.
Analysis by Hamish O'Dea
Prevention