TrojanDownloader:Win32/Cbeplay.gen!E is a trojan that may upload computer operating system details to a remote web site and download and execute arbitrary files. This trojan may be distributed via spam e-mail, either directly as a password-protected zip attachment, or indirectly via a link to a remote copy of the trojan.
Installation
When run, this trojan drops a copy of itself into the Windows system folder as either 'CbEvtSvc.exe' or 'CdbgEvtSvc.exe', and registers itself to run as a service at each Windows start. The trojan makes the following registry modifications when creating its service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
or
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDBGEVTSVC
The service runs at Windows start with a Display Name of 'CbEvtSvc', with the following parameters:
"%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
or
"%SystemRoot%\System32\CdbgEvtSvc.exe -k netsvcs"
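The following PowerShell check is an added example, not part of the original encyclopedia entry: it looks for the persistence artifacts listed above (the dropped executable in the system folder, the service key with its '-k netsvcs' image path, and the LEGACY_ enum key) for both service names. The output wording is my own; the script assumes it is run from an elevated prompt so the Enum\Root keys are readable.

```powershell
# Added example (not from the original entry): checks a host for the
# Cbeplay.gen!E persistence artifacts described above. Run elevated.
$serviceNames = @('CbEvtSvc', 'CdbgEvtSvc')   # both names given in the entry
$system32 = Join-Path $env:SystemRoot 'System32'
$findings = @()

foreach ($name in $serviceNames) {
    # 1. Dropped copy in the Windows system folder
    $exe = Join-Path $system32 "$name.exe"
    if (Test-Path -LiteralPath $exe) {
        $findings += "File present: $exe"
    }

    # 2. Service registration under CurrentControlSet\Services
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path -LiteralPath $svcKey) {
        $props = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
        $findings += "Service key present: $svcKey (ImagePath: $($props.ImagePath))"
        # The entry lists the binary started with '-k netsvcs', mimicking a svchost group
        if ($props.ImagePath -and $props.ImagePath -match '-k\s+netsvcs') {
            $findings += "ImagePath uses '-k netsvcs' as described for Cbeplay"
        }
    }

    # 3. Legacy enum key created alongside the service (LEGACY_CBEVTSVC etc.)
    $legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($name.ToUpper())"
    if (Test-Path -LiteralPath $legacyKey) {
        $findings += "Legacy enum key present: $legacyKey"
    }

    # 4. Live service object, if the Service Control Manager knows it
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service '$name' registered, status: $($svc.Status)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Cbeplay.gen!E persistence artifacts found.'
} else {
    Write-Output 'Possible Cbeplay.gen!E artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on any single item warrants a closer look at the binary and its service configuration; a clean run only covers the artifacts this entry names.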
Payload
Sends Computer Information
This trojan may generate a system information report and upload the gathered information to a remote server, presumably for an attacker's benefit. Gathered details can include, for example, the operating system version, user name, and location. The upload is performed with an HTTP POST request to a script hosted on the remote server.
Remote Access Control
TrojanDownloader:Win32/Cbeplay.gen!E may send an HTTP POST request to a remote server and execute a server-side PHP script, which allows the remote attacker full control over the infected computer.
Downloads and Executes Arbitrary Files
This trojan may download additional files from other malicious sites. These files may include additional malware. In the wild, we have observed Cbeplay downloading variants of the Win32/Rustock family of trojans. For more information on Win32/Rustock, please see elsewhere in this encyclopedia.
Additional Information
We have received reports that this trojan has been distributed indirectly via a spam e-mail that masqueraded as the CNN.com Daily Top 10. Rather than linking to the CNN Top 10 stories, the links provided in the e-mail directed users to a remote copy of the trojan. In these cases the trojan may have been distributed with the following filenames:
adobe_flash.exe
scaner.exe