
TrojanDownloader:Win32/Cbeplay.P


TrojanDownloader:Win32/Cbeplay.P is a trojan that contacts a remote host in order to download and execute arbitrary files, and send information about the infected computer. It may also disable security settings.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior


Installation

This trojan may be distributed via spam email, either directly as a password-protected .zip attachment, or indirectly via a link to a remote copy of the trojan. It may arrive as an attachment on spam emails containing any of the following messages:

Example 1

From: "DHL MANAGER 692" <<removed>@dhl.com>
To: <target_email>
Subject: DHL id. 3190264

Body:
 GOOD DAY!
 Dear Consumer , Delivery Confirmation: FAILED
 Print out the invoice copy attached and collect the package at our department
 With best regards , DHL .com Customer Services

Attachment:
 DHL_log-X69461.zip

Example 2

From: <Sender_email>
To: <Recipient_email>
Subject: Response to my letter, I implore you. I can not do without you.

Body:
 You are currently registered as: lonelywivesdatingclub <dot> com
 
 - Age: 22
 - Neme: Evon
 - Seeking: A Male. Group 23-47
 - Status: ONLINE
 - Service: lonelywivesdatingclub. com  2900 Girls Currently Online
 - Fotos: 8 fotos in attached file.
 - Title: "Christina's Profile
 
 Well i love going to amusment parks i love puppys and i have no kids but want some i dont smoke or drink i love to party and i USED to dance exotic. "

Attachment:
 PhotoY2442465095.zip

Example 3

From: "MC MANAGER 57" <manager<removed>@mastercard.com>
To: <Recipient_email>
Subject:  Your credit card has been blocked

Body:
 Dear Customer,
 
 Your credit card has been blocked!
 With your credit card was removed $ 3718,0
 Possibly illegal operation!
 More information in the attached file.
 Immediately contact your bank .
 
 Best Wishes,
 MASTER CARD Services.

Attachment:
 <random filename>.zip
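The three lures above share a recognisable shape: a themed subject and body, a sender that claims a brand, and a .zip attachment. The script below is an added example (not part of the Microsoft write-up) that rebuilds the three messages from the text, scores each one against those traits, and includes a benign control message. Where the page shows a placeholder (`<removed>`, `<random filename>`, `<Sender_email>`) a constructed value is substituted and marked in a comment; the pattern lists, the scoring threshold and the function names are assumptions for illustration.

```python
"""Triage of inbound mail against the Cbeplay.P spam lures described above.

Added example, not part of the Microsoft write-up. The three messages are
rebuilt from the examples in the text; where the text shows a placeholder
(<removed>, <random filename>) a constructed value is used and marked.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Lure themes drawn from the three examples on the page.
LURE_PATTERNS = {
    "delivery-failure": re.compile(
        r"delivery confirmation|collect the package|invoice copy", re.I),
    "card-blocked": re.compile(
        r"credit card has been blocked|illegal operation|contact your bank", re.I),
    "dating-profile": re.compile(
        r"girls currently online|fotos in attached file|dating", re.I),
}
# Brands the example lures impersonate in the From header.
IMPERSONATED_DOMAINS = ("dhl.com", "mastercard.com")
ARCHIVE_SUFFIXES = (".zip",)


def build_message(sender, recipient, subject, body, attachment_name=None):
    """Build a raw message resembling the samples (constructed test input)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Payload bytes are a dummy; only the filename matters to the triage.
        msg.add_attachment(b"PK\x03\x04dummy", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def triage(raw_bytes):
    """Score one raw message. Returns (score, reasons); 2 or more is suspicious."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "")
    sender = str(msg["From"] or "").lower()
    body, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body += part.get_content()

    reasons = []
    has_archive = any(a.lower().endswith(ARCHIVE_SUFFIXES) for a in attachments)
    if has_archive:
        reasons.append("archive attachment: " + ", ".join(attachments))
    for theme, pattern in LURE_PATTERNS.items():
        if pattern.search(subject + "\n" + body):
            reasons.append("lure theme: " + theme)
    if has_archive and any(d in sender for d in IMPERSONATED_DOMAINS):
        reasons.append("impersonated brand sender with archive attachment")
    return len(reasons), reasons


def triage_samples():
    """Run the triage over the three page examples plus one benign message."""
    samples = [
        # Example 1: sender local part is <removed> on the page; constructed here.
        build_message('"DHL MANAGER 692" <manager.removed@dhl.com>', "target@example.org",
                      "DHL id. 3190264",
                      "GOOD DAY!\nDear Consumer , Delivery Confirmation: FAILED\n"
                      "Print out the invoice copy attached and collect the package at our department\n"
                      "With best regards , DHL .com Customer Services",
                      "DHL_log-X69461.zip"),
        # Example 2: sender and recipient are placeholders on the page; constructed here.
        build_message("sender@example.net", "recipient@example.org",
                      "Response to my letter, I implore you. I can not do without you.",
                      "You are currently registered as: lonelywivesdatingclub <dot> com\n"
                      "- Service: lonelywivesdatingclub. com  2900 Girls Currently Online\n"
                      "- Fotos: 8 fotos in attached file.",
                      "PhotoY2442465095.zip"),
        # Example 3: attachment is <random filename>.zip on the page; constructed here.
        build_message('"MC MANAGER 57" <manager.removed@mastercard.com>', "recipient@example.org",
                      "Your credit card has been blocked",
                      "Dear Customer,\n\nYour credit card has been blocked!\n"
                      "Possibly illegal operation!\nMore information in the attached file.",
                      "statement_1234.zip"),
        # Benign control message with no attachment.
        build_message("colleague@example.org", "you@example.org", "Lunch on Friday?",
                      "Shall we try the new place on the corner?"),
    ]
    return {str(email.message_from_bytes(raw, policy=policy.default)["Subject"]): triage(raw)
            for raw in samples}
```

Each of the three lures scores at least 2 while the control scores 0; the reasons list is what a mail gateway would record so an analyst can see which trait fired. Theme keywords on their own are noisy, which is why the brand-plus-archive combination is scored as a separate reason.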

As part of its installation process, the trojan also injects its code into the legitimate svchost.exe process; the injected code (the download routine) keeps running while the injecting process (the setup routine) terminates.

Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Cbeplay.P may connect to a remote server in order to download and execute additional files.

Contacts remote hosts

The trojan may contact a remote host at 96.126.105.21 via HTTP POST in order to send the following information about the infected computer:

  • Operating system version information
  • Terminal service configuration
  • Software restriction policies
  • System and desktop configuration
  • Network domain and computer name
  • Internet Explorer configuration
  • List of print jobs in target printers
  • Hardware profile for the local computer
  • Geographical location of the user
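The beacon described above, an HTTP POST to 96.126.105.21, is visible in web-proxy logs. The script below is an added example (not part of the Microsoft write-up) that sweeps common-log-format proxy lines for any request to that address and flags the POSTs as beacons. Only the remote address comes from the text; the log lines, client addresses, timestamps and the `/placeholder.php` path are constructed for the sample, and the function names are assumptions.

```python
"""Proxy-log sweep for the Cbeplay.P beacon named above.

Added example, not part of the Microsoft write-up. The remote address
96.126.105.21 is taken from the text; the log lines, client addresses,
timestamps and the URL path are constructed for the sample, and the log
layout is the common log format many proxies emit.
"""
import ipaddress
import re
from collections import Counter

# Indicator from the write-up: the trojan POSTs system details to this host.
C2_ADDRESSES = {ipaddress.ip_address("96.126.105.21")}

# Common log format: client ident user [time] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
HOST_RE = re.compile(r'^[a-z]+://([^/:?#]+)')

# Constructed sample: two beacons from one client, one stray GET, two normal requests.
SAMPLE_LOG = """\
10.1.4.22 - - [14/Sep/2011:08:01:12 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5120
10.1.4.37 - - [14/Sep/2011:08:02:55 +0000] "POST http://96.126.105.21/placeholder.php HTTP/1.1" 200 318
10.1.4.22 - - [14/Sep/2011:08:03:10 +0000] "GET http://96.126.105.21/ HTTP/1.1" 404 221
10.1.4.37 - - [14/Sep/2011:08:07:56 +0000] "POST http://96.126.105.21/placeholder.php HTTP/1.1" 200 322
10.1.4.90 - - [14/Sep/2011:08:09:01 +0000] "POST http://intranet.example.com/login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def destination_ip(url):
    """Return the URL's host as an IP address if it is a literal address, else None."""
    m = HOST_RE.match(url.lower())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # hostname rather than literal address: not resolvable offline
        return None


def find_contacts(log_text):
    """Return every request to a known C2 address, flagging POSTs as beacons."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        ip = destination_ip(fields["url"])
        if ip in C2_ADDRESSES:
            fields["beacon"] = fields["method"] == "POST"
            hits.append(fields)
    return hits


def clients_by_beacon_count(hits):
    """Count beacon POSTs per client so the noisiest host is triaged first."""
    return Counter(h["client"] for h in hits if h["beacon"])


if __name__ == "__main__":
    contacts = find_contacts(SAMPLE_LOG)
    for h in contacts:
        print(f'{h["time"]} {h["client"]} {h["method"]} {h["url"]} beacon={h["beacon"]}')
    print(clients_by_beacon_count(contacts))
```

Any contact with the address is reported, since a GET to a known C2 host is still worth a look, but only the POSTs match the behaviour the write-up describes and those are what the per-client count ranks. Hostnames are deliberately not resolved, so the sweep can run offline against archived logs.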

Allows backdoor access and control

TrojanDownloader:Win32/Cbeplay.P can send an HTTP POST request to a remote server, and execute a server-side PHP script, which allows the remote attacker full access and control over the infected computer.

Terminates security processes

The trojan checks for the presence of the security software process WIRESHARK.EXE and, if found, terminates it.

Analysis by Zarestel Ferrer


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.111.2117.0
Latest detected by definition: 1.187.8.0 and higher
First detected on: Sep 13, 2011
This entry was first published on: Sep 13, 2011
This entry was updated on: Oct 04, 2011

This threat is also detected as:
No known aliases