TrojanDownloader:Win32/Cbeplay.gen!A


TrojanDownloader:Win32/Cbeplay.gen!A is a trojan that downloads other files. It also steals information about the system, which it then sends to a remote site.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
Upon execution, TrojanDownloader:Win32/Cbeplay.gen!A may drop itself in the Windows system folder using a random file name, for example, 'avast!antivirus.exe'.
 
It may register itself as a service that automatically runs every time Windows starts:
 
Adds value: "ImagePath"
With data: "<system folder>\<malware file name> -k netsvcs"
To subkey: HKLM\SYSTEM\ControlSet001\Services\<name>
 
For example:
 
Adds value: "ImagePath"
With data: "<system folder>\avast!antivirus.exe -k netsvcs"
To subkey: HKLM\SYSTEM\ControlSet001\Services\avast!antivirus
 
It also creates the following registry entry:
 
Adds value: "Cookie"
With data: "208"
Under subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\TaskManager

Payload

Downloads other files
TrojanDownloader:Win32/Cbeplay.gen!A connects to 'malwareconf.info' to download other files, which may be malware. It also sends information it has gathered from the system, such as its operating system version and its geographical location.
 
Analysis by Andrei Florin Saygo

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modification:
    Added value: "Cookie"
    With data: "208"
    Under subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
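
As an added defender's check (not from the original entry or from any Microsoft tool), the Python below parses a constructed, simplified registry export and flags the two artifacts described in the Installation and Symptoms sections: a service whose ImagePath runs something other than svchost.exe with "-k netsvcs" (a legitimate netsvcs host is always svchost.exe), and the Cookie = 208 value under the TaskManager key. The sample export is constructed; it uses plain string values, whereas a real .reg export stores REG_EXPAND_SZ data as hex(2), which this parser does not handle.

```python
import re

# Constructed, simplified registry export (not from the original entry): string
# values only, backslashes doubled as in a .reg file, mixing two legitimate
# svchost-hosted services with the two artifacts the entry describes.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\avast!antivirus]
"ImagePath"="C:\\WINDOWS\\system32\\avast!antivirus.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\TaskManager]
"Cookie"="208"
'''

def parse_reg_export(text):
    """Return {key: {value_name: data}} from the simplified export format."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # undo the .reg doubling of backslashes
                entries[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def find_cbeplay_indicators(entries):
    """Flag '-k netsvcs' services not hosted by svchost.exe, and Cookie=208."""
    findings = []
    for key, values in entries.items():
        image = values.get("ImagePath", "")
        if "\\Services\\" in key and "-k netsvcs" in image.lower():
            exe = image.split(" -k ")[0].strip('"').lower()
            if not exe.endswith("\\svchost.exe"):
                name = key.rsplit("\\", 1)[-1]
                findings.append(f"service '{name}' runs {exe} with -k netsvcs")
        if key.lower().endswith("\\currentversion\\taskmanager") and values.get("Cookie") == "208":
            findings.append(f"Cookie=208 under {key}")
    return findings

if __name__ == "__main__":
    for f in find_cbeplay_indicators(parse_reg_export(SAMPLE_REG_EXPORT)): print(f)
```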

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jun 30, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Cbeplay.C (CA)
  • Trojan.Crypt.XPACK.DEC (VirusBuster)
  • Win32/Wigon.LE (ESET)
  • Adware/MalwareDoctor (Panda)