
TrojanDownloader:Win32/Cbeplay.E


TrojanDownloader:Win32/Cbeplay.gen!E is a trojan that may upload computer operating system details to a remote web site and download and execute arbitrary files. This trojan may be distributed via spam e-mail, either directly as a password-protected zip attachment, or indirectly via a link to a remote copy of the trojan.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When run, this trojan drops a copy of itself into the Windows system folder as either 'CbEvtSvc.exe' or 'CdbgEvtSvc.exe', and registers itself to run as a service at each Windows start. The trojan makes the following registry modifications when creating its service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
or
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDBGEVTSVC

The service runs at Windows start with a Display Name of 'CbEvtSvc', with the following parameters:
"%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
or
"%SystemRoot%\System32\CdbgEvtSvc.exe -k netsvcs"
Payload
Sends Computer Information
This trojan may generate a system information report, and then upload the gathered information to a remote server, presumably for an attacker's benefit. Gathered details can include, for example, operating system version information, user name, location and others. This is done via an HTTP POST command using a script found on the remote server.
 
Remote Access Control
TrojanDownloader:Win32/Cbeplay.gen!E may send an HTTP POST request to a remote server and execute a server-side PHP script, which allows the remote attacker full control over the infected computer.
 
Downloads and Executes Arbitrary Files
This trojan may download additional files from other malicious sites. These files may include additional malware. In the wild, we have observed Cbeplay downloading variants of the Win32/Rustock family of trojans. For more information on Win32/Rustock, please see elsewhere in this encyclopedia.
 
Additional Information
We have received reports that this trojan has been distributed indirectly via a spam e-mail that masqueraded as the CNN.com Daily Top 10. Rather than linking to the CNN Top 10 stories, the links provided in the e-mail directed users to a remote copy of the trojan. In these cases the trojan may have been distributed with the following filenames:
adobe_flash.exe
scaner.exe

Symptoms

System Changes
The following system changes may indicate the presence of TrojanDownloader:Win32/Cbeplay.gen!E:
  • Presence of these files:
    %SystemRoot%\System32\CdbgEvtSvc.exe
    %SystemRoot%\System32\CbEvtSvc.exe
  • Presence of the following registry subkeys:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDBGEVTSVC
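A defender-side check, added here as an example and not part of this encyclopedia entry or of Microsoft's tooling, that reads the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and flags services matching the installation and symptom indicators above. The sample output is constructed, and the "-k group on a non-svchost binary" heuristic is an assumption of the example rather than something the entry states.

```python
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output (not real system data): a legitimate svchost-hosted netsvcs service
# next to an entry shaped like the Cbeplay service described in this entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    DisplayName    REG_SZ    Task Scheduler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    DisplayName    REG_SZ    CbEvtSvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"""

# Service names and dropped binaries the encyclopedia entry lists for Cbeplay.
KNOWN_NAMES = {"cbevtsvc", "cdbgevtsvc"}
KNOWN_BINARIES = {"cbevtsvc.exe", "cdbgevtsvc.exe"}

def parse_services(text):
    """Return {key_path: {value_name: data}} from `reg query /s` output."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = services.setdefault(line.strip(), {})
        elif current is not None and line.strip():
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # value name, type, data
                current[parts[0]] = parts[2]
    return services

def suspicious_services(text):
    """Return [(service_name, [reasons])] for entries matching the indicators."""
    findings = []
    for key, values in parse_services(text).items():
        name = key.rsplit("\\", 1)[-1].lower()
        image = values.get("ImagePath", "").strip('"')
        exe = image.split()[0].rsplit("\\", 1)[-1].lower() if image else ""
        reasons = []
        if name in KNOWN_NAMES:
            reasons.append("service name is a Cbeplay indicator")
        if exe in KNOWN_BINARIES:
            reasons.append("ImagePath is a Cbeplay dropped binary")
        # Heuristic (assumption of this example): '-k <group>' is svchost.exe's
        # hosting convention, so another binary launched that way imitates it.
        if "-k " in image.lower() and exe != "svchost.exe":
            reasons.append("non-svchost binary using svchost-style '-k' group")
        if reasons:
            findings.append((name, reasons))
    return findings
```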

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Aug 13, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan:Win32/Tibs.gen!K (Microsoft)
  • BackDoor-DNM (McAfee)