TrojanDownloader:Win32/Cbeplay.I is a trojan that downloads additional malware. It is often distributed via spam e-mail, either in an attachment or via a link to the trojan.
Cbeplay.I copies itself to <system folder>\CbEvtSvc.exe and installs itself as a service:
Service name: CbEvtSvc
Display name: CbEvtSvc
Path: <system folder>\CbEvtSvc.exe -k netsvcs
Startup type: Automatic
Downloads and Executes Arbitrary Files
After installation, Cbeplay.I waits for some time before performing an HTTP POST request to a URL such as http://x.x.x.x/ldr/client02/ldrctl.php. The information in the POST data is basic: the affected machine's operating system version, an identifying value of some kind and the trojan's internal version number. In return the trojan retrieves a list of URLs. Cbeplay.I then attempts to retrieve these URLs, save them to the Application Data directory (e.g. C:\Documents and Settings\<username>\Application Data) and execute them.
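The service details and the check-in request described above can be turned into a host and proxy-log check. The following Python is an added example, not part of the original analysis: the service-record and proxy-log formats, the sample values, and the relaxed match on the "client02" path segment are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Cbeplay.I description.
SERVICE_NAME = "cbevtsvc"
BINARY_NAME = "cbevtsvc.exe"
# The page gives /ldr/client02/ldrctl.php; allowing other client numbers is an assumption.
C2_PATH_RE = re.compile(r"/ldr/client\d+/ldrctl\.php", re.IGNORECASE)


@dataclass
class ServiceRecord:
    name: str
    display_name: str
    image_path: str   # ImagePath as stored for the service
    start_type: str


def service_indicators(svc):
    """Return the Cbeplay.I indicators a service record matches (empty list = clean)."""
    hits = []
    if svc.name.lower() == SERVICE_NAME:
        hits.append("service name CbEvtSvc")
    exe = svc.image_path.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe == BINARY_NAME:
        hits.append("binary CbEvtSvc.exe")
        # "-k netsvcs" is normal for svchost.exe; it is only suspicious on a foreign binary.
        if "-k netsvcs" in svc.image_path.lower():
            hits.append("-k netsvcs on non-svchost binary")
    return hits


def find_c2_posts(log_lines):
    """Return (client_ip, url) for POST requests whose path matches the check-in URL."""
    found = []
    for line in log_lines:
        parts = line.split()   # assumed format: timestamp client_ip method url status
        if len(parts) >= 5 and parts[2] == "POST" and C2_PATH_RE.search(parts[3]):
            found.append((parts[1], parts[3]))
    return found


SAMPLE_SERVICES = [   # constructed records, not real telemetry
    ServiceRecord("CbEvtSvc", "CbEvtSvc", r"C:\WINDOWS\system32\CbEvtSvc.exe -k netsvcs", "auto"),
    ServiceRecord("Schedule", "Task Scheduler", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "auto"),
    ServiceRecord("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe", "auto"),
]
SAMPLE_PROXY_LOG = [   # constructed lines using documentation IP ranges
    "2009-03-01T10:00:00Z 192.0.2.10 POST http://203.0.113.5/ldr/client02/ldrctl.php 200",
    "2009-03-01T10:00:01Z 192.0.2.10 GET http://www.example.com/index.html 200",
    "2009-03-01T10:00:02Z 192.0.2.11 POST http://www.example.com/login.php 302",
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(svc.name, service_indicators(svc))
    print(find_c2_posts(SAMPLE_PROXY_LOG))
```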
Cbeplay.I generally downloads three or four files. It has been observed to download variants of Win32/Srizbi, but currently it usually downloads variants of Win32/Cutwail (a spam bot), Win32/Festeal (an e-mail address harvester) and Win32/Prefsap (an FTP account password stealer).
It also often downloads malware that installs rogue security products and has been known to install Win32/Antivirusxp in this way. Recently it has downloaded a trojan called Win32/Relbma.A, which may redirect the user's browser to web sites hosting variants of the Win32/Winfixer family of rogues.
Analysis by Hamish O'Dea
The following system changes may indicate the presence of this malware: