TrojanDownloader:Win32/Cbeplay.I


TrojanDownloader:Win32/Cbeplay.I is a trojan that downloads additional malware. It is often distributed via spam e-mail, either in an attachment or via a link to the trojan.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation

Cbeplay.I copies itself to <system folder>\CbEvtSvc.exe and installs itself as a service:
  Service name: CbEvtSvc
  Display name: CbEvtSvc
  Path: <system folder>\CbEvtSvc.exe -k netsvcs
  Startup type: Automatic

Payload

Downloads and Executes Arbitrary Files
After installation, Cbeplay.I waits for some time before performing an HTTP POST request to a URL such as http://x.x.x.x/ldr/client02/ldrctl.php. The information in the POST data is basic: the affected machine's operating system version, an identifying value of some kind and the trojan's internal version number. In return the trojan retrieves a list of URLs. Cbeplay.I then attempts to retrieve these URLs, save them to the Application Data directory (e.g. C:\Documents and Settings\<username>\Application Data) and execute them.

Cbeplay.I generally downloads three or four files. It has been observed to download variants of Win32/Srizbi and Win32/Rustock, but currently it usually downloads variants of Win32/Cutwail (a spam bot), Win32/Festeal (an e-mail address harvester) and Win32/Prefsap (an FTP account password stealer).

It also often downloads malware that installs rogue security products and has been known to install Win32/Antivirusxp and Win32/FakeRean in this way. Recently it has downloaded a trojan called Win32/Relbma.A, which may redirect the user's browser to web sites hosting variants of the Win32/Winfixer family of rogues.

Analysis by Hamish O'Dea

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following service:
    Service name: CbEvtSvc
    Display name: CbEvtSvc
    Path: <system folder>\CbEvtSvc.exe -k netsvcs
    Startup type: Automatic
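The service details under Installation and Symptoms, plus the check-in URL under Payload, can be turned into host and network checks. The script below is an added example, not part of this entry or of any Microsoft tool; the service records and proxy log lines it scans are constructed here, and the log format it assumes (timestamp, client, method, URL, status) is an assumption.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Indicators taken from the entry above (service name, image name, check-in path).
SERVICE_NAME = "cbevtsvc"
IMAGE_BASENAME = "cbevtsvc.exe"
CHECKIN_PATH = "/ldr/client02/ldrctl.php"

def is_cbeplay_service(service_name: str, display_name: str, image_path: str) -> bool:
    """Match the service described under Installation and Symptoms.
    "-k netsvcs" is an ordinary svchost.exe argument and not an indicator by itself;
    the match keys on the service/display name and on the image basename, which a
    genuine netsvcs host would have as svchost.exe."""
    exe = image_path.strip().strip('"').split(" -k ")[0].strip('"')
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename == IMAGE_BASENAME:
        return True
    return SERVICE_NAME in (service_name.lower(), display_name.lower())

# Assumed proxy log shape (constructed for this example): "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\d{3}")

def find_checkin_posts(lines: Iterable[str]) -> List[str]:
    """Return clients that POSTed to the ldrctl.php check-in path, whatever the host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and urlparse(m.group("url")).path.lower() == CHECKIN_PATH:
            hits.append(m.group("client"))
    return hits

# Constructed sample data: one benign svchost-hosted service, one matching the entry.
SAMPLE_SERVICES = [
    ("Dnscache", "DNS Client", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("CbEvtSvc", "CbEvtSvc", r"C:\WINDOWS\system32\CbEvtSvc.exe -k netsvcs"),
]
SAMPLE_LOG = [
    "2008-10-07T09:00:01 10.0.0.5 GET http://www.example.com/index.html 200",
    "2008-10-07T09:00:12 10.0.0.7 POST http://192.0.2.10/ldr/client02/ldrctl.php 200",
    "2008-10-07T09:00:15 10.0.0.7 GET http://192.0.2.10/ldr/client02/ldrctl.php 200",
]

def scan_sample() -> Tuple[List[str], List[str]]:
    """Apply both checks to the constructed data."""
    flagged = [name for name, disp, path in SAMPLE_SERVICES if is_cbeplay_service(name, disp, path)]
    return flagged, find_checkin_posts(SAMPLE_LOG)  # (['CbEvtSvc'], ['10.0.0.7'])
```

On a real host the service triples would come from the SCM (for example `sc qc` output or the Services registry keys), and the GET on the same path is deliberately left unflagged because the entry describes the check-in as a POST.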

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Oct 14, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Exchanger.87040.K (AhnLab)
  • Trojan.Downloader.Exchanger.AY (BitDefender)
  • Win32/Collet.GA (CA)
  • Trojan.Downloader-56523 (Clam AV)
  • Trojan.Packed.661 (Dr.Web)
  • Win32/Agent.ETH (ESET)
  • Trojan-Downloader.Win32.Exchanger.agc (Kaspersky)
  • BackDoor-DNM (McAfee)
  • Downloader-BKH (McAfee)
  • Mal/EncPk-DA (Sophos)
  • Trojan.Erotpics (Symantec)
  • Trojan.DL.Exchanger.FA (VirusBuster)