Trojan:Win32/Chepdu.P is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected machine.
Installation
Trojan:Win32/Chepdu.P creates the following file(s) on an affected machine:
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The malware registers the file <system folder>\dq20279.dll, using the Windows utility regsvr32.exe with the /s parameter. Regsvr32.exe is a program that is used to register or unregister a COM (Component Object Model) DLL (dynamic link library). The /s parameter allows regsvr32 to run silently without displaying any messages. This action may result in the following registry modifications:
Adds value:"(default)"
With data: "d"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}
Adds value:"(default)"
With data: "c:\windows\system32\dq20279.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}\InprocServer32
Adds value:"(default)"
With data: "d.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}\ProgID
Adds value:"(default)"
With data: "d"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{888520A0-2A83-319B-920D-2512699858ED}\VersionIndependentProgID
Adds value:"(default)"
With data: "{888520a0-2a83-319b-920d-2512699858ed}"
To subkey: HKLM\SOFTWARE\Classes\D.1\CLSID
Adds value:"(default)"
With data: "{888520a0-2a83-319b-920d-2512699858ed}"
To subkey: HKLM\SOFTWARE\Classes\D\CLSID
Adds value:"IExplore"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{888520A0-2A83-319B-920D-2512699858ED}
Payload
Contacts remote host
Trojan:Win32/Chepdu.P may contact a remote host at luckby.cc using port 80. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 0d988a4099eda460a5b747b7b805f9718fc1a1fd. If you would like to comment on this analysis, please send your feedback to mmpc-amd@microsoft.com.
