TrojanDownloader:Win32/Cbeplay.A is a trojan that may upload operating system details to a remote Web site, download additional malware, and terminate debugging utilities. This trojan may have been distributed through spam e-mails, either in the form of a password-protected ZIP attachment or as a link to a malicious site hosting the trojan.
Installation
When run, this trojan drops a copy of itself into the Windows system folder as 'CbEvtSvc.exe', and registers itself to run as a service at each Windows start. The trojan adds the following registry keys when creating its service:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
The service runs at Windows start with a Display Name of 'CbEvtSvc', with the following parameters:
%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
The '-k netsvcs' argument mimics the command line of the legitimate svchost.exe service host, but the image path points to the dropped binary rather than to svchost.exe; this is a useful distinguishing feature when reviewing installed services.
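The following triage script is an added example and is not part of the original entry. It checks a host for the persistence artifacts described in the Installation section (the service, the registry keys and the dropped binary) and then generalises the '-k netsvcs' observation: it lists every service whose image path passes a '-k <group>' argument to a binary other than svchost.exe. It assumes an elevated PowerShell 4.0 or later (for Get-CimInstance and Get-FileHash); the LEGACY_* Enum keys are only created by older Windows versions, so their absence on a modern system proves nothing on its own.

```powershell
# Added triage example (not code from the original entry).
# Run in an elevated PowerShell session; PowerShell 4.0+ assumed.

$ServiceName = 'CbEvtSvc'
$DropPath    = Join-Path $env:SystemRoot "System32\$ServiceName.exe"
$RegKeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName",
    "HKLM:\SYSTEM\ControlSet001\Services\$ServiceName",
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($ServiceName.ToUpper())",
    "HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_$($ServiceName.ToUpper())"
)

function Test-CbeplayPersistence {
    $findings = @()

    # 1. Is a service with the documented name registered?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service '$ServiceName' present (status: $($svc.Status))"
    }

    # 2. Registry keys the installer creates for the service.
    #    The LEGACY_* keys exist only on older Windows versions (assumption:
    #    treat their absence as inconclusive, not as a clean result).
    foreach ($key in $RegKeys) {
        if (Test-Path $key) {
            $findings += "Registry key present: $key"
        }
    }
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path $svcKey) {
        $props = Get-ItemProperty -Path $svcKey
        $findings += "  ImagePath   = $($props.ImagePath)"
        $findings += "  DisplayName = $($props.DisplayName)"
    }

    # 3. Dropped binary: record its hash and whether it carries a valid
    #    Authenticode signature (the malware will not).
    if (Test-Path $DropPath) {
        $hash = (Get-FileHash -Path $DropPath -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $DropPath).Status
        $findings += "File present: $DropPath (SHA256 $hash, signature: $sig)"
    }

    return $findings
}

# Generalisation beyond this family: '-k <group>' is the argument svchost.exe
# uses to load a service group. A service whose ImagePath hands '-k' to any
# other binary is imitating svchost and deserves a closer look.
function Find-SvchostImpersonators {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -match '\s-k\s+\S+' -and
            $_.PathName -notmatch '\\svchost\.exe'
        } |
        Select-Object Name, DisplayName, PathName, StartMode, State
}

$results = Test-CbeplayPersistence
if ($results) {
    Write-Output "Cbeplay.A persistence indicators found:"
    $results | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No Cbeplay.A persistence indicators found."
}

Write-Output "`nServices passing '-k <group>' to a non-svchost binary:"
Find-SvchostImpersonators | Format-Table -AutoSize
```

Review the output of Find-SvchostImpersonators by hand: the heuristic is deliberately broad, and a third-party product that happens to use a '-k' switch will show up alongside a masquerading service.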
Payload
Sends Computer Information
This trojan may generate a system information report and upload it to a remote server at IP address 58.65.239.98, presumably for the attacker's benefit. The gathered details can include, for example, the operating system version and the user name.
Remote Access Control
Win32/Cbeplay.A may send an HTTP POST request to a remote server, invoking a server-side PHP script named 'ldrctl.php', which allows the remote attacker full control over the infected computer.
Downloads and Executes Arbitrary Files
This trojan may download additional files from other malicious sites.
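The following hunting script is an added example and is not part of the original entry. It applies the network indicators from the Payload section (traffic to 58.65.239.98, HTTP POST requests to ldrctl.php, and executable downloads from that IP) to web-proxy log lines, and adds a live check for current connections to that address. The log format, the sample lines and the client IPs are constructed for the example; only the server IP, the script name and the file name player.exe come from the entry. Get-NetTCPConnection is assumed to be available (Windows 8 / Server 2012 and later); on older systems use 'netstat -ano' instead.

```powershell
# Added hunting example (not code from the original entry).

$C2Host    = '58.65.239.98'   # upload / hosting IP named in the entry
$CtlScript = 'ldrctl.php'     # server-side control script named in the entry

# Constructed sample proxy log: "date time client-ip method url status".
# Only the server IP, ldrctl.php and player.exe are taken from the entry;
# the real download path in the spam link is redacted there.
$SampleLog = @'
2008-05-14 10:02:11 10.0.0.21 GET http://www.example.com/index.html 200
2008-05-14 10:02:37 10.0.0.21 POST http://58.65.239.98/ldrctl.php 200
2008-05-14 10:03:02 10.0.0.35 GET http://58.65.239.98/redacted/player.exe 200
2008-05-14 10:03:40 10.0.0.21 POST http://cdn.example.net/ldrctl.php 404
2008-05-14 10:04:05 10.0.0.48 GET http://www.example.org/news.php 200
'@

function Find-CbeplayNetworkIndicators {
    param([string[]]$Lines)

    $pattern = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+(?<status>\d{3})$'

    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }   # skip malformed lines
        $url    = $Matches['url']
        $method = $Matches['method']
        $client = $Matches['client']
        $when   = "$($Matches['date']) $($Matches['time'])"

        try { $uri = [System.Uri]$url } catch { continue }

        $reasons = @()
        if ($uri.Host -eq $C2Host) {
            $reasons += "traffic to known Cbeplay host $C2Host"
        }
        if ($method -eq 'POST' -and $uri.AbsolutePath -like "*/$CtlScript") {
            $reasons += "HTTP POST to $CtlScript (remote-control script)"
        }
        if ($uri.Host -eq $C2Host -and $uri.AbsolutePath -like '*.exe') {
            $reasons += "executable download from $C2Host (possible follow-on payload)"
        }

        if ($reasons.Count -eq 0) { continue }

        # A match on the script name alone is weaker evidence than a match on
        # the IP: ldrctl.php is not a unique name, so rank such hits lower.
        if ($uri.Host -eq $C2Host) { $confidence = 'high' } else { $confidence = 'medium' }

        [pscustomobject]@{
            Time       = $when
            Client     = $client
            Method     = $method
            Url        = $url
            Confidence = $confidence
            Reason     = ($reasons -join '; ')
        }
    }
}

# Live check on the local host for an open connection to the C2 address.
function Test-CbeplayLiveConnection {
    Get-NetTCPConnection -RemoteAddress $C2Host -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

$hits = Find-CbeplayNetworkIndicators -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize

Write-Output "`nCurrent connections to $C2Host (if any):"
Test-CbeplayLiveConnection | Format-Table -AutoSize
```

On the sample, the two requests to the C2 IP are reported at high confidence and the POST to ldrctl.php on another host at medium confidence, while the ordinary GETs are ignored. To use it against a real proxy log, replace the regex with one matching that log's field order and feed the file through Get-Content.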
Additional Information
This trojan may have been sent as an attachment to spam e-mail from an unknown, spoofed sender. The e-mail may have resembled one of the two examples shown below:
Subject: Naked Britney
Body: See new naked Britney video in attachment!
unzip it first!
The video is crazy!
Only 1 day trial - get this video now!
use password 123
Attachment: video.zip
Subject: New naked Britney video
Body: See new naked Britney video in attachment!
The video is crazy!
Only 1 day trial - get this video now!
Get it now! <h--p://58.65.239.98/*****/player.exe>
Attachment: <none>
Once extracted from the ZIP archive or downloaded from the malicious URL, the trojan carries a file icon resembling that of a self-extracting RAR archive executable, which makes it look like an ordinary compressed video file.
The trojan has anti-debug functionality: it terminates debugger processes.