TrojanDownloader:Win32/Cbeplay.B is a trojan that may upload computer operating system details to a remote web site, download additional malware, and terminate debugging utilities. This trojan may be distributed via spam e-mail, either directly as a password-protected zip attachment, or indirectly via a link to a remote copy of the trojan.
Installation
When run, this trojan drops a copy of itself into the Windows system folder as 'CbEvtSvc.exe' and registers it as a service that starts automatically at each Windows start. Registering the service produces the registry entries listed below. Both the Enum\Root\LEGACY_CBEVTSVC entries and the Services\CbEvtSvc entries are written by Windows itself (the Service Control Manager and the Plug and Play manager) whenever a service is created, so they show that a service of this name was registered rather than being values the trojan writes by hand:
Adds value: NextInstance
With data: dword:00000001
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
Adds value: Service
With data: "CbEvtSvc"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
Adds value: Legacy
With data: dword:00000001
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
Adds value: ConfigFlags
With data: dword:00000000
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
Adds value: Class
With data: "LegacyDriver"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
Adds value: ClassGUID
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
Adds value: DeviceDesc
With data: "CbEvtSvc"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
Adds value: *NewlyCreated*
With data: dword:00000000
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control
Adds value: ActiveService
With data: "CbEvtSvc"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control
Adds value: Type
With data: dword:00000010 (SERVICE_WIN32_OWN_PROCESS: the service runs in its own process)
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
Adds value: Start
With data: dword:00000002 (SERVICE_AUTO_START: started by the Service Control Manager at boot)
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
Adds value: ErrorControl
With data: dword:00000001 (SERVICE_ERROR_NORMAL)
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
Adds value: ImagePath
With data: hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,62,45,76,74,53,76,63,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00, (a REG_EXPAND_SZ value; the bytes decode to "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs")
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
Adds value: DisplayName
With data: "CbEvtSvc"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
Adds value: ObjectName
With data: "LocalSystem"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
Adds value: Security
With data: hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00, (a self-relative security descriptor with SYSTEM as owner and group; its DACL grants full control to Administrators, start/stop and query rights to SYSTEM and Power Users, and read/query rights only to Authenticated Users)
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
Adds value: 0
With data: "Root\LEGACY_CBEVTSVC\0000"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
Adds value: Count
With data: dword:00000001
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
Adds value: NextInstance
With data: dword:00000001
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
The service runs at Windows start with the display name 'CbEvtSvc' and the following command line:
'%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs'
The '-k netsvcs' argument imitates the command line of the legitimate svchost.exe service groups, but the image is the trojan's own executable, registered to run in its own process (Type 0x10) as LocalSystem; it is not a real shared service host, and a service named CbEvtSvc whose image is not svchost.exe is the host-level indicator to look for.
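As an added example (not part of the original analysis), the following Python decodes the two binary values in the listing above: the hex(2) ImagePath and the hex Security value. The security-descriptor parser is general and works for any Services\<name>\Security value exported from the registry; the well-known SID names and the service access-right constants come from the Windows SDK and are the only data not taken from the listing itself.

```python
# Added example, not part of the original analysis: decode the raw registry
# values listed for the CbEvtSvc service so the command line and the service
# security descriptor can be read. Works for any Services\<name>\Security value.
import struct

# The two REG values copied from the listing above (trailing comma dropped).
IMAGEPATH_HEX = ("25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,"
                 "43,62,45,76,74,53,76,63,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00")
SECURITY_HEX = ("01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,"
                "01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,"
                "02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,"
                "12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,"
                "20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,"
                "00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,"
                "01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00")

# Service-specific access rights from winsvc.h.
SERVICE_CHANGE_CONFIG = 0x0002
SERVICE_START = 0x0010
SERVICE_STOP = 0x0020
SERVICE_ALL_ACCESS = 0xF01FF

# Security descriptor control bits and ACE types from winnt.h.
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LocalSystem",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}


def reg_hex_to_bytes(value):
    """Turn the comma-separated byte list used by .reg exports into bytes."""
    return bytes(int(b, 16) for b in value.strip().strip(",").split(","))


def decode_expand_sz(value):
    """hex(2) in a .reg export is REG_EXPAND_SZ: a NUL-terminated string."""
    return reg_hex_to_bytes(value).rstrip(b"\x00").decode("latin-1")


def parse_sid(buf, off):
    """Parse a binary SID at offset off; return (string SID, size in bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Parse an ACL at offset off into a list of (type, flags, mask, sid)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid, _ = parse_sid(buf, pos + 8)
        aces.append((ACE_TYPES.get(ace_type, str(ace_type)), ace_flags, mask, sid))
        pos += ace_size
    return aces


def decode_security_descriptor(value):
    """Decode a self-relative SECURITY_DESCRIPTOR as stored under Services\\<name>\\Security."""
    buf = reg_hex_to_bytes(value)
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "owner": parse_sid(buf, owner)[0] if owner else None,
        "group": parse_sid(buf, group)[0] if group else None,
        "sacl": parse_acl(buf, sacl) if control & SE_SACL_PRESENT and sacl else [],
        "dacl": parse_acl(buf, dacl) if control & SE_DACL_PRESENT and dacl else [],
    }


def who_can(sd, right):
    """Names of principals whose ACCESS_ALLOWED ACE grants the given service right."""
    return [WELL_KNOWN_SIDS.get(sid, sid) for kind, _flags, mask, sid in sd["dacl"]
            if kind == "ALLOW" and mask & right]


if __name__ == "__main__":
    print("ImagePath:", decode_expand_sz(IMAGEPATH_HEX))
    sd = decode_security_descriptor(SECURITY_HEX)
    print("Owner:", WELL_KNOWN_SIDS.get(sd["owner"], sd["owner"]))
    for kind, _flags, mask, sid in sd["dacl"]:
        print("  %-5s 0x%06x %s" % (kind, mask, WELL_KNOWN_SIDS.get(sid, sid)))
    print("can stop:", who_can(sd, SERVICE_STOP))
    print("can reconfigure:", who_can(sd, SERVICE_CHANGE_CONFIG))
```

Running it shows that only Administrators hold SERVICE_CHANGE_CONFIG and that SYSTEM, Administrators and Power Users can stop the service, so disabling or deleting CbEvtSvc has to be done from an administrative context. The descriptor itself is unremarkable; the persistence indicator is the service name and image path, not the ACL.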
Payload
Sends Computer Information
Running as a service, this trojan may periodically generate a system information report and upload it to a remote server at the IP address 58.65.239.98, presumably for the attacker's benefit. Details gathered can include, for example, the operating system version and the user name. The upload is an HTTP POST to a script hosted on that server. The same IP address appears as the download site in the spam e-mail described below, so outbound HTTP from a LocalSystem service to that address is a usable network indicator.
Downloads and Executes Arbitrary Files
This trojan may also download and execute additional files from other malicious sites.
Additional Information
In the wild, this trojan has been observed being sent as an attachment to spam e-mail with a spoofed From address. The e-mail may resemble one of the following two examples; the first carries the trojan as a password-protected zip with the password given in the body, and the link in the second points to the same IP address that the trojan uses as its upload server:
Subject: Naked Britney
Body: See new naked Britney video in attachment!
unzip it first!
The video is crazy!
Only 1 day trial - get this video now!
use password 123
Attachment: video.zip
Subject: New naked Britney video
Body: See new naked Britney video in attachment!
The video is crazy!
Only 1 day trial - get this video now!
Get it now! <h--p://58.65.239.98/*****/player.exe>
Attachment: <none>
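As an added example (not part of the original analysis), the following Python builds two constructed messages shaped like the lures above and runs a mail-gateway style triage over them: it looks for an archive password stated in the body, opens zip attachments, checks the entries for PE executables (using the body password when an entry is encrypted), and flags links that point to the server named in this analysis or directly to an executable. The sender and recipient addresses, the zip contents, and the use of http:// in the link are assumptions made for the sample; the '*****' in the URL path is the elision from the analysis above, not a real path.

```python
# Added example (not from the original analysis): mail-gateway style triage of
# the lure e-mails described above. The messages are constructed here; the
# indicators (server IP, attachment name, "use password" hint) come from the page.
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from urllib.parse import urlsplit

C2_IP = "58.65.239.98"  # upload/download server named in the analysis
PASSWORD_HINT = re.compile(r"\bpassword\s*[:=]?\s*(\S+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def build_sample_message(with_attachment):
    """Construct a lure like the two examples above (addresses and payload are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # the real campaign spoofs this header
    msg["To"] = "user@example.invalid"
    if with_attachment:
        msg["Subject"] = "Naked Britney"
        msg.set_content("See new naked Britney video in attachment!\nunzip it first!\n"
                        "The video is crazy!\nOnly 1 day trial - get this video now!\n"
                        "use password 123\n")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # stand-in for the dropped trojan: a bare PE header, not a working binary
            zf.writestr("video.exe", b"MZ" + b"\x00" * 62)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="video.zip")
    else:
        msg["Subject"] = "New naked Britney video"
        msg.set_content("See new naked Britney video in attachment!\nThe video is crazy!\n"
                        "Only 1 day trial - get this video now!\n"
                        "Get it now! <http://58.65.239.98/*****/player.exe>\n")
    return msg.as_bytes()


def triage(raw):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hints = PASSWORD_HINT.findall(text)

    # Links in the body: known server and direct executable downloads.
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if parts.hostname == C2_IP:
            findings.append("link to known server %s" % C2_IP)
        if parts.path.lower().endswith(EXEC_EXT):
            findings.append("link to executable %s" % parts.path.rsplit("/", 1)[-1])

    # Zip attachments: password in the body, and what the archive contains.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append("attachment %s is not a valid zip" % name)
            continue
        if hints:
            findings.append("archive password supplied in body: %s" % hints[0])
        pwd = hints[0].encode() if hints else None
        for info in zf.infolist():
            try:
                # pwd is ignored for unencrypted entries; a wrong or missing
                # password on an encrypted entry raises RuntimeError.
                head = zf.open(info, pwd=pwd).read(2)
            except RuntimeError:
                findings.append("encrypted entry %s in %s could not be opened" % (info.filename, name))
                continue
            if head == b"MZ":
                findings.append("PE executable %s inside %s" % (info.filename, name))
    return findings


if __name__ == "__main__":
    for with_attachment in (True, False):
        print(triage(build_sample_message(with_attachment)))
```

The password-in-body check is the part worth keeping regardless of this family: a legitimate sender rarely ships an encrypted archive and its password in the same message, and the combination defeats gateway scanners that cannot open the archive, which is exactly why this campaign used it.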
Analysis by Jireh Sanico