TrojanDownloader:Win32/Cekar.gen!A is a file that may be dropped by Virus:Win32/Cekar variants. Malware detected with this name may vary in functionality, but this can include spreading via logical and removable drives, and/or downloading and executing arbitrary files.
An example of the behavior of one such file, dropped by Virus:Win32/Cekar.B and detected as TrojanDownloader:Win32/Cekar.gen!A, can be seen below.
Installation
In this example, TrojanDownloader:Win32/Cekar.gen!A is dropped by Virus:Win32/Cekar.B to %windir%\system\logogogo.exe. The registry is then modified to run this file at each Windows start:
Adds value: logogo
With data: "%windir%\system\logogogo.exe"
To subkey: HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows\CurrentVersion\Run
Win32/Cekar.A!gen may also modify numerous "Debugger" values under Image File Execution Options (IFEO), so that Windows launches its own executable whenever the named programs are run. For example:
Modifies value: Debugger
With value: "%windir%\system\logogogo.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT95.EXE
Modifies value: Debugger
With value: "%windir%\system\logogogo.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.EXE
Modifies value: Debugger
With value: "%windir%\system\logogogo.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.EXE
Spreads Via…
Logical and Removable Drives
In this instance, Win32/Cekar.A!gen spreads to logical and removable drives. The worm copies itself to available drives as 'xp.exe'. Upon copying itself to a drive, the worm creates a file named 'autorun.inf' also in the root of the drive. The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
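The following PowerShell audit is an added example, not part of this encyclopedia entry: it checks a host for the three artifacts described above (IFEO "Debugger" redirections, the "logogo" Run value, and xp.exe paired with autorun.inf in a drive root). It assumes it is run with administrative rights; the indicator strings are the ones named in the text.

```powershell
# Added example: audit a host for the persistence and spreading artifacts
# this entry describes. Indicators (logogogo.exe, the "logogo" Run value,
# xp.exe + autorun.inf) are taken from the description above.
$findings = @()

# 1. IFEO "Debugger" hijacks. Any Debugger value under these subkeys makes
#    Windows start the listed binary instead of the named program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Type    = 'IFEO Debugger'
            Where   = $_.PSChildName
            Value   = $dbg
            # Cekar points Debugger at its own dropped file; flag that explicitly.
            Suspect = ($dbg -match 'logogogo\.exe')
        }
    }
}

# 2. Run-key persistence: the entry names the value "logogo".
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
foreach ($p in $runProps.PSObject.Properties) {
    if ($p.Name -notmatch '^PS' -and ($p.Name -eq 'logogo' -or "$($p.Value)" -match 'logogogo\.exe')) {
        $findings += [pscustomobject]@{ Type = 'Run key'; Where = $p.Name; Value = $p.Value; Suspect = $true }
    }
}

# 3. Spreading artifacts: xp.exe together with autorun.inf in a drive root.
#    autorun.inf on its own is legitimate (see text), so only the pair is flagged.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $auto = Join-Path $d.Root 'autorun.inf'
    $xp   = Join-Path $d.Root 'xp.exe'
    if ((Test-Path $auto) -and (Test-Path $xp)) {
        $findings += [pscustomobject]@{ Type = 'Drive root'; Where = $d.Root; Value = $xp; Suspect = $true }
    }
}

$findings | Format-Table -AutoSize
```

Every IFEO Debugger value is listed, not only the ones matching this family, because a Debugger entry pointing at an unexpected path is worth a look regardless of the file name.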
Payload
Downloads Files
Win32/Cekar.A!gen may attempt to download files from remote Web sites.
Analysis by Patrick Nolan