| Property | Value |
| --- | --- |
| Malware name | Trojan.Dldr.Exchanger.DW |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 06BD0701D470475D32C6D98A0C685E4B |
| Static file | yes |
| Filesize | 74,752 Bytes |
| Alias names (also known as) | Sophos: Mal/EncPk-DA; McAfee: BackDoor-DNM; CA ETrust: Win32/Collet.DS |
| Side effects | Downloads malicious files; Registry modification |
| Propagation | No own spreading routine |
Description:
Files
It copies itself to the following location:
• %SYSDIR%\CbEvtSvc.exe
It tries to download some files:
– The location is the following:
• http://78.109.19.50/12**********.exe
It is saved on the local hard drive under C:\Documents and Settings\LocalService\Application Data\633968421.exe and is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: Trojan.Dldr.Small.aafu
– The location is the following:
• http://78.109.19.50/**********.exe
It is saved on the local hard drive under C:\Documents and Settings\LocalService\Application Data\728739263.exe and is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as:
Note that both downloads are written to the profile of the LocalService service account rather than to the profile of the logged-on user, so a sweep limited to interactive user profiles will not find them.
Registry
The following registry keys are added so that the malware copy is started as a Windows service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
• "Type"=dword:00000010 (SERVICE_WIN32_OWN_PROCESS)
• "Start"=dword:00000002 (SERVICE_AUTO_START, launched by the service control manager at boot without any user logging on)
• "ErrorControl"=dword:00000001 (SERVICE_ERROR_NORMAL)
• "ImagePath"=%paths to malware copies% (the copy at %SYSDIR%\CbEvtSvc.exe listed above)
• "DisplayName"="CbEvtSvc"
• "ObjectName"="LocalSystem" (the service runs with LocalSystem privileges)
– [HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum]
• "0"="Root\\LEGACY_CBEVTSVC\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
The Enum subkey is written by Windows when a service is first started, so its presence on a host indicates that the service has run at least once, not merely that the key was installed.
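The indicators from the Files and Registry sections above can be checked offline from artifacts collected on a suspect host. The following Python script is an added example; it is not part of Avira's description and not code from the sample. It parses a .reg export of the CbEvtSvc service key (the sample export embedded in the script is constructed from the values listed on this page, with %SYSDIR% assumed to be C:\WINDOWS\system32), reports which of the service and Enum indicators hold, and matches collected file paths against the drop location in the LocalService profile. The function names and the sample directory listing are my own.

```python
"""Offline triage for the Trojan.Dldr.Exchanger.DW indicators on this page.
Added example, not Avira's code. Input is a .reg export of the service key
(as written by reg.exe export) and file paths collected from the host."""
import re

SERVICE_NAME = "CbEvtSvc"
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVC_WIN32_OWN_PROCESS = 0x10   # "Type"=dword:00000010
SVC_AUTO_START = 0x2           # "Start"=dword:00000002

# Constructed .reg export mirroring the Registry section. %SYSDIR% is assumed
# to be C:\WINDOWS\system32; the page itself only gives a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\CbEvtSvc.exe"
"DisplayName"="CbEvtSvc"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum]
"0"="Root\\LEGACY_CBEVTSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
'''

# Constructed directory listing; the first two are the drop names given above.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\LocalService\Application Data\633968421.exe",
    r"C:\Documents and Settings\LocalService\Application Data\728739263.exe",
    r"C:\Documents and Settings\Administrator\Application Data\notes.txt",
]

_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    dword values become int, quoted strings are unescaped, others stay raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:   # header, blank, or unknown line
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        raw = m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = raw
    return keys


def service_findings(keys, service=SERVICE_NAME):
    """Return the Registry-section indicators that hold for `service`."""
    base = SERVICES_ROOT + "\\" + service
    svc = keys.get(base)
    if svc is None:
        return []
    findings = []
    if svc.get("Type") == SVC_WIN32_OWN_PROCESS and svc.get("Start") == SVC_AUTO_START:
        findings.append("auto-start own-process service")
    if str(svc.get("ObjectName", "")).lower() == "localsystem":
        findings.append("runs as LocalSystem")
    image = str(svc.get("ImagePath", ""))
    if re.search(r"\\system32\\" + re.escape(service) + r"\.exe$", image, re.I):
        findings.append("ImagePath is the copy in %SYSDIR%")
    # Windows writes the Enum subkey when the service is first started.
    enum = keys.get(base + r"\Enum", {})
    if str(enum.get("0", "")).upper().startswith("ROOT\\LEGACY_" + service.upper()):
        findings.append("Enum subkey present: service has been started")
    return findings


def is_dropped_payload(path):
    """Match the drop location: digits-only .exe in the LocalService profile."""
    pat = (r"^(?:[A-Za-z]:)?\\Documents and Settings\\LocalService"
           r"\\Application Data\\\d+\.exe$")
    return re.match(pat, path, re.I) is not None


if __name__ == "__main__":
    for finding in service_findings(parse_reg(SAMPLE_REG)):
        print("[!] " + finding)
    for path in SAMPLE_LISTING:
        if is_dropped_payload(path):
            print("[!] dropped payload: " + path)
```

On a live host the same export is obtained with reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc, and the listing with a directory walk of the LocalService profile; the script deliberately keys the drop-location check on the numeric file name and the service-account profile rather than on the two specific names seen here, since the downloader chooses a fresh number per download.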
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: To hinder detection and reduce the file size it is packed with a runtime packer.