Win32/Chepdu [Threat Name]

Win32/Chepdu.AC [Threat Variant Name]

Category trojan
Size 241664 B
Aliases Trojan-Downloader.Win32.Banload.atdp (Kaspersky)
  Trojan:Win32/Chepdu.P (Microsoft)
  PWS-Banker!fss.trojan (McAfee)
Short description

Win32/Chepdu.AC is a trojan which tries to promote certain web sites. The trojan is probably a part of other malware.

Installation

When executed, the trojan creates the following files:

  • %system%\ctfmon_wc.exe (11264 B, Win32/BHO.NOU)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
    • "Debugger" = "%system%\ctfmon_wc.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
    • "IExplore" = 1
  • [HKEY_CLASSES_ROOT\D.1]
    • "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\D.1\CLSID]
    • "(Default)" = "{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}"
  • [HKEY_CLASSES_ROOT\D\CLSID]
    • "(Default)" = "{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}"
  • [HKEY_CLASSES_ROOT\D]
    • "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
    • "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\VersionIndependentProgID]
    • "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\InprocServer32]
    • "(Default)" = %malwarepath(*.dll)%
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0]
    • "(Default)" = "LIB"
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\0\win32]
    • "(Default)" = %malwarepath(*.dll)%
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\HELPDIR]
    • "(Default)" = %malwarefolder(*.dll)%
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}]
    • "(Default)" = "IDOMPeek"
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\TypeLib]
    • "(Default)" = "{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}"
    • "Version" = "1.0"
  • [HKEY_CURRENT_USER\SOFTWARE\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
    • "XML2t" = %random%

The %random% represents a random number.
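The two persistence points above (an Image File Execution Options "Debugger" value that redirects every launch of ctfmon.exe to the dropped ctfmon_wc.exe, and a Browser Helper Object registration that loads the malware DLL into Internet Explorer) are both ordinary registry keys, so they can be audited without any vendor tooling. The PowerShell below is an added example and is not part of the ESET write-up; the CLSID, TypeLib GUID and file name come from the page, while the function names, the assumption that %system% resolves to %SystemRoot%\System32, and the output format are this example's own. It lists every IFEO Debugger entry and every BHO on the host (not just this variant's), flagging the ones that match the indicators on the page.

```powershell
# Added example (not ESET's code): audit the IFEO and BHO persistence points
# used by Win32/Chepdu.AC. Run from an elevated PowerShell prompt.

$ChepduBhoClsid = '{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}'   # from the write-up
$ChepduTypeLib  = '{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}'   # from the write-up
$ChepduDebugger = 'ctfmon_wc.exe'                            # from the write-up

function Get-IfeoDebuggerEntries {
    # Any IFEO subkey carrying a "Debugger" value replaces the named image with
    # the debugger path at process start; legitimate entries are rare on
    # workstations, so every hit deserves a look, not only the Chepdu one.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Suspect  = ($dbg -like "*$ChepduDebugger*")
            }
        }
    }
}

function Get-BhoRegistrations {
    # Each BHO CLSID is resolved to the DLL its InprocServer32 key points at,
    # so an unfamiliar DLL path stands out alongside the known-bad CLSID.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid   = $clsid
            Dll     = $server
            Suspect = ($clsid -eq $ChepduBhoClsid)
        }
    }
}

function Test-ChepduMarkers {
    # Direct indicators from the write-up: the per-user key named after the
    # BHO CLSID, the COM and TypeLib registrations, and the dropped debugger
    # binary (assuming %system% is %SystemRoot%\System32).
    $paths = @(
        "HKCU:\SOFTWARE\$ChepduBhoClsid",
        "Registry::HKEY_CLASSES_ROOT\CLSID\$ChepduBhoClsid",
        "Registry::HKEY_CLASSES_ROOT\TypeLib\$ChepduTypeLib",
        (Join-Path $env:SystemRoot "System32\$ChepduDebugger")
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

Get-IfeoDebuggerEntries | Format-Table -AutoSize
Get-BhoRegistrations    | Format-Table -AutoSize
Test-ChepduMarkers      | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit components also register under HKLM\SOFTWARE\WOW6432Node (both the IFEO and the Browser Helper Objects key have a mirror there), so a complete audit repeats the two enumerations against those paths. A clean result from this script only says the indicators on this page are absent; the write-up notes the trojan is probably dropped by other malware, so an IFEO or BHO hit should trigger a wider look at the host rather than removal of these keys alone.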

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address

The trojan collects the following information:

  • a list of recently visited URLs

The trojan can send the information to a remote machine.

The trojan can redirect results of online search engines to web sites that contain adware.


The trojan opens the following URLs in Internet Explorer:

  • http://xmlwindataweb.net/

The trojan may create the following files:

  • %programfiles%\KB%random%.exe

A string with variable content is used instead of %random%.
