Short description
Win32/Chepdu.AC is a trojan that tries to promote certain web sites. The trojan is probably a part of other malware.
Installation
When executed, the trojan creates the following files:
- %system%\ctfmon_wc.exe (11264 B, Win32/BHO.NOU)
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger" = "%system%\ctfmon_wc.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
"IExplore" = 1
- [HKEY_CLASSES_ROOT\D.1]
"(Default)" = "D"
- [HKEY_CLASSES_ROOT\D.1\CLSID]
"(Default)" = "{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}"
- [HKEY_CLASSES_ROOT\D\CLSID]
"(Default)" = "{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}"
- [HKEY_CLASSES_ROOT\D]
"(Default)" = "D"
- [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
"(Default)" = "D"
- [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\VersionIndependentProgID]
"(Default)" = "D"
- [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\InprocServer32]
"(Default)" = %malwarepath(*.dll)%
"ThreadingModel" = "Apartment"
- [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0]
"(Default)" = "LIB"
- [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\FLAGS]
"(Default)" = "0"
- [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\0\win32]
"(Default)" = %malwarepath(*.dll)%
- [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\HELPDIR]
"(Default)" = %malwarefolder(*.dll)%
- [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}]
"(Default)" = "IDOMPeek"
- [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\TypeLib]
"(Default)" = "{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}"
"Version" = "1.0"
- [HKEY_CURRENT_USER\SOFTWARE\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
"XML2t" = %random%
The %random% represents a random number.
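As an added example (not part of this description), a PowerShell check that looks for the persistence artifacts listed above: the Image File Execution Options "Debugger" hijack of ctfmon.exe, the Browser Helper Object registered under CLSID {B7C72896-62EA-3CA3-826A-3BB47D98CC8F}, and the per-user marker key. The extra sweep of other BHOs whose server DLL lives outside the Windows directory is an assumption added for analyst review, not an indicator from this page.

```powershell
# Added detection example for Win32/Chepdu.AC artifacts. Run from an elevated prompt.
$findings = @()

# 1. IFEO "Debugger" value on ctfmon.exe. A clean system normally has no such
#    value; any Debugger entry here redirects every launch of ctfmon.exe.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Key = $ifeo; Value = $dbg }
    }
}

# 2. The BHO CLSID from the description, plus (assumption) any other BHO whose
#    InprocServer32 DLL is outside %SystemRoot%, listed for manual review.
$knownClsid = '{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}'
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($bho in Get-ChildItem -Path $bhoRoot) {
        $clsid  = $bho.PSChildName
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        if ($clsid -ieq $knownClsid) {
            $findings += [pscustomobject]@{ Check = 'Known BHO CLSID'; Key = $clsid; Value = $server }
        } elseif ($server -and $server -notlike "$env:SystemRoot\*") {
            $findings += [pscustomobject]@{ Check = 'BHO outside SystemRoot (review)'; Key = $clsid; Value = $server }
        }
    }
}

# 3. Per-user marker key written by the trojan ("XML2t" holds a random value).
$marker = "HKCU:\SOFTWARE\$knownClsid"
if (Test-Path $marker) {
    $val = (Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue).XML2t
    $findings += [pscustomobject]@{ Check = 'HKCU marker'; Key = $marker; Value = $val }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Chepdu.AC indicators found.' }
```

The dropped file %system%\ctfmon_wc.exe should be checked alongside these keys, since removing only the Debugger value leaves the binary in place.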
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- open a specific URL address
The trojan collects the following information:
- a list of recently visited URLs
The trojan can send the information to a remote machine.
The trojan can redirect results of online search engines to web sites that contain adware.
The trojan opens the following URLs in Internet Explorer:
- http://xmlwindataweb.net/
The trojan may create the following files:
- %programfiles%\KB%random%.exe
A string with variable content is used instead of %random%.