Threat Encyclopedia

Win32/Chepdu.AC

Aliases: Trojan-Downloader.Win32.Banload.atdp (Kaspersky), Trojan:Win32/Chepdu.P (Microsoft), PWS-Banker!fss trojan (McAfee)
Type of infiltration: Trojan
Size: 241664 B
Affected platforms: Microsoft Windows
Signature database version: 4988 (20100331)

Short description

Win32/Chepdu.AC is a trojan which tries to promote certain web sites. The trojan is probably a part of other malware.

Installation

When executed, the trojan creates the following files:
  • %system%\ctfmon_wc.exe (11264 B, Win32/BHO.NOU)
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
    "Debugger" = "%system%\ctfmon_wc.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
    "IExplore" = 1
  • [HKEY_CLASSES_ROOT\D.1]
    "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\D.1\CLSID]
    "(Default)" = "{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}"
  • [HKEY_CLASSES_ROOT\D\CLSID]
    "(Default)" = "{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}"
  • [HKEY_CLASSES_ROOT\D]
    "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
    "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\VersionIndependentProgID]
    "(Default)" = "D"
  • [HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\InprocServer32]
    "(Default)" = %malwarepath(*.dll)%
    "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0]
    "(Default)" = "LIB"
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\FLAGS]
    "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\win32]
    "(Default)" = %malwarepath(*.dll)%
  • [HKEY_CLASSES_ROOT\TypeLib\{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}\1.0\HELPDIR]
    "(Default)" = %malwarefolder(*.dll)%
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}]
    "(Default)" = "IDOMPeek"
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\ProxyStubClsid]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\ProxyStubClsid32]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{8A93E9A0-7BBE-3C92-BCE5-7552EB30168C}\TypeLib]
    "(Default)" = "{D1F3663F-D08B-3A8A-AEAB-B2D18027993C}"
    "Version" = "1.0"
  • [HKEY_CURRENT_USER\SOFTWARE\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
    "XML2t" = %random%
The %random% represents a random number.
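The two persistence hooks above are the ones worth auditing on a suspect host: an Image File Execution Options "Debugger" value makes Windows start the named program whenever the original executable (here ctfmon.exe) is launched, and a Browser Helper Objects CLSID is loaded into every Internet Explorer process. The following Python audit, added here as an example and not part of the ESET entry, parses a .reg export and reports both; the export text is constructed (the CLSID is the one from this entry, the file paths and the notepad.exe entry are made up).

```python
from typing import Dict, List, Tuple

# Constructed excerpt of a Windows .reg export (not a real capture). The ctfmon.exe
# IFEO hook and the BHO CLSID mirror the entry above; the file paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="C:\\Windows\\system32\\ctfmon_wc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}]
"IExplore"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{B7C72896-62EA-3CA3-826A-3BB47D98CC8F}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\d.dll"
"ThreadingModel"="Apartment"
"""

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
BHO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: value}}; quoted strings are unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = raw.strip('"').replace("\\\\", "\\") if raw.startswith('"') else raw
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Report every IFEO Debugger hook and every BHO together with the DLL it loads."""
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() == IFEO.lower() and "Debugger" in values:
            # Any Debugger value deserves review; legitimate ones are rare outside developer machines.
            findings.append(("IFEO_DEBUGGER", leaf, values["Debugger"]))
        elif parent.lower() == BHO.lower():
            # Resolve the CLSID to the in-process server DLL that IE will load.
            server = by_lower.get(f"hkey_classes_root\\clsid\\{leaf.lower()}\\inprocserver32", {})
            findings.append(("BHO", leaf, server.get("(Default)", "<no InprocServer32>")))
    return findings
```

On a live system the same function can be fed the output of `reg export` for the IFEO, BHO and HKCR\CLSID keys; note that `reg export` writes UTF-16, so open the file with encoding="utf-16".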

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
The trojan collects the following information:
  • a list of recently visited URLs
The trojan can send the information to a remote machine.

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan opens the following URLs in Internet Explorer:
  • http://xmlwindataweb.net/
The trojan may create the following files:
  • %programfiles%\KB%random%.exe
A string with variable content is used instead of %random%.