BitDefender Antivirus

Trojan.Downloader.Exchanger.A

(TR/Crypt.FKM.Gen, Trojan Dialer.gen14)
Propagation: medium
Damage: high
Size: 41472
Detected: 2008 Feb 04

SYMPTOMS:

The existence of the file CbEvtSvc.exe in the system directory (usually C:\Windows\System32).
The existence of the file symavc32.sys in the drivers directory (usually C:\Windows\System32\Drivers).

TECHNICAL DESCRIPTION:

This malware spreads by tricking users into clicking on links and executing the applications downloaded from those links. The link arrives in unsolicited bulk e-mails (SPAM) which promise explicit videos of celebrities. Currently two such e-mails have been observed:
  • New naked Britney video
  • Paris Hilton New Video Auditioning Topless
The links included in these e-mails use an open redirect from Google to mask the true destination. This means that when the user inspects the link, she will see a link to Google (which she will probably trust); however, Google in turn redirects to the site specified as a parameter in the URL. (It seems that Google uses these types of URLs to redirect users who click on advertisements served up by Google's AdSense program; however, insufficient parameter validation means that malware authors can modify the URL and use it to redirect users to arbitrary sites.)
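A mail-filtering check for the masking technique described above, written as an added example (it is not BitDefender's code). It flags a link whose host is a trusted redirector but whose query parameters carry an absolute URL to some other host; the parameter name `url` and the host `example.invalid` in the constructed samples are assumptions, since the advisory does not name Google's redirect parameter or the real destination.

```python
from urllib.parse import urlparse, parse_qs

# Hosts whose links users tend to trust on sight; the advisory names Google only.
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}


def embedded_redirect_targets(link):
    """Return the hosts of any absolute http(s) URLs carried as query-parameter
    values of `link`, i.e. the places an open redirect could send the user.
    parse_qs already percent-decodes the values, so %3A%2F%2F becomes ://."""
    parsed = urlparse(link)
    targets = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                targets.append(inner.netloc.lower())
    return targets


def is_masked_redirect(link):
    """True when a link to a known redirector host carries an absolute URL
    to a different host in its parameters, as in the spam described above."""
    host = urlparse(link).netloc.lower()
    if host not in REDIRECTOR_HOSTS:
        return False
    return any(target not in REDIRECTOR_HOSTS
               for target in embedded_redirect_targets(link))


# Constructed sample links (parameter name and destination host are made up).
SAMPLES = {
    "http://www.google.com/url?url=http%3A%2F%2Fexample.invalid%2Fvideo.exe": True,
    "http://www.google.com/search?q=britney+video": False,
    "http://example.invalid/video.exe": False,
}


def check_samples():
    """Run the constructed samples; returns True when every verdict matches."""
    return all(is_masked_redirect(link) == expected
               for link, expected in SAMPLES.items())


if __name__ == "__main__":
    for link, expected in SAMPLES.items():
        print(is_masked_redirect(link), expected, link)
```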

Once installed, the malware copies itself to the system directory (C:\Windows\System32 on a default Windows XP installation) under the name CbEvtSvc.exe and registers itself as a system service. After installation it contacts the original server over an encrypted SSL connection and requests a list of files to download. Currently it downloads two additional files:
  • A version of the Srizbi trojan (detected as Trojan.Srizbi.AS) which contains a kernel mode driver with rootkit and spamming functionality
  • A trojan (detected as Generic.Mydoom.7C3714C0) which scans the infected machine's hard drive for e-mail addresses and sends them back to a central server

Removal instructions:

Please let BitDefender delete the infected files.

ANALYZED BY:

Attila-Mihaly Balazs, virus researcher