Virus: TR/Dldr.Exchanger.OQ
Date discovered: 18/08/2008
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 72.704 Bytes
MD5 checksum: 598e57c048f4ee0e550aa66324a410c4
IVDF version: 7.00.06.28 - Mon, 18 Aug 2008 12:45 (GMT+1)

General
Method of propagation:
• No own spreading routine

Aliases:
• Mcafee: BackDoor-DNM trojan
• Kaspersky: Trojan-Downloader.Win32.Exchanger.oq
• F-Secure: Backdoor:W32/Hupigon.OEA
• Panda: Trj/Dropper.WW
• Grisoft: I-Worm/Nuwar.W
• VirusBuster: Trojan.Agent.DVUQ
• Eset: a variant of Win32/Agent.ETH trojan

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\CdbgEvtSvc.exe

It tries to download some files:
– The location is the following:
  • http://vca.cl/scan**********.exe
  It is saved on the local hard drive under: C:\Documents and Settings\LocalService\Application Data\641767680.exe
  Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Fakealert.aah.3
– The location is the following:
  • http://vca.cl/in_**********.exe
  It is saved on the local hard drive under: C:\Documents and Settings\LocalService\Application Data\664313440.exe
  Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen
– The location is the following:
  • http://vca.cl/pre**********.exe
  It is saved on the local hard drive under: C:\Documents and Settings\LocalService\Application Data\607883503.exe
  Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc]
  • "Type"=dword:00000010
  • "Start"=dword:00000002
  • "ErrorControl"=dword:00000001
  • "ImagePath"=
  • "DisplayName"="CdbgEvtSvc"
  • "ObjectName"="LocalSystem"
– [HKLM\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc\Security]
  • "Security"=%hex number%
– [HKLM\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc\Enum]
  • "0"="Root\\LEGACY_CDBGEVTSVC\\0000"
  • "Count"=dword:00000001
  • "NextInstance"=dword:00000001

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hamper detection and reduce the size of the file it is packed with a runtime packer. See a brief description here.

Description inserted by Andreas Feuerstein on Tue, 19 Aug 2008 14:04 (GMT+1)
Description updated by Andreas Feuerstein on Tue, 19 Aug 2008 15:09 (GMT+1)
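The registry values above describe a standard Windows service installation used for persistence: "Start"=dword:00000002 is SERVICE_AUTO_START (the service is launched by the service control manager at boot, without any user logon), "Type"=dword:00000010 is SERVICE_WIN32_OWN_PROCESS, "ObjectName"="LocalSystem" makes it run with the highest local privilege, and the Enum subkey with its Root\LEGACY_CDBGEVTSVC node is a trace Windows leaves once such a service has actually been started. The following script is an added example, not Avira's code: it parses a registry export in .reg format and reports which of the page's indicators are present. The sample export is constructed for the example; the ImagePath value in it (the page leaves that value blank) and the benign Spooler entry are assumptions.

```python
"""Flag the CdbgEvtSvc service persistence indicators in a .reg export.

Added example, not Avira's code. Works offline on exported text so it can be
run against a .reg file taken from an offline hive or a suspect machine.
"""
import re

# Constructed sample export. The ImagePath below is an assumption (the page
# shows the value as empty); the Spooler key is a benign decoy for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,43,00,64,00,62,00,\
  67,00,45,00,76,00,74,00,53,00,76,00,63,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="CdbgEvtSvc"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CdbgEvtSvc\Enum]
"0"="Root\\LEGACY_CDBGEVTSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
"ObjectName"="LocalSystem"
"""

# Key path compared case-insensitively (the registry itself is case-insensitive).
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDBGEVTSVC"
SERVICE_AUTO_START = 2          # Start=dword:00000002
SERVICE_WIN32_OWN_PROCESS = 0x10  # Type=dword:00000010


def decode_value(raw):
    """Turn a .reg value literal into a Python value (string, int or raw text)."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes backslashes and quotes inside strings
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ exported as comma-separated UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other binary types are left as the exported text


def parse_reg(text):
    """Parse .reg text into {KEY_PATH_UPPER: {value_name: value}}."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line  # continuation line
        else:
            joined.append(line)
    keys, current = {}, None
    for line in joined:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def find_indicators(keys):
    """Return human-readable findings for the CdbgEvtSvc persistence indicators."""
    findings = []
    svc = keys.get(SERVICE_KEY)
    if svc is None:
        return findings
    findings.append("service key present: " + SERVICE_KEY)
    if svc.get("Start") == SERVICE_AUTO_START:
        findings.append("Start=2 (SERVICE_AUTO_START): runs at boot without a logon")
    if svc.get("Type") == SERVICE_WIN32_OWN_PROCESS:
        findings.append("Type=0x10 (SERVICE_WIN32_OWN_PROCESS)")
    if str(svc.get("ObjectName", "")).lower() == "localsystem":
        findings.append("ObjectName=LocalSystem: runs with full local privilege")
    image = str(svc.get("ImagePath", ""))
    if image.lower().endswith("\\cdbgevtsvc.exe"):
        findings.append("ImagePath points at CdbgEvtSvc.exe: " + image)
    enum = keys.get(SERVICE_KEY + "\\ENUM", {})
    if any(str(v).upper().startswith("ROOT\\LEGACY_CDBGEVTSVC") for v in enum.values()):
        findings.append("Enum subkey shows Root\\LEGACY_CDBGEVTSVC: service has been started")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```

On a real machine the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (or from an offline hive converted to .reg), and the script is a triage aid only: the absence of the key says nothing about the downloaded payloads listed under Files, which have their own detections.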