Trojan-Downloader:W32/Exchanger

Name: Trojan-Downloader:W32/Exchanger
Detection Names: Trojan-Downloader:W32/Exchanger, Trojan-Downloader.Win32.Exchanger
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary

Trojan-Downloader:W32/Exchanger variants download additional malicious software onto the infected system.

Disinfection

To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps:

  •  Open the Windows Task Manager by pressing the Ctrl + Alt + Delete keys and clicking the Task Manager button.
  •  From the list of running processes, find CbEvtSvc.exe and then click the End Process button.
  •  You may close the Task Manager once the malicious process is terminated.
  •  From the Windows Start Menu, select Run, type regedit into the "Open:" field and then click OK.
  •  From the Registry Editor, locate and delete the following keys if present:
    •  HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    •  HKLM\SYSTEM\ControlSet001\Services\CbEvtSvc
    •  HKLM\SYSTEM\ControlSet002\Services\CbEvtSvc
    Note: HKLM stands for HKEY_LOCAL_MACHINE.
  •  Delete the file called CbEvtSvc.exe located in the C:\WINDOWS\system32\ folder.

Details


File System Changes
Creates these files:

  •  %windir%\system32\CbEvtSvc.exe



Process Changes
Creates these processes:

  •  %windir%\system32\CbEvtSvc.exe



Registry Modifications
Sets these values:

  •  HKLM\System\CurrentControlSet\Services\CbEvtSvc
    Type = 00000010
    Start = 00000002
    ErrorControl = 00000001
    ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
    DisplayName = CbEvtSvc
    ObjectName = LocalSystem
    Opt =
  •  HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security
    Security = \x01\x00\x14\x80\x90\[...]


Creates these keys:

  •  HKLM\System\CurrentControlSet\Services\CbEvtSvc
  •  HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security
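The service values listed above can be turned into a check. The following Python example is added here and is not code from the original description: it parses a constructed .reg-style export of the Services key (values taken from this page, plus a benign W32Time entry for contrast) and flags entries with the Exchanger traits: a standalone executable registered with svchost's "-k <group>" argument, the CbEvtSvc name, and automatic start.

```python
import re
# Constructed .reg-style export built from the values on this page, plus a benign
# svchost-hosted service for contrast (REG_EXPAND_SZ shown as plain strings).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\CbEvtSvc.exe -k netsvcs"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Type"=dword:00000020
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k LocalService"
"""
SERVICE_AUTO_START = 2          # Start = 2, as listed on the page
KNOWN_BAD_NAMES = {"cbevtsvc"}  # service and file name reported on the page
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', re.I)

def parse_services(reg_text):
    """Return {service_name: {value_name: value}}; subkeys such as \\Security are skipped."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, dword, text = m.groups()
            current[name] = int(dword, 16) if dword else text.replace("\\\\", "\\")
    return services

def assess_service(name, values):
    """List the traits that make a service entry resemble the Exchanger one."""
    findings = []
    parts = values.get("ImagePath", "").lower().split()
    exe = parts[0].rsplit("\\", 1)[-1] if parts else ""
    if "-k" in parts and exe != "svchost.exe":   # '-k <group>' is svchost.exe syntax
        findings.append("svchost-style '-k <group>' argument on a standalone binary")
    if exe.rsplit(".", 1)[0] in KNOWN_BAD_NAMES or name.lower() in KNOWN_BAD_NAMES:
        findings.append("known Exchanger service/file name")
    if findings and values.get("Start") == SERVICE_AUTO_START:
        findings.append("auto-start, so it is relaunched at every boot")
    return findings

def scan(reg_text):
    return {n: f for n, v in parse_services(reg_text).items() if (f := assess_service(n, v))}
```

On a live system the same logic applies to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` after the string encoding is normalised.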


Additional Details

Once the trojan is executed, it copies itself into the "system32" folder and starts itself from there as a service.

The trojan also creates Windows registry entries to ensure that it is started every time the computer is started.

Once running, Exchanger variants will attempt to contact a remote server in order to relay information about the infected machine. The server will reply with a list of URLs that point to malicious files to be downloaded.