Threat Description

Trojan-Downloader:W32/Exchanger

Details

Aliases: Trojan-Downloader:W32/Exchanger, Trojan-Downloader.Win32.Exchanger
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary



Trojan-Downloader:W32/Exchanger variants download additional malicious software onto the infected system.



Removal



To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps. The trojan runs as a Windows service under the LocalSystem account, so the steps below require an account with administrator rights.

  • Open the Windows Task Manager by pressing Ctrl + Alt + Delete and clicking the Task Manager button.
  • From the list of running processes, select CbEvtSvc.exe and click End Process.
  • Close the Task Manager once the malicious process has been terminated.
  • From the Windows Start Menu, select Run, type regedit into the "Open:" field and click OK.
  • In the Registry Editor, locate and delete the following keys if present:
    • HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    • HKLM\SYSTEM\ControlSet001\Services\CbEvtSvc
    • HKLM\SYSTEM\ControlSet002\Services\CbEvtSvc
    Note: HKLM equals HKEY_LOCAL_MACHINE. Delete the key from every ControlSetNNN present, not only CurrentControlSet, otherwise the service can be restored from a backup control set at the next boot.
  • Delete the file CbEvtSvc.exe from the C:\WINDOWS\system32\ folder. If Windows reports that the file is in use, the service process is still running; terminate it first or restart the computer and delete the file before the service has a chance to start.
  • Restart the computer and confirm that CbEvtSvc.exe is not running and that the registry keys have not been recreated.


Technical Details



Once the trojan is executed it copies itself into the "system32" folder as CbEvtSvc.exe and starts itself from there as a Windows service. The trojan creates the registry entries of an own-process, automatically started service running as LocalSystem (see Registry Modifications below) so that it is started every time the computer is started; the "-k netsvcs" argument in its ImagePath mimics the command line used by the legitimate svchost.exe service groups, although the image actually launched is the trojan's own executable.

Once running, Exchanger variants attempt to contact a remote server in order to relay information about the infected machine. The server replies with a list of URLs that point to malicious files, which the trojan then downloads and executes.

File System Changes

Creates these files:

  • %windir%\system32\CbEvtSvc.exe

Process Changes

Creates these processes:

  • %windir%\system32\CbEvtSvc.exe

Registry Modifications

Sets these values:

  • HKLM\System\CurrentControlSet\Services\CbEvtSvc
    • Type = 00000010 (SERVICE_WIN32_OWN_PROCESS)
    • Start = 00000002 (SERVICE_AUTO_START)
    • ErrorControl = 00000001 (SERVICE_ERROR_NORMAL)
    • ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
    • DisplayName = CbEvtSvc
    • ObjectName = LocalSystem
    • Opt = (empty)
  • HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security
    • Security = \x01\x00\x14\x80\x90\[...]

Creates these keys:

  • HKLM\System\CurrentControlSet\Services\CbEvtSvc
  • HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security
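The following PowerShell script is an added example and is not part of the original F-Secure description or an F-Secure tool. It turns the indicators in the Removal and Technical Details sections above into a triage check that an administrator can run on a suspect host, and, with the hypothetical -Remove switch defined in the script, performs the manual removal steps in a safe order (stop the service before touching the file, clean every control set, quarantine rather than delete the sample). It assumes an elevated PowerShell session, the service and file names given on this page, and a quarantine directory under %ProgramData% that is this example's own choice.

```powershell
# Added example, not from the original page: triage / removal helper for the
# Trojan-Downloader:W32/Exchanger indicators (service "CbEvtSvc", file
# %windir%\system32\CbEvtSvc.exe). Run from an elevated PowerShell session.
#   .\Find-Exchanger.ps1          # report indicators only
#   .\Find-Exchanger.ps1 -Remove  # report, then stop/delete service, keys and file
[CmdletBinding()]
param(
    [switch]$Remove   # hypothetical switch defined here, not an F-Secure option
)

$ServiceName = 'CbEvtSvc'
$ImageFile   = Join-Path $env:windir 'system32\CbEvtSvc.exe'

# Service keys from the Removal section, extended to every ControlSetNNN present,
# so a backup control set cannot bring the service back after a reboot.
$ServiceKeys = @("HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName") +
    @(Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object { "HKLM:\SYSTEM\$($_.PSChildName)\Services\$ServiceName" })

$Findings = @()

# 1. Process change listed on the page: CbEvtSvc.exe running.
$proc = Get-Process -Name $ServiceName -ErrorAction SilentlyContinue
if ($proc) { $Findings += "process: CbEvtSvc.exe running (PID $($proc.Id -join ','))" }

# 2. File system change: the dropped executable. Record its hash for later submission.
if (Test-Path -LiteralPath $ImageFile) {
    $hash = (Get-FileHash -LiteralPath $ImageFile -Algorithm SHA256).Hash
    $Findings += "file: $ImageFile present (SHA256 $hash)"
}

# 3. Registry modifications: the service key in each control set, compared with the
#    values the page records (ImagePath pointing at CbEvtSvc.exe, auto-start, LocalSystem).
foreach ($key in $ServiceKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $detail = "ImagePath='$($p.ImagePath)' Start=$($p.Start) Type=$($p.Type) ObjectName='$($p.ObjectName)'"
    $Findings += "registry: $key ($detail)"
    if ($p.ImagePath -notmatch 'CbEvtSvc\.exe') {
        # A same-named key whose image is something else is not this trojan; look before removing.
        Write-Warning "$key exists but ImagePath does not reference CbEvtSvc.exe; inspect before removing"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output $_ } }
else           { Write-Output 'No Exchanger indicators found.' }

if (-not $Remove) {
    if ($Findings) { Write-Output 'Re-run with -Remove to clean.' }
    return
}

# Removal. Stop the service first: while the service process holds the image open,
# deleting the file fails with a sharing violation (the "file in use" case above).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue }
    sc.exe delete $ServiceName | Out-Null    # let the SCM remove the CurrentControlSet entry cleanly
}
Get-Process -Name $ServiceName -ErrorAction SilentlyContinue |
    Stop-Process -Force -ErrorAction SilentlyContinue

# Remove whatever remains in every control set (the SCM only touches the current one).
foreach ($key in $ServiceKeys) {
    if (Test-Path -LiteralPath $key) {
        Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction SilentlyContinue
        Write-Output "removed $key"
    }
}

# Quarantine instead of deleting so the sample can still be submitted for analysis.
if (Test-Path -LiteralPath $ImageFile) {
    $Quarantine = Join-Path $env:ProgramData 'Quarantine'   # assumed location
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Move-Item -LiteralPath $ImageFile -Destination (Join-Path $Quarantine 'CbEvtSvc.exe.bin') -Force
    Write-Output "quarantined $ImageFile to $Quarantine"
}
Write-Output 'Reboot and re-run this script to confirm the service does not return.'
```

The report-only run is safe to use during triage on many hosts; the hash it prints lets you correlate the dropped file across machines and check whether the downloader has already fetched further payloads, which this script does not look for. Because the page does not identify the remote server or the downloaded files, anything found under -Remove beyond the three indicators above should be treated as a separate investigation.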




