Trojan-Downloader:W32/Exchanger
Summary
Trojan-Downloader:W32/Exchanger variants download additional malicious software onto the infected system.
Removal
Manual action
To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps:
- Open the Windows Task Manager by pressing Ctrl + Alt + Delete and clicking the Task Manager button.
- From the list of running processes, find CbEvtSvc.exe and then click the End Process button.
- You may close the Task Manager once the malicious process is terminated.
- From the Windows Start Menu, select Run, type regedit into the "Open:" field and then click OK.
- From the Registry Editor, locate and delete the following keys if present:
- HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc
- HKLM\SYSTEM\ControlSet001\Services\CbEvtSvc
- HKLM\SYSTEM\ControlSet002\Services\CbEvtSvc
- Delete the file called CbEvtSvc.exe located in the C:\WINDOWS\system32\ folder.
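The steps above, collected into one script, as an added example that is not F-Secure's own tooling: it audits a host for the indicators this page lists (the CbEvtSvc process, the service keys in every ControlSet, and the dropped file in system32) and only removes them when run with -Remove. The switch name, the SHA256 hashing before deletion and the ControlSet enumeration are this example's own choices, not part of the original description.

```powershell
# Added example (not F-Secure's code): audit and optionally remove the
# Trojan-Downloader:W32/Exchanger indicators described on this page.
# Run from an elevated PowerShell prompt. Default is audit-only; pass -Remove to clean.
param([switch]$Remove)

$svcName  = 'CbEvtSvc'
$filePath = Join-Path $env:windir 'system32\CbEvtSvc.exe'

# Service key under every ControlSet, not just CurrentControlSet (which is a link
# to one of the numbered sets), so a stale copy cannot be re-used at next boot.
$keys = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' } |
    ForEach-Object { "$($_.PSPath)\Services\$svcName" }

$found = $false

# 1. Running process started from the dropped file
foreach ($p in (Get-Process -Name $svcName -ErrorAction SilentlyContinue)) {
    $found = $true
    Write-Host "Process $($p.Id): $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Service registry entries; the ImagePath on this page is
#    %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs, mimicking a svchost host
foreach ($k in $keys) {
    if (Test-Path $k) {
        $found = $true
        $img = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ImagePath
        Write-Host "Key $k ImagePath=$img"
        if ($Remove) {
            Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
            Remove-Item -Path $k -Recurse -Force
        }
    }
}

# 3. Dropped file; record its hash before deleting so the sample can still be
#    identified or submitted later
if (Test-Path $filePath) {
    $found = $true
    $hash = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash
    Write-Host "File $filePath SHA256=$hash"
    if ($Remove) { Remove-Item -Path $filePath -Force }
}

if (-not $found)        { Write-Host 'No Exchanger indicators found.' }
elseif (-not $Remove)   { Write-Host 'Indicators present; re-run with -Remove to clean.' }
else                    { Write-Host 'Indicators removed; reboot to finish unregistering the service.' }
```

Run it once without -Remove to see what is present, then again with -Remove. Deleting the service key while the Service Control Manager still holds the service registered is only complete after a reboot, and a full scan with updated definitions should follow, since Exchanger's purpose is to fetch further malware that this script does not look for.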
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Once the trojan is executed, it copies itself into the "system32" folder and starts itself from there as a service. The trojan also creates Windows registry entries to ensure that it is started every time the computer is started. Once running, Exchanger variants attempt to contact a remote server in order to relay information about the infected machine. The server replies with a list of URLs that point to malicious files to be downloaded.
File System Changes
Creates these files:
- %windir%\system32\CbEvtSvc.exe
Process Changes
Creates these processes:
- %windir%\system32\CbEvtSvc.exe
Registry Modifications
Sets these values:
- HKLM\System\CurrentControlSet\Services\CbEvtSvc
  - Type = 00000010 (SERVICE_WIN32_OWN_PROCESS)
  - Start = 00000002 (automatic start at boot)
  - ErrorControl = 00000001
  - ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
  - DisplayName = CbEvtSvc
  - ObjectName = LocalSystem
  - Opt = (empty)
- HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security
  - Security = \x01\x00\x14\x80\x90\[...]
Creates these keys:
- HKLM\System\CurrentControlSet\Services\CbEvtSvc
- HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with or call an agent.
Submit a Sample
Submit a file or URL for analysis.