Home / malware
First posted on 04 April 2020.
TrojanDownloader:Win32/Chepvil.J is also known as W32/Oficla.DE, TR/Dldr.Chepvil.J, Trojan-Downloader.Win32.Small.btcy, Backdoor:Win32/Hostil.gen!A, Mal/Bredo-K.
TrojanDownloader:Win32/Chepvil.J is a trojan that attempts to download other malware from a remote server. In the wild, we observed this trojan downloading files detected as Rogue:Win32/Winwebsec, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. InstallationThis trojan may be received as an attachment to a spammed email message. In the wild, this trojan was observed being distributed as an attachment to an email similar to the following example:
Subject: United Parcel Service notification Attachment: "United Parcel Service document.zip" (contains "United Parcel Service document.exe") Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc. If the attached file is extracted and the embedded executable trojan is run, it injects its code into the running process "svchost.exe" in order to hide its presence. Payload Downloads arbitrary filesTrojanDownloader:Win32/Chepvil.J attempts to download the following files from a remote server. In the wild, this trojan was observed to contact a server with an IP address 18.104.22.168 and request the following files: lol2.exe - detected as Rogue:Win32/Winwebsec pod.exe - detected as Backdoor:Win32/Cycbot.B spm.exe - detected as VirTool:Win32/Injector.gen!BG The files are saved to the %TEMP% folder and then executed. The file names requested are usually the same however the remote server IP address varies. Analysis by Jaime Wong
Last update 04 April 2020