Friday, 24 February 2012

TrojanDownloader:Win32/Banload.KE


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Nov 20, 2009

Aliases
  • Trojan-Downloader.Win32.Voila.i (Kaspersky)
  • Generic Downloader.x!biq (McAfee)
  • W32/DLoader.YDZS (Norman)
  • Trojan.DL.Banload.AZJE (VirusBuster)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.67.178.0
Released: Sep 29, 2009


Summary

TrojanDownloader:Win32/Banload.KE is a detection for malware that downloads and executes other malware from a remote server.


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Technical Information (Analysis)

TrojanDownloader:Win32/Banload.KE is a detection for malware that downloads and executes other malware from a remote server.
Installation

When run, the trojan drops a copy of itself into the Windows system directory. It also drops a registry import script as "%windir%\system\sharedapp.reg" and launches the registry utility "regedit.exe" to import that script, which results in the following modification:

Adds value: "SharedAPPs"
With data: "%windir%\system\<trojan file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The registry modification runs the trojan copy at each Windows start.
Payload

Downloads other malware

TrojanDownloader:Win32/Banload.KE attempts to download other malware from the following remote domains:

  • skylinedom12.net
  • priver10mab.biz
  • camisetasfran.com

If the download attempts are successful, the downloaded files are saved and executed as the following:

%windir%\AppPatch\Acytrnal.dll
%windir%\Media\smss.exe
%windir%\System32\java.dll

Note: These files were no longer available at the time of analysis; however, Win32/Banload variants are often observed in the wild downloading variants of Win32/Bancos and Win32/Banker, trojans that attempt to steal sensitive information such as usernames and passwords for banks and other financial institutions.
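
The following host triage script is an added example, not part of the encyclopedia entry: it checks a Windows host for the persistence value and the dropped and downloaded files named in the Installation and Payload sections above. It assumes it is run with administrative rights on the host being examined; the registry path, value name and file paths are taken from the entry, while the trojan's own file name is not given there, so any "SharedAPPs" value is reported for review.

```powershell
# Added triage check for the Banload.KE indicators described in this entry.
# Read-only: it reports findings and changes nothing on the host.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'SharedAPPs'   # value name written by the dropped sharedapp.reg
$findings  = @()

# 1. Persistence: the Run value the imported .reg script creates.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $data = $run.$valueName
    $findings += "Run value '$valueName' present, data: $data"
    # The entry gives no trojan file name, so hash whatever the value points at.
    if (Test-Path -LiteralPath $data) {
        $hash = (Get-FileHash -LiteralPath $data -Algorithm SHA256).Hash
        $findings += "  referenced file exists, SHA256 $hash"
    }
}

# 2. Dropped registry script and the three download targets named in the entry.
#    Note that the legitimate smss.exe lives in System32, not in Media.
$paths = @(
    (Join-Path $env:windir 'system\sharedapp.reg'),   # registry import script
    (Join-Path $env:windir 'AppPatch\Acytrnal.dll'),  # download target
    (Join-Path $env:windir 'Media\smss.exe'),         # download target
    (Join-Path $env:windir 'System32\java.dll')       # download target
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += "Artifact present: $p (last write $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Banload.KE indicators found.'
} else {
    Write-Output 'Possible Banload.KE indicators (review before acting):'
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hit on any single path is a lead to examine, not proof of infection; confirm with the definition update named above and with the file hashes before remediating.
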
Analysis by Shali Hsieh
