TrojanDownloader:Win32/Banload.AQV

To lure you into running it, TrojanDownloader:Win32/Banload.AQV uses icons that are used by Microsoft Office programs, such as the following:

When run, TrojanDownloader:Win32/Banload.AQV drops and deletes a file with a random filename to the %TEMP% folder. It uses this file to store some data (at the time of analysis we were unable to determine the exact nature of the data).

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

Payload

Contacts remote hosts

TrojanDownloader:Win32/Banload.AQV attempts to connect to a remote server to download or send information, such as passwords and other sensitive personal information.

We have observed TrojanDownloader:Win32/Banload.AQV attempting to connect to the following servers:

• mintestc.<removed>.sa-east-1.rds.amazonaws.com, via TCP port 35350
• tmpmicroa.<removed>.eu-west-1.rds.amazonaws.com, via TCP port 27402
• tmpmicrod.<removed>.eu-west-1.rds.amazonaws.com, via TCP port 27402

Monitors network and browser data

TrojanDownloader:Win32/Banload.AQV attempts to drop and register itself as a browser helper object (BHO) in the <system folder> (for example, "<system folder>\HbIEMan.dll" to intercept network connections and browser data, such as passwords for sites you visit.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

Modifies computer settings

TrojanDownloader:Win32/Banload.AQV modifies your computer's security settings by making a number of changes to the registry.

It changes your computer's network address:

In subkey: HKLM\Software\Description\Microsoft\Rpc\UuidTemporaryData
Sets value: "NetworkAddress"
With data: "00 DB 7F A2 10 xx", where xx can be any hexadecimal number

It disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

It prevents BHOs from being loaded in Windows Explorer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Sets value: "NoExplorer"
With data: "1"

Analysis by Daniel Radu