TrojanDownloader:Win32/Banload.ARG

TrojanDownloader:Win32/Banload.ARG is a trojan that redirects your web browser so that when you attempt to access certain websites you are redirected to malicious sites that attempt to steal or "phish" your information.

To accomplish this, TrojanDownloader:Win32/Banload.ARG modifies system and browser settings that may leave your computer unsecured.

Installation

TrojanDownloader:Win32/Banload.ARG modifies browser settings that enable its malicious activity by making a number of registry modifications.

It provides a URL that may specify configuration settings for Internet Explorer:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigUrl"
With data: "www.mengao.<removed>.com.br">

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "AutoConfigUrl"
With data: "www.mengao.<removed>.com.br"

It disables the option to specify your own proxy for connecting to websites:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"

It disables the notification of errors for poor or unsecured website security certificates, possibly to prevent warnings from appearing when you are redirected to malicious pages:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonBadCertRecving"
With data: "0"

If you have Mozilla Firefox installed on your computer, the trojan modifies the preferences file "%APPDATA%\Mozilla\Firefox\Profiles\prefs.js" to set the proxy to:

www.mengao.<removed>.com.br

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".

The trojan adds the following URLs to the list of trusted sites - ensuring that you do not receive a warning from your Internet browser when visiting these sites:

• .com.br\*.bb
• .com.br\*.bradesco
• .com.br\*.hsbc
• .com.br\*.itau
• .com.br\*.santander

Payload

Redirects websites

TrojanDownloader:Win32/Banload.ARG may redirect the following safe websites to "www.baixar<removed>brasil.com.br:80" for phishing and/or information-stealing activities:

• bancobrasil.com.br
• bancodobrasil.com.br
• bb.com.br
• bradesco.com
• bradesco.com.br
• www.bancobrasil.com.br
• www.bancodobrasil.com.br
• www.bb.com.br
• www.bradesco.com.br
• www.itau.com.br

TrojanDownloader:Win32/Banload.ARG gathers information about your computer, including:

• Your user name
• Your account level (for example, if you have an administrator account)
• Your computer's MAC address (this is a unique code used to identify your computer on the network)
• Your computer's name

It sends this information to the following address:

max.brasildetodos.<removed>.com.br/la.php

Modifies system settings

TrojanDownloader:Win32/Banload.ARG also modifies system settings to prevent system restore, so that you cannot revert to a previous, uninfected state of Windows, by modifying the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableSR"
With data: "1"

TrojanDownloader:Win32/Banload.ARG disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

Note: Disabling the LUA allows all applications to run by default with all administrative privileges, without prompting you for explicit consent.

Additional information

The trojan flushes the DNS cache to enable its redirection payload by running the following command:

• ipconfig /flushdns

Analysis by Daniel Radu