Threat behavior
TrojanDownloader:Win32/Banload.MS is a member of Win32/Banload, Microsoft's detection for a family of trojans that download other malware. The downloaded malware is usually a member of the Win32/Banker family, trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload.MS usually arrives on the system disguised as a screensaver (.scr) file. An example of a file name it may use is "fotodobeijos.scr".
It creates a mutex with a randomly generated name, for example:
- f4GQOscNZn/NFKZhzkFG9uhKhdK3skMviagnUWlKE74MNm+Fj1dJpycGBik
Payload
Downloads and installs additional malware
When executed, TrojanDownloader:Win32/Banload.MS connects to a remote host to download and execute arbitrary files. In the wild, one variant has been observed contacting the following remote host for this purpose:
Downloaded files are saved to, and executed from, the following location:
- C:\Arquivos de Programas\Windows Live\Messenger
and may use the following file names:
<random letters>.usr
<random letters>.dll
<random letters>.exe
<random letters>.cfg
For example:
vokpecwqjvxbzffm.usr
avokpecwqjvxbzffm.dll
tmlxbzetwizhnvja.exe
aecrpmdkaexftoyvv.cfg
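A triage check for the drop location and naming pattern described above, added here as an example and not part of the original analysis. It assumes (inferred from the sample names, not stated on the page) that the random names are 16 or 17 lowercase letters; the file listing it runs over is constructed.

```python
import re
from pathlib import PureWindowsPath

# Drop directory named in the analysis (Portuguese-locale "Program Files").
DROP_DIR = PureWindowsPath(r"C:\Arquivos de Programas\Windows Live\Messenger")

# Assumption: the page's samples are 16 letters, and the .dll/.cfg names carry a
# leading 'a' (17 letters). The length bounds are inferred, not stated on the page.
# Windows file names are case-insensitive, so the match is too.
NAME_RE = re.compile(r"^[a-z]{16,17}\.(usr|dll|exe|cfg)$", re.IGNORECASE)


def is_banload_drop(path: str) -> bool:
    """True if the path sits in the drop directory and matches the naming pattern."""
    p = PureWindowsPath(path)
    # PureWindowsPath equality is case-insensitive, matching NTFS behaviour.
    if p.parent != DROP_DIR:
        return False
    return NAME_RE.match(p.name) is not None


def triage(paths):
    """Group matching files by extension: {'usr': [...], 'dll': [...], ...}."""
    hits = {}
    for path in paths:
        if is_banload_drop(path):
            name = PureWindowsPath(path).name
            ext = name.rsplit(".", 1)[1].lower()
            hits.setdefault(ext, []).append(name)
    return {ext: sorted(names) for ext, names in hits.items()}


# Constructed sample listing: the four names from the analysis, plus two files
# that should not be flagged (a normal-looking name in the same folder, and the
# dropper itself, which lives elsewhere and is not covered by this check).
SAMPLE_LISTING = [
    r"C:\Arquivos de Programas\Windows Live\Messenger\vokpecwqjvxbzffm.usr",
    r"C:\Arquivos de Programas\Windows Live\Messenger\avokpecwqjvxbzffm.dll",
    r"C:\Arquivos de Programas\Windows Live\Messenger\tmlxbzetwizhnvja.exe",
    r"C:\Arquivos de Programas\Windows Live\Messenger\aecrpmdkaexftoyvv.cfg",
    r"C:\Arquivos de Programas\Windows Live\Messenger\msnmsgr.exe",
    r"C:\Users\alice\Downloads\fotodobeijos.scr",
]

if __name__ == "__main__":
    for ext, names in triage(SAMPLE_LISTING).items():
        print(ext, names)
```

On a live host the listing would come from walking the drop directory; a hit on this pattern is a reason to pull the files for analysis, not proof on its own.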
Additional information
The malware may also display an image that it fetches from a remote site. The same downloaded image is used as the malware's own icon. This may be done to hide the malware's actions and purpose from the user.
Analysis by Elda Dimakiling
Prevention