TrojanDownloader:Win32/Banload.ARZ
First posted on 28 March 2013.
Source: Microsoft
Aliases: TrojanDownloader:Win32/Banload.ARZ is also known as Trojan.Win32.Spy (Ikarus).
Explanation:
Payload
Downloads other files
TrojanDownloader:Win32/Banload.ARZ checks if your computer is connected to the Internet. If so, it connects to the following servers to download a specific file:
- sourceforge.net
- xokorea.i.sohu.com
As of this writing, the file is unavailable.
It saves the file on your computer as "%TEMP%\SMSvcHost.exe", and creates the following registry entry so that the downloaded file runs automatically every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AhnLab V3Lite Update Process"
With data: "SMSvcHost.exe"
Deletes Battle.net account
It deletes your Battle.net account, if you have one, by deleting the data in the following registry subkey:
HKCU\SOFTWARE\Blizzard Entertainment\Battle.net\Identity
Allows processes to run with elevated privileges
It changes the following registry entry so that any elevated action is performed without prompting you:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: "0"
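The artifacts listed above (the Run value, the file dropped in %TEMP%, the ConsentPromptBehaviorAdmin change and the Battle.net Identity subkey) can be checked on a host from an elevated PowerShell session. The script below is an added example for defenders and is not part of the Microsoft encyclopedia entry; the function name Test-BanloadARZArtifacts and the output object layout are assumptions of this example, and it only reports, it changes nothing. It keys the file check on the %TEMP% path because a legitimate SMSvcHost.exe (the .NET Net.Tcp Port Sharing Service) exists under %WINDIR%\Microsoft.NET and must not be flagged.

```powershell
# Added example (not from the Microsoft encyclopedia entry): read-only host check for the
# registry and file artifacts the entry describes. Run in an elevated PowerShell session
# so HKLM is readable in full. Function name and output layout are hypothetical; nothing is modified.

function Test-BanloadARZArtifacts {
    [CmdletBinding()]
    param()

    # Artifacts taken from the encyclopedia text above.
    $runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue    = 'AhnLab V3Lite Update Process'
    $droppedFile = Join-Path $env:TEMP 'SMSvcHost.exe'
    $uacKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacValue    = 'ConsentPromptBehaviorAdmin'
    $bnetKey     = 'HKCU:\SOFTWARE\Blizzard Entertainment\Battle.net\Identity'

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Autorun persistence: the named Run value itself is the indicator, whatever its data.
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add([pscustomobject]@{
            Check    = 'Run key persistence'
            Location = "$runKey\$runValue"
            Value    = $run.$runValue
            Severity = 'High'
        })
    }

    # 2. Dropped downloader payload in %TEMP%. The legitimate SMSvcHost.exe (.NET Net.Tcp
    #    Port Sharing Service) lives under %WINDIR%\Microsoft.NET, never in %TEMP%.
    if (Test-Path -LiteralPath $droppedFile -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $droppedFile -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{
            Check    = 'Dropped file'
            Location = $droppedFile
            Value    = "SHA256=$hash"
            Severity = 'High'
        })
    }

    # 3. UAC weakened: 0 means administrators are elevated with no consent prompt.
    #    (The Windows default is 5, prompt for consent for non-Windows binaries.)
    $uac = Get-ItemProperty -Path $uacKey -Name $uacValue -ErrorAction SilentlyContinue
    if ($uac -and $uac.$uacValue -eq 0) {
        $findings.Add([pscustomobject]@{
            Check    = 'UAC consent prompt disabled'
            Location = "$uacKey\$uacValue"
            Value    = $uac.$uacValue
            Severity = 'Medium'
        })
    }

    # 4. Battle.net identity data. A missing Identity key is normal on machines without the
    #    client, so report it as informational, and only when the parent key exists.
    $bnetParent = Split-Path $bnetKey -Parent
    if ((Test-Path $bnetParent) -and -not (Test-Path $bnetKey)) {
        $findings.Add([pscustomobject]@{
            Check    = 'Battle.net Identity subkey missing'
            Location = $bnetKey
            Value    = $null
            Severity = 'Info'
        })
    }

    return $findings
}

# Usage: list findings, then exit non-zero if any High or Medium item was found so the
# script can be driven from a scheduled task or an EDR live-response session.
$results = Test-BanloadARZArtifacts
if ($results.Count -eq 0) {
    Write-Host 'No Banload.ARZ artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
if ($results | Where-Object { $_.Severity -in 'High', 'Medium' }) { exit 1 }
```

The script deliberately stops at reporting. Cleanup on a confirmed host means removing the Run value, deleting the file in %TEMP% after preserving a copy and its hash for analysis, and restoring ConsentPromptBehaviorAdmin to the Windows default of 5 (or whatever value your baseline policy sets), which are actions best taken under your incident-response process rather than silently by a detection script.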
Analysis by Patrik Vicol
Last update 28 March 2013