TrojanDownloader:Win32/Banload.ADN
First posted on 19 January 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Banload.ADN is also known as Trojan-Downloader.Win32.Banload.bozr (Kaspersky), Trojan.DL.Banload!VyXSOtj2/7A (VirusBuster), Trojan horse PSW.Banker6.IGP (AVG), TSPY_BANKER.SMY (Trend Micro).
Explanation:
TrojanDownloader:Win32/Banload.ADN is a member of Win32/Banload - a family of trojans that downloads other malware. Banload is usually used to download and install members of the Win32/Banker and Win32/Bancos families onto affected computers.
Win32/Banker and Win32/Bancos are trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload.ADN is usually distributed via compromised websites, disguised as a webpage named "\boleto.php". It may be distributed as a self-extracting archive together with component files that are designed to distract the user while other malware is installed onto the affected computer.
Below is a list of files contained in the self-extracting archive "camasultris.pps.exe":
- sultra.bat
- sultra.exe
- sultra.pps
- z-iconepps.ico
The file camasultris.pps.exe first executes sultra.bat; sultra.bat then executes sultra.exe (the trojan downloader) and sultra.pps (a slide show containing adult material, used to distract the user).
When TrojanDownloader:Win32/Banload.ADN is executed, it attempts to download arbitrary files to the infected computer and saves them to the following location:
%AppData%\bck.bck
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Banload.ADN connects to the following websites and attempts to download files, which may be detected as members of the TrojanSpy:Win32/Bancos family.
- suporteremoto.kinghost.net/<BLOCKED>/<random_name>/bck.bck
- silnikihonda.pl/<BLOCKED>/bck.bck
The downloaded files are saved to the %AppData% directory, then executed.
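The Installation and Payload sections above describe a short behavioural chain (archive spawns sultra.bat, which spawns sultra.exe; sultra.exe contacts one of the download hosts, writes %AppData%\bck.bck and runs it). The following added detection example, which is not part of the original write-up, correlates those indicators over normalized endpoint events; the event shape, the sample events and the assumption that a .bat launched through cmd.exe has already been normalized to the script name are all hypothetical.

```python
import re
from typing import Iterable, List

# Indicators taken from the write-up: dropper components, dropped-file path, download hosts.
DROPPER_CHAIN = {("camasultris.pps.exe", "sultra.bat"), ("sultra.bat", "sultra.exe")}
DROPPED_FILE = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\bck\.bck$", re.IGNORECASE)
DOWNLOAD_HOSTS = {"suporteremoto.kinghost.net", "silnikihonda.pl"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or URL-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_banload_adn(events: Iterable[dict]) -> List[str]:
    """Return one finding per Banload.ADN indicator seen in normalized endpoint events.

    Assumed (hypothetical, Sysmon-like) event shapes:
      {'type': 'ProcessCreate', 'parent': <path>, 'image': <path>}
      {'type': 'FileCreate',    'image': <path>,  'target': <path>}
      {'type': 'DnsQuery',      'image': <path>,  'query': <hostname>}
    """
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "ProcessCreate":
            parent, child = basename(ev["parent"]), basename(ev["image"])
            if (parent, child) in DROPPER_CHAIN:
                findings.append(f"dropper chain: {parent} -> {child}")
            if DROPPED_FILE.search(ev["image"]):  # bck.bck itself being executed
                findings.append(f"downloaded payload executed: {ev['image']}")
        elif kind == "FileCreate" and DROPPED_FILE.search(ev["target"]):
            findings.append(f"payload written by {basename(ev['image'])}: {ev['target']}")
        elif kind == "DnsQuery" and ev["query"].lower() in DOWNLOAD_HOSTS:
            findings.append(f"download host contacted by {basename(ev['image'])}: {ev['query']}")
    return findings


# Constructed sample events modelled on the infection chain above (not real telemetry).
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Users\alice\Downloads\camasultris.pps.exe", "image": TEMP + r"\sultra.bat"},
    {"type": "ProcessCreate", "parent": TEMP + r"\sultra.bat", "image": TEMP + r"\sultra.exe"},
    {"type": "DnsQuery", "image": TEMP + r"\sultra.exe", "query": "suporteremoto.kinghost.net"},
    {"type": "FileCreate", "image": TEMP + r"\sultra.exe", "target": r"C:\Users\alice\AppData\Roaming\bck.bck"},
    {"type": "ProcessCreate", "parent": TEMP + r"\sultra.exe", "image": r"C:\Users\alice\AppData\Roaming\bck.bck"},
    {"type": "DnsQuery", "image": r"C:\Windows\explorer.exe", "query": "example.com"},  # benign noise
]

if __name__ == "__main__":
    for finding in detect_banload_adn(SAMPLE_EVENTS):
        print(finding)
```

Any single finding is worth a look on its own; the full ordered sequence (chain, host contact, file write, execution from %AppData%) is the high-confidence match for this family.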
Analysis by Zarestel Ferrer
Last update 19 January 2012