
TrojanDropper:Win32/Banload.PH


First posted on 18 August 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Banload.PH is also known as Trojan.Heur.DP.yGW@ayUeUedG (BitDefender), Trojan.DownLoader.origin (Dr.Web).

Explanation :

TrojanDropper:Win32/Banload.PH is a RAR executable (a self-extracting archive) that installs other malware on the compromised computer.

Installation

When executed, TrojanDropper:Win32/Banload.PH drops the following files into the <system folder>:

  • config\mtransito.bat - detected as Trojan:BAT/Killav.AQ
  • config\mtransito.exe - detected as TrojanDownloader:Win32/Banload.PH
  • config\mtransito.pps - a harmless PowerPoint presentation

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP, Vista and 7.

The batch file, mtransito.bat, launches the two other files and also disables security applications, as described in the payload section below.

Payload

Downloads and executes files

When mtransito.exe is executed, it downloads the following three executable files from the domain webrio2010.com and saves them to the <system folder>:

  • IExplUpd.exe
  • SynNglp.exe
  • MsgrUpd.exe

These files are detected as TrojanSpy:Win32/Bancos variants.

Disables security applications

The batch file component, mtransito.bat, attempts to disable the AVG Internet Security application by renaming the files avgupd.exe and avgupd.dll to avgupd.prt and avgupd.pnt respectively. Because a rename leaves the original files on disk under the new names, the presence of avgupd.prt or avgupd.pnt where avgupd.exe and avgupd.dll should be is a simple indicator that the batch file has run, even if the dropped files themselves have since been removed.
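The file-system indicators above (the dropped config\mtransito.* files, the three downloaded executables, and the renamed AVG components) can be checked with a small triage script. The following is an added example written for this page, not code from Microsoft or from the analyst; it assumes the caller supplies the System folder and the AVG program directory (the write-up does not state where avgupd.exe lives), and the function names and the constructed sample layout in build_sample_layout are hypothetical.

```python
"""Post-infection triage for the TrojanDropper:Win32/Banload.PH indicators.

Added example, not the original write-up's code. Assumptions: the AVG
directory location is caller-supplied, and the helper names are hypothetical.
"""
import os
import tempfile

# Files the dropper writes under <system folder>\config\ (from the write-up).
DROPPED = ("config/mtransito.bat", "config/mtransito.exe", "config/mtransito.pps")

# Files the downloader component fetches into <system folder> (from the write-up).
DOWNLOADED = ("IExplUpd.exe", "SynNglp.exe", "MsgrUpd.exe")

# mtransito.bat renames avgupd.exe -> avgupd.prt and avgupd.dll -> avgupd.pnt.
AVG_RENAMES = {"avgupd.exe": "avgupd.prt", "avgupd.dll": "avgupd.pnt"}


def _present(root, rel):
    """Case-insensitive file existence check, so the scan also works when a
    Windows image is mounted on a case-sensitive filesystem for analysis."""
    cur = root
    for part in rel.replace("\\", "/").split("/"):
        try:
            names = os.listdir(cur)
        except OSError:
            return False
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return False
        cur = os.path.join(cur, match)
    return os.path.isfile(cur)


def scan_system_folder(system_folder):
    """Return the dropped/downloaded Banload.PH file names found under the System folder."""
    return sorted(rel for rel in DROPPED + DOWNLOADED if _present(system_folder, rel))


def scan_avg_tamper(avg_dir):
    """Return (original, renamed) pairs where the .prt/.pnt copy exists and the
    original is gone, which is exactly what a successful rename leaves behind."""
    return [(orig, new) for orig, new in AVG_RENAMES.items()
            if _present(avg_dir, new) and not _present(avg_dir, orig)]


def triage(system_folder, avg_dir):
    """Combine both checks into a verdict a responder can act on."""
    dropped = scan_system_folder(system_folder)
    tampered = scan_avg_tamper(avg_dir)
    return {
        "dropped_or_downloaded": dropped,
        "avg_renamed": tampered,
        "infected": bool(dropped) or bool(tampered),
    }


def build_sample_layout():
    """Constructed test data (hypothetical): a partial infection with one dropped
    file, one downloaded file and only avgupd.exe renamed. Returns (sysdir, avgdir)."""
    base = tempfile.mkdtemp(prefix="banload_sample_")
    sysdir = os.path.join(base, "System32")
    os.makedirs(os.path.join(sysdir, "config"))
    for rel in ("config/MTRANSITO.BAT", "IExplUpd.exe"):  # mixed case on purpose
        open(os.path.join(sysdir, *rel.split("/")), "wb").close()
    avgdir = os.path.join(base, "AVG")
    os.makedirs(avgdir)
    for name in ("avgupd.prt", "avgupd.dll"):  # .exe renamed, .dll untouched
        open(os.path.join(avgdir, name), "wb").close()
    return sysdir, avgdir


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(triage(sys.argv[1], sys.argv[2]))
    else:
        print("usage: triage.py <system folder> <AVG directory>; running on sample layout")
        print(triage(*build_sample_layout()))
```

Run it against a live host with the real System32 and AVG paths, or against a mounted disk image; the case-insensitive lookup matters for the latter, and the rename check deliberately requires the original name to be absent so that a legitimate avgupd.exe sitting beside a stray .prt file is not reported.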

    Analysis by Amir Fouda

    Last update 18 August 2010
