
TrojanDownloader:Win32/Adload.BR


First posted on 30 November 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Adload.BR is also known as Zwanky Search (other), W32/FlvDirect.I (Norman).

Explanation :

TrojanDownloader:Win32/Adload.BR is a trojan that downloads and installs Win32/Zwangi from a specific website. The trojan may be bundled with third party software from the website "Happyscreensavers.com".

Installation

The trojan may be bundled with third-party software from the website "Happyscreensavers.com". In the wild, this trojan was observed inside an installation program that also contained an installer for "Relevant Knowledge" (listed as an "online market research community" on its website, "relevantknowledge.com"). When the NSIS installer is run, it drops and executes a file named "zwankysearch_stub.exe". This file is detected as TrojanDownloader:Win32/Adload.BR.

Payload

Downloads arbitrary files

TrojanDownloader:Win32/Adload.BR attempts to connect to the website "upgrade.zwankysearch.com" over TCP port 80 (HTTP) to retrieve the file "zwankysearch-setup.exe", using a request string such as the following:

<site>/install.aspx?b=zwankysearch

The retrieved file is an installer for Win32/Zwangi and is detected as BrowserModifier:Win32/Zwangi.

Additional Information

The NSIS installer carries a code signing certificate issued by UTN-UserFirst-Object to "Happyscreensavers.com". The trojan component within the installer, detected as TrojanDownloader:Win32/Adload.BR, carries a code signing certificate issued by UTN-UserFirst-Object to "ZwankySearch.com". The "Relevant Knowledge" installer carries a certificate issued by the Thawte Code Signing CA to "TMRG, Inc". A valid Authenticode signature therefore says nothing about whether a binary is unwanted; the signer identity, not the mere presence of a signature, is the useful indicator here.
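The download request described in the Payload section is the one network indicator this description gives. The following Python is an added example, not code from the original page or from the analysis it reproduces: it turns that indicator (an HTTP request to "upgrade.zwankysearch.com" for "/install.aspx?b=zwankysearch") into a check that can be run over proxy log lines. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed for the example, and matching a direct request for "zwankysearch-setup.exe" by filename is an assumption that goes slightly beyond the text, which only shows the install.aspx form.

```python
"""Match the Adload.BR download indicator against proxy log lines.

Added example; not from the original description. Assumed log format:
    <timestamp> <client_ip> <method> <url> <status>
"""
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the description above.
IOC_HOST = "upgrade.zwankysearch.com"
IOC_PATH = "/install.aspx"
IOC_QUERY = {"b": "zwankysearch"}
IOC_FILE = "zwankysearch-setup.exe"   # direct-filename match is an assumption


def classify_request(url: str) -> str:
    """Return 'download', 'host-only' or 'clean' for one requested URL.

    'download'  - the exact install.aspx?b=zwankysearch request (or a direct
                  request for the setup file name) on the indicator host
    'host-only' - any other request to the indicator host, worth a look
    'clean'     - some other host
    """
    parts = urlsplit(url)
    host = parts.hostname or ""        # hostname is already lower-cased
    if host != IOC_HOST:
        return "clean"
    if parts.path.lower() == IOC_PATH:
        query = parse_qs(parts.query)
        if all(query.get(k) == [v] for k, v in IOC_QUERY.items()):
            return "download"
    if parts.path.lower().endswith("/" + IOC_FILE):
        return "download"
    return "host-only"


def scan_log(lines):
    """Return (client_ip, verdict, url) for every line touching the IOC host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                   # malformed line; skip rather than crash
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_request(url)
        if verdict != "clean":
            hits.append((client, verdict, url))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2010-11-30T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2010-11-30T10:01:05Z 10.0.0.5 GET http://upgrade.zwankysearch.com/install.aspx?b=zwankysearch 200",
    "2010-11-30T10:01:07Z 10.0.0.9 GET http://UPGRADE.ZWANKYSEARCH.COM:80/install.aspx?b=other 200",
    "2010-11-30T10:01:09Z 10.0.0.9 GET http://upgrade.zwankysearch.com/zwankysearch-setup.exe 200",
]

if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client} {verdict} {url}")
```

The host match is case-insensitive and ignores an explicit ":80", since the description only says the trojan uses HTTP on TCP port 80; a request to the same host with a different query is reported as "host-only" so that a variant using another "b=" value is not silently dropped.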

Analysis by Wei Li

Last update 30 November 2010
