TrojanDownloader:Win32/Banload.AGK
First posted on 04 February 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Banload.AGK is also known as W32/Banload.BFHV (Norman), Trojan.DL.Banload!T+pih9fG1iQ (VirusBuster), Downloader.Banload.BTDV (AVG), Win32/TrojanDownloader.Banload.QNU trojan (ESET), Trojan-Downloader.Banload (Ikarus).
Explanation:
TrojanDownloader:Win32/Banload.AGK is a trojan that downloads and executes other malware on the affected computer. The downloaded files are usually variants of Win32/Bancos and Win32/Banker.
Installation
When executed, TrojanDownloader:Win32/Banload.AGK checks whether the system language is Portuguese.
It then creates the file "infosapi.DLL" in one of the following folders. This file is not malicious and possibly serves as an infection marker.
- C:\Adobe7\Adobess
- C:\Adobe7\NEFXRepair
- C:\Adobe\NEFXRepair019
- C:\Adobe\NEFXRepair02
- C:\Adobe\WSansung
- C:\Adobe\WSansungw
- C:\Arquivos de programas\GbPlugin
- C:\Arquivos de programas\Google\Update\0.1.3.1
- C:\Arquivos de programas\Google\Update\0.1.3.4
- C:\Arquivos de programas\Google\Update\0.1.3.5
- C:\Arquivos de programas\Google\Update\0.1.3.7
- c:\boot\eng-us
- C:\Mobile\wcescom
- C:\Mobiles\Dacotf
- C:\Mobille\Sansung
- C:\Office\Outlook
- C:\TEMP
- C:\Winsys7\SysDatt
- C:\Winsys_\SysDate
- C:\Winsys_\SysDatt
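As an added triage aid (not part of the Microsoft write-up), the following Python function checks a drive root or a mounted disk image for the infosapi.DLL marker in exactly the folders listed above; it assumes the list is complete as shown and that the name is compared case-insensitively, as Windows does.

```python
import os
from pathlib import Path

# Folders from the write-up in which the marker may be dropped, stored relative
# to the drive root so the scan can be pointed at a mounted image or a copied
# directory tree instead of only a live C: drive.
MARKER_FOLDERS = [
    r"Adobe7\Adobess",
    r"Adobe7\NEFXRepair",
    r"Adobe\NEFXRepair019",
    r"Adobe\NEFXRepair02",
    r"Adobe\WSansung",
    r"Adobe\WSansungw",
    r"Arquivos de programas\GbPlugin",
    r"Arquivos de programas\Google\Update\0.1.3.1",
    r"Arquivos de programas\Google\Update\0.1.3.4",
    r"Arquivos de programas\Google\Update\0.1.3.5",
    r"Arquivos de programas\Google\Update\0.1.3.7",
    r"boot\eng-us",
    r"Mobile\wcescom",
    r"Mobiles\Dacotf",
    r"Mobille\Sansung",
    r"Office\Outlook",
    r"TEMP",
    r"Winsys7\SysDatt",
    r"Winsys_\SysDate",
    r"Winsys_\SysDatt",
]
MARKER_NAME = "infosapi.dll"  # matched case-insensitively, as Windows file names are


def find_infection_markers(root):
    """Return the full paths of every marker file found under root.

    root is a drive root such as 'C:\\' or the mount point of an image.
    Only the listed folders are examined; a file named infosapi.DLL (any
    case) directly inside one of them counts as a hit.
    """
    hits = []
    for rel in MARKER_FOLDERS:
        folder = Path(root).joinpath(*rel.split("\\"))
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and entry.name.lower() == MARKER_NAME:
                hits.append(str(entry))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_infection_markers(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print("infection marker found:", hit)
```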
Payload
Downloads other malware
If it has confirmed that the system language is Portuguese, TrojanDownloader:Win32/Banload.AGK downloads other files, which may be detected as variants of Win32/Bancos and Win32/Banker.
Some of the servers it is known to download files from are the following:
It does not download files if the system language is not Portuguese.
Deletes files and folders
TrojanDownloader:Win32/Banload.AGK deletes the following folders from the %ProgramFiles% folder, including all the subfolders and files within them, if found. These folders usually contain files related to security programs.
- AVG
- Alwil Software
- Alwil
- GbPlugin
- Grisoft
- Kaspersky Labs
- Kaspersky
- Norton AntiVirus
- Scpad
- Symantec AntiVirus
It also deletes the following files, if found:
- %Temp%\IconsDb\3DVision_280.dll
- %Temp%\IconsDb\3DVision_719.dll
- %Temp%\IconsDb\GoogleUpdat
- %Temp%\IconsDb\GoogleUpdatt
- %Temp%\IconsDb\Vision_290.exe
- %Temp%\IconsDb\arcsoft
- %Temp%\IconsDb\audiodg
- %Temp%\IconsDb\bottongifjp30082011
- %Temp%\IconsDb\cfgGoogleUpdat
- %Temp%\IconsDb\cfggbiehabnn
- %Temp%\IconsDb\dadfdf
- %Temp%\IconsDb\designer.exe
- %Temp%\IconsDb\dfad
- %Temp%\IconsDb\fafd
- %Temp%\IconsDb\gbieahbnn
- %Temp%\IconsDb\gbiehabnnpdf
- %Temp%\IconsDb\msocache.dll
- %Temp%\dbcache.cab
Connects to a remote server
TrojanDownloader:Win32/Banload.AGK connects to a remote server to send some information about the affected computer. It sends the following information:
- Computer name
- Currently installed antivirus program
- Currently logged on user
- Volume information
- Whether GbPlugin is installed or not
- Whether Scpad is installed or not
- MAC address
- Windows version
Analysis by Ric Robielos
Last update 04 February 2012