TrojanDownloader:Win32/Banload.YU
First posted on 09 August 2011.
Source: SecurityHome
Aliases:
TrojanDownloader:Win32/Banload.YU is also known as Trojan.DownLoader4.6370 (Dr.Web), Win32/TrojanDownloader.Autoit.NEU trojan (ESET), Trojan-Downloader.Win32.Banload (Ikarus).
Explanation:
TrojanDownloader:Win32/Banload.YU is a trojan that downloads and executes arbitrary files, which may be detected as variants of the Win32/Bancos family.
Installation
TrojanDownloader:Win32/Banload.YU creates a copy of itself using the following format:
- %UserProfile%\<random characters>\<random characters>.exe
For example:
- %UserProfile%\apytm\ojdidpyp.exe
It also creates a registry entry to make sure its copy executes at each Windows start, for example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ojdidpyp.exe"
With data: "%UserProfile%/apytm/ojdidpyp.exe"
Payload
Download and execute arbitrary files
TrojanDownloader:Win32/Banload.YU contacts the following server to download and execute arbitrary files:
- premium.fileden.com
The files are downloaded into the same folder where TrojanDownloader:Win32/Banload.YU stores its copy. The files may be detected as variants of the Win32/Bancos family.
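The two observable traits above (a Run value pointing at a randomly named copy under %UserProfile%, and lookups of the download server) can be checked against collected artifacts. The script below is an added example, not code from the original write-up; it parses constructed `reg query` output and constructed DNS log lines (the log format is hypothetical) and flags entries that match the layout described here. It accepts both path separators because the registry data shown on the page uses forward slashes.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output. The ojdidpyp.exe line reproduces the value name and data from the
# write-up; the other two entries are made-up benign values for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ojdidpyp.exe    REG_SZ    %UserProfile%/apytm/ojdidpyp.exe
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""

# Constructed DNS query log lines (hypothetical format: timestamp, client, qname).
SAMPLE_DNS_LOG = """
2011-08-09T10:12:01Z 10.0.0.15 www.example.com
2011-08-09T10:12:07Z 10.0.0.15 premium.fileden.com
2011-08-09T10:13:44Z 10.0.0.22 update.example.org
"""

# Download server named in the write-up.
DOWNLOAD_HOST = "premium.fileden.com"

# Copy layout described in the write-up: %UserProfile%\<random>\<random>.exe.
# Both "\" and "/" are accepted because the page's registry data uses "/".
RUN_PATTERN = re.compile(
    r"^%userprofile%[\\/](?P<dir>[a-z0-9]+)[\\/](?P<exe>[a-z0-9]+\.exe)$",
    re.IGNORECASE,
)

# One value line of `reg query` output: name, type, data (indented).
REG_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Parse `reg query` output into {name, type, data} dicts; the key line is skipped."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_run_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return Run values whose data matches the copy layout and whose value name
    equals the dropped executable's file name, as in the write-up."""
    hits = []
    for e in entries:
        data = e["data"].strip('"')
        m = RUN_PATTERN.match(data)
        if m and e["name"].lower() == m.group("exe").lower():
            hits.append(e)
    return hits


def dns_hits(log: str, host: str = DOWNLOAD_HOST) -> List[str]:
    """Return DNS log lines whose queried name is the download server."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1].lower().rstrip(".") == host:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for e in suspicious_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print("suspicious Run value:", e["name"], "->", e["data"])
    for line in dns_hits(SAMPLE_DNS_LOG):
        print("download server contacted:", line)
```

Run against real data, the Run-key check should be paired with a look at HKCU\...\Run as well, and any flagged path should be confirmed on disk before acting on it; the random-name pattern alone is a lead, not proof.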
Analysis by Raymond Roberts
Last update 09 August 2011