TrojanDownloader:Win32/Bancos.AEW
First posted on 17 May 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Bancos.AEW is also known as W32/Banker.FSWZ (Norman), Trojan.DL.Banload!Z1SnAcvR0Gc (VirusBuster), Downloader.Banload.BTHI (AVG), Win32/Spy.Banker.XIN trojan (ESET).
Explanation:
TrojanDownloader:Win32/Bancos.AEW is a trojan that downloads other malware, usually members of the Win32/Banker and Win32/Bancos families, onto the affected computer.
Win32/Banker and Win32/Bancos are trojans that steal banking credentials and other sensitive data.
Installation
When TrojanDownloader:Win32/Bancos.AEW runs, it creates the following file, which contains the path of the folder into which other malware is to be downloaded:
%AppData%\idsys.txt
Payload
Downloads and runs arbitrary files
TrojanDownloader:Win32/Bancos.AEW connects to the following webpages and attempts to download files, which may be detected as members of the Win32/Banker or Win32/Bancos families:
If it successfully downloads a file from any of these webpages, it saves the file in the folder indicated in %AppData%\idsys.txt.
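A host triage check built on the two facts above (the marker file %AppData%\idsys.txt and the download folder it names), added here as an example; it is not the trojan's code and not Microsoft's analysis tooling. It assumes the marker holds a single folder path (possibly with a BOM, quotes or trailing whitespace) and builds a constructed sample layout for a dry run.

```python
"""Triage helper for the TrojanDownloader:Win32/Bancos.AEW marker file."""
import os
import tempfile
from typing import Optional

MARKER_NAME = "idsys.txt"  # file name stated in the advisory


def parse_marker(text: str) -> Optional[str]:
    """Return the folder path held in idsys.txt, or None if it is empty.

    Assumption (not stated in the advisory): one path per file, which may
    carry a UTF-8 BOM, surrounding quotes or trailing line endings.
    """
    path = text.lstrip("\ufeff").strip().strip('"')
    return path or None


def triage(appdata_dir: str) -> dict:
    """Look for the marker under appdata_dir and inventory the named folder."""
    marker = os.path.join(appdata_dir, MARKER_NAME)
    result = {"marker_present": False, "drop_folder": None, "dropped": []}
    if not os.path.isfile(marker):
        return result
    result["marker_present"] = True
    with open(marker, encoding="utf-8", errors="replace") as fh:
        folder = parse_marker(fh.read())
    result["drop_folder"] = folder
    if folder and os.path.isdir(folder):
        # Executables the downloader may have fetched: hash and quarantine these next.
        result["dropped"] = sorted(
            name for name in os.listdir(folder)
            if name.lower().endswith((".exe", ".dll", ".scr"))
        )
    return result


def build_demo_layout() -> tuple:
    """Constructed sample layout (not real infection data) for a dry run."""
    root = tempfile.mkdtemp(prefix="bancos_demo_")
    drop = os.path.join(root, "drop")
    os.makedirs(drop)
    with open(os.path.join(root, MARKER_NAME), "w", encoding="utf-8") as fh:
        fh.write("\ufeff" + drop + "\r\n")  # BOM + CRLF, as a Windows editor might write
    open(os.path.join(drop, "sys01.exe"), "wb").close()  # constructed file names
    open(os.path.join(drop, "notes.txt"), "wb").close()
    return root, drop


if __name__ == "__main__":
    demo_root, _ = build_demo_layout()
    print(triage(demo_root))  # on a live Windows host: triage(os.environ["APPDATA"])
```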
Analysis by Hyun Choi
Last update 17 May 2012