TrojanDownloader:Win32/Banload.HW
First posted on 10 July 2009.
Source: SecurityHome
Aliases:
TrojanDownloader:Win32/Banload.HW is also known as Worm.Win32.VB.aqr (Kaspersky), Troj/VB-EDZ (Sophos), Worm.VB.GIJA (VirusBuster), PWS-Banker!ch (McAfee), W32.SillyIM (Symantec).
Explanation:
TrojanDownloader:Win32/Banload.HW is a trojan that attempts to connect to specific Web sites to download a file, which may be other malware. For more information, refer to the TrojanDownloader:Win32/Banload family description.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of the following file:
C:\windows\hardware.com
The presence of the following registry modifications:
Added value: "Hardware"
With data: C:\windows\hardware.com
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Installation
TrojanDownloader:Win32/Banload.HW drops a copy of itself as the following:
C:\windows\hardware.com
It also modifies the registry so that it automatically runs every time Windows starts:
Adds value: "Hardware"
With data: C:\windows\hardware.com
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
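One offline triage check for the persistence entry described above, added here as an example and not part of the original analysis: it parses the text of a `reg export` of the Run subkey, flags the exact Banload.HW value, and also flags any Run entry that launches a .com file from the Windows directory. The minimal .reg parser and the sample export are constructed for this example.

```python
# Indicators quoted in the Banload.HW description above.
RUN_SUBKEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "hardware"
IOC_DATA = r"c:\windows\hardware.com"
WINDIR = "c:\\windows\\"   # lower-cased prefix used by the broader heuristic


def parse_reg_export(text):
    """Parse a minimal .reg export into {subkey: {value_name: string_data}}.
    Only REG_SZ lines of the form "name"="data" are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            # .reg files escape a backslash as two backslashes; undo that.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_banload_indicators(reg_text):
    """Return (value_name, data, reason) for Run entries matching Banload.HW."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_SUBKEY, {}).items():
        low = data.lower()
        if name.lower() == IOC_VALUE_NAME and low == IOC_DATA:
            findings.append((name, data, "exact Banload.HW persistence entry"))
        elif low.startswith(WINDIR) and low.endswith(".com"):
            # Broader heuristic: a .com executable dropped directly in the
            # Windows directory and autostarted from Run is rarely legitimate.
            findings.append((name, data, "autostart of .com file in Windows dir"))
    return findings


# Constructed sample of `reg export` output for the Run subkey, with one
# benign-looking entry alongside the Banload.HW value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Hardware"="C:\\windows\\hardware.com"
"""

if __name__ == "__main__":
    for name, data, reason in find_banload_indicators(SAMPLE_REG_EXPORT):
        print(f"{reason}: {name} -> {data}")
```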
Payload
Downloads files
TrojanDownloader:Win32/Banload.HW downloads a file from the following Web site:
axiomsolution.com
At the time of this writing, the file it attempts to access is no longer available.
TrojanDownloader:Win32/Banload.HW also attempts to connect to a page in the following site, possibly to download other files:
n0xx10.260mb.com
For more information, refer to the TrojanDownloader:Win32/Banload family description.
Analysis by Francis Allan Tan Seng
Last update 10 July 2009