
TrojanDownloader:Win32/Banload.AQV


First posted on 20 February 2013.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Banload.AQV is also known as Win32/TrojanDownloader.Banload.RKH (ESET), Luhe.Fiha.P (AVG), Mal/VB-ABHH (Sophos), TROJ_SPNR.09AH13 (Trend Micro), Trojan.Banload!4DA8 (Rising AV), Trojan.BhoSiggen.7008 (Dr.Web), Trojan.Win32.BHO.ckak (Kaspersky), W32/Obfuscated.X!genr (Norman), Win-Trojan/Banload.35840.DW (AhnLab).

Explanation :



To lure you into running it, TrojanDownloader:Win32/Banload.AQV uses icons associated with Microsoft Office programs, so that the executable looks like an Office document.



When run, TrojanDownloader:Win32/Banload.AQV drops a file with a random filename in the %TEMP% folder, uses it to store some data, and then deletes it (at the time of analysis we were unable to determine the exact nature of the data).

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of the user's Temp folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Temp" (short form "C:\DOCUME~1\<user>\LOCALS~1\Temp"). For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".



Payload

Contacts remote hosts

TrojanDownloader:Win32/Banload.AQV attempts to connect to a remote server, either to download additional files or to send information it has collected, such as passwords and other sensitive personal information.

We have observed TrojanDownloader:Win32/Banload.AQV attempting to connect to the following servers. The host labels are redacted in the write-up; the suffixes identify them as Amazon RDS database endpoints, and the ports are non-standard, so rules that only inspect HTTP or HTTPS traffic will not see these connections:

  • mintestc.<removed>.sa-east-1.rds.amazonaws.com, via TCP port 35350
  • tmpmicroa.<removed>.eu-west-1.rds.amazonaws.com, via TCP port 27402
  • tmpmicrod.<removed>.eu-west-1.rds.amazonaws.com, via TCP port 27402
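As an added example (not part of Microsoft's analysis), the following PowerShell script hunts for this connection pattern in Windows Firewall log lines and in the DNS client cache. It assumes the standard pfirewall.log field layout; the sample log lines and their IP addresses are constructed for illustration, the redacted host labels are not guessed (matching is on the rds.amazonaws.com suffix and the two ports), and the function names are ours.

```powershell
# Added example, not part of Microsoft's write-up: hunt for the Banload.AQV
# network pattern (outbound TCP to ports 35350 or 27402, hostnames ending in
# rds.amazonaws.com) in Windows Firewall log lines and in the DNS client cache.
# The IP addresses in the sample lines below are constructed for illustration.

$BanloadPorts      = 35350, 27402
$BanloadHostSuffix = 'rds.amazonaws.com'

function Find-BanloadFirewallHits {
    # Parses the W3C-style pfirewall.log layout:
    #   date time action protocol src-ip dst-ip src-port dst-port size ... path
    # and emits one object per TCP flow whose destination port is a Banload port.
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Line)
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*(#|$)') { continue }                       # header or blank line
            $f = $l -split '\s+'
            if ($f.Count -lt 8) { continue }
            $dstPort = 0
            if (-not [int]::TryParse($f[7], [ref]$dstPort)) { continue } # '-' on ICMP lines
            if ($f[3] -eq 'TCP' -and $BanloadPorts -contains $dstPort) {
                [pscustomobject]@{
                    Timestamp = "$($f[0]) $($f[1])"
                    Action    = $f[2]
                    SrcIP     = $f[4]
                    DstIP     = $f[5]
                    DstPort   = $dstPort
                    Note      = 'Banload.AQV C2 port; confirm the destination resolves under *.rds.amazonaws.com'
                }
            }
        }
    }
}

function Find-BanloadDnsCacheHits {
    # Get-DnsClientCache is available on Windows 8 / Server 2012 and later.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*.$BanloadHostSuffix" } |
        Select-Object Entry, RecordType, Data
}

# Constructed sample in pfirewall.log layout (203.0.113.x are documentation-range placeholders).
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-02-20 09:12:44 ALLOW TCP 192.168.1.23 203.0.113.10 49301 35350 0 - 0 0 0 - - - SEND
2013-02-20 09:12:45 ALLOW TCP 192.168.1.23 203.0.113.11 49302 443 0 - 0 0 0 - - - SEND
2013-02-20 09:12:51 DROP TCP 192.168.1.23 203.0.113.12 49310 27402 0 - 0 0 0 - - - SEND
2013-02-20 09:12:52 ALLOW UDP 192.168.1.23 192.168.1.1 51000 53 0 - - - - - - - SEND
2013-02-20 09:12:53 ALLOW ICMP 192.168.1.23 192.168.1.1 - - 60 - - - - 8 0 - SEND
'@ -split "`r?`n"

# Two hits are expected from the sample: the ALLOW to 35350 and the DROP to 27402.
$SampleLog | Find-BanloadFirewallHits | Format-Table -AutoSize

# Against real data:
# Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" | Find-BanloadFirewallHits
Find-BanloadDnsCacheHits
```

A DROP entry is as interesting as an ALLOW here: it shows the host tried to reach the control server, which is the infection signal, even if the connection itself failed.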


Monitors network and browser data

TrojanDownloader:Win32/Banload.AQV attempts to drop a DLL into the <system folder> (for example, "<system folder>\HbIEMan.dll") and register it as a browser helper object (BHO). Because a BHO is loaded into Internet Explorer, this lets it intercept browser traffic and data, such as passwords for sites you visit.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

Modifies computer settings

TrojanDownloader:Win32/Banload.AQV modifies your computer's security settings by making a number of changes to the registry.

It writes a fixed network (MAC) address into the value that the Windows RPC runtime uses as the node identifier when generating UUIDs. The network adapter's real address is not changed, but the fixed prefix is a useful host indicator:

In subkey: HKLM\Software\Description\Microsoft\Rpc\UuidTemporaryData
Sets value: "NetworkAddress"
With data: "00 DB 7F A2 10 xx", where xx can be any hexadecimal number

It disables User Account Control (UAC), known internally as LUA (Least-privileged User Account), so that administrators no longer run in Admin Approval Mode and are not prompted for elevation. Writing this value requires administrative rights, and the change takes effect after the next restart:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

It sets the NoExplorer flag, which prevents a BHO from being loaded into the Windows Explorer shell so that it loads only inside Internet Explorer. Windows honors this value per BHO, in the subkey named for the BHO's CLSID; the write-up lists the parent key:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Sets value: "NoExplorer"
With data: "1"
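As an added example (not part of Microsoft's analysis), the following PowerShell script checks a host for the artifacts listed above: the fixed NetworkAddress prefix, EnableLUA set to 0, BHO registrations whose DLL is HbIEMan.dll or that carry NoExplorer, and the dropped DLL in the system folder. It also checks the Wow6432Node and SysWOW64 locations that a 32-bit sample uses on 64-bit Windows, which the write-up does not mention; the function names are ours.

```powershell
# Added example, not part of Microsoft's write-up: a read-only triage check for
# the Banload.AQV registry and file artifacts listed above. Run from an elevated
# PowerShell prompt; HKLM reads may otherwise be incomplete.

$BanloadDll = 'HbIEMan.dll'

function Get-BanloadHostIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Indicator, $Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # 1. RPC UUID node address overwritten with 00 DB 7F A2 10 xx.
    #    Normally REG_BINARY; a string form is normalised to hex just in case.
    $rpc = Get-ItemProperty 'HKLM:\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData' -ErrorAction SilentlyContinue
    if ($rpc -and $null -ne $rpc.NetworkAddress) {
        $raw = $rpc.NetworkAddress
        if ($raw -is [byte[]]) { $hex = ($raw | ForEach-Object { $_.ToString('X2') }) -join '' } else { $hex = ([string]$raw -replace '[^0-9A-Fa-f]', '').ToUpper() }
        if ($hex -like '00DB7FA210??') { Add-Finding 'RPC NetworkAddress prefix 00 DB 7F A2 10' $hex }
    }

    # 2. UAC switched off. The change only applies after a reboot, so it is worth
    #    checking the registry even when the live box still prompts for elevation.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($pol -and $pol.PSObject.Properties['EnableLUA'] -and $pol.EnableLUA -eq 0) {
        Add-Finding 'EnableLUA = 0' 'User Account Control disabled'
    }

    # 3. BHO registrations. On 64-bit Windows a Win32 BHO registers under Wow6432Node,
    #    so both registry views are checked. NoExplorer=1 is also set by legitimate
    #    BHOs, so it is reported with its CLSID and DLL rather than as a hit on its own.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        $parent = Get-ItemProperty $v.Bho -ErrorAction SilentlyContinue
        if ($parent -and $parent.PSObject.Properties['NoExplorer'] -and $parent.NoExplorer -eq 1) {
            Add-Finding 'NoExplorer = 1 on BHO root key' $v.Bho
        }
        Get-ChildItem $v.Bho -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            $dll   = (Get-ItemProperty "$($v.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $leaf = [IO.Path]::GetFileName([Environment]::ExpandEnvironmentVariables($dll.Trim('"'))) } else { $leaf = '<unresolved>' }
            if ($leaf -ieq $BanloadDll) {
                Add-Finding 'Banload BHO registered' "$clsid -> $dll"
            } elseif ($props -and $props.PSObject.Properties['NoExplorer'] -and $props.NoExplorer -eq 1) {
                Add-Finding 'BHO with NoExplorer = 1 (review)' "$clsid -> $leaf"
            }
        }
    }

    # 4. The dropped DLL itself. For a 32-bit dropper the "system folder" is
    #    redirected to SysWOW64 on 64-bit Windows, so both directories are checked.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        $p = Join-Path $dir $BanloadDll
        if (Test-Path -LiteralPath $p) { Add-Finding 'Dropped BHO file present' $p }
    }

    return $findings
}

$hits = @(Get-BanloadHostIndicators)
if ($hits.Count -eq 0) { 'No Banload.AQV indicators found.' } else { $hits | Format-Table -AutoSize }
```

A NoExplorer finding on its own is only a lead, since legitimate toolbars and add-ons set the same flag; the DLL path resolved from the CLSID is what confirms the infection. The script only reads the registry and file system, so it is safe to run during triage before any cleanup.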



Analysis by Daniel Radu

Last update 20 February 2013
