
TrojanDownloader:BAT/Bancos.B


First posted on 22 May 2012.
Source: Microsoft

Aliases:

TrojanDownloader:BAT/Bancos.B is also known as Trojan-Downloader.BAT.Banload.ab (Kaspersky), PWS-Banker!hcx (McAfee).

Explanation:



TrojanDownloader:BAT/Bancos.B is a trojan component of the Win32/Bancos family. It lowers security settings for certain browsers and applications. It can also download arbitrary files into the computer.



Installation

TrojanDownloader:BAT/Bancos.B may have the file name "%TEMP%\antimalware.bat".



Payload

Modifies Internet Explorer settings

TrojanDownloader:BAT/Bancos.B modifies certain Internet Explorer settings:

Disables the warning shown when a bad certificate is received:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonBadCertRecving"
With data: "0"

Disables Windows User Account Control (UAC), which notifies the user when programs try to make changes to the computer:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"

Disables the use of HTTP 1.1:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyHttp1.1"
With data: "0"

Modifies Firefox settings

If Firefox is installed on the computer, TrojanDownloader:BAT/Bancos.B modifies the file "prefs.js", which holds the Firefox settings:

  • Disables automatic and manual updating
  • Sets the autoupdate URL to null
  • Sets proxy to the automatic proxy configuration URL


Lowers Java security

TrojanDownloader:BAT/Bancos.B lowers the Java security settings so that code can run even with Java security disabled.

Downloads arbitrary files

TrojanDownloader:BAT/Bancos.B connects to servers at the following IP addresses to download other files:

  • 113.30.103.253
  • 112.136.179.79


The downloaded file is saved as "%TEMP%\antimalware.exe". TrojanDownloader:BAT/Bancos.B also sets the following registry entry so that the downloaded file runs automatically every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Lives"
With data: "%TEMP%\antimalware.exe"
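As an added example (not part of the Microsoft write-up), the read-only PowerShell audit below checks a host for the registry values, Run entry and dropped file names described on this page; the value names and paths come from the description above, the script logic is my own. It checks HKCU for the user running it, so run it as each account that may have executed the batch file.

```powershell
# Added example, not from the original write-up: audit a host for the
# indicators this page attributes to TrojanDownloader:BAT/Bancos.B.
# Read-only: reports findings and changes nothing.

$checks = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'WarnonBadCertRecving'; Bad = 0; Note = 'bad-certificate warning disabled' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';            Bad = 0; Note = 'UAC disabled' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'ProxyHttp1.1';         Bad = 0; Note = 'HTTP 1.1 disabled' }
)

$findings = @()

# Each of these values can also be set legitimately by an administrator;
# the combination with the Run entry and dropped files is what matters.
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($c.Name) -eq $c.Bad) {
        $findings += "[registry] $($c.Path)\$($c.Name) = $($c.Bad) ($($c.Note))"
    }
}

# Persistence: a Run value named "Windows Lives", or any Run value that
# launches a file called antimalware.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($null -ne $run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'Windows Lives' -or
            ($p.Value -is [string] -and $p.Value -match '(?i)\\antimalware\.exe')) {
            $findings += "[persistence] $runKey\$($p.Name) = $($p.Value)"
        }
    }
}

# Dropped files named in the description.
foreach ($f in 'antimalware.bat', 'antimalware.exe') {
    $path = Join-Path $env:TEMP $f
    if (Test-Path -LiteralPath $path) { $findings += "[file] $path present" }
}

if ($findings.Count -eq 0) { 'No Bancos.B indicators found.' } else { $findings }
```

The Firefox prefs.js and Java changes are not covered here because the page does not give the exact preference names or values that are written.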



Analysis by Jaime Wong

Last update 22 May 2012
