
Trojan-Downloader:W32/Banload.FVQ


First posted on 24 December 2008.
Source: SecurityHome

Aliases:

There are no other names known for Trojan-Downloader:W32/Banload.FVQ.

Explanation:

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

This trojan is hosted on the website http://www.cad-portal.com/includes/[...].php and executes automatically when the user visits the website.

This trojan downloads another trojan onto the system. The downloaded trojan steals the user's internet banking information and is detected as Trojan-Spy.Banbra.RM.

Execution

Upon execution, the trojan creates the file:

  • %temp%\loloolol86.txt

This text file contains the text 'olha'.

The trojan then downloads and executes the binary files:

  • %windir%\system32\innit226.exe
  • %windir%\system32\msnmsgsr.exe

To distract the user from detecting any malicious activity, the trojan also downloads innocuous-looking files from:

  • http://www.paeksan.com/technote/001.jpg
  • http://www.paeksan.com/technote/002.jpg

The first JPEG file, 001.jpg, is renamed to msnmsgsr.exe; the second JPEG file, 002.jpg, is renamed to innit226.exe. Both are renamed using the Windows command prompt and stored in %windir%\system32. Because these files carry the same names as the malicious binary files, they help camouflage the trojan's activity.

Upon successful execution of the trojan, Internet Explorer will open the page http://www.orkut.com, a social networking site.
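The artefacts listed above (the marker text file, the two binaries written to %windir%\system32, the decoy JPEG downloads and the final redirect) can be turned into a simple host-based indicator check. The following is an added example, not code from the original write-up or from the vendor: it matches sandbox- or EDR-style events against the indicators on this page and, for the two executable paths, distinguishes a real PE (MZ header) from a JPEG that was merely renamed to .exe, which is exactly the camouflage the write-up describes. The event dictionary format, the normalise() helper, and the sample events are constructed assumptions; the placeholder filename under /includes/ stands in for the name the write-up elides.

```python
import re

# Indicators taken from the write-up. Environment variables are kept
# symbolic so one rule matches whatever %temp% and %windir% expand to.
MARKER_FILE = r"%temp%\loloolol86.txt"
MARKER_TEXT = b"olha"
DROPPED_EXES = {
    r"%windir%\system32\innit226.exe",
    r"%windir%\system32\msnmsgsr.exe",
}
DECOY_URLS = {
    "http://www.paeksan.com/technote/001.jpg",
    "http://www.paeksan.com/technote/002.jpg",
}
HOSTING_PREFIX = "http://www.cad-portal.com/includes/"  # real filename is elided in the write-up
REDIRECT_URL = "http://www.orkut.com"

JPEG_MAGIC = b"\xff\xd8\xff"  # start of every JFIF/EXIF JPEG
PE_MAGIC = b"MZ"              # DOS stub header of a Windows PE


def normalise(path: str) -> str:
    """Map an expanded Windows path back to the symbolic %windir%/%temp% form.

    Assumption: the event source reports either the expanded path
    (C:\\Windows\\system32\\...) or the symbolic one; both are lower-cased
    because NTFS path matching is case-insensitive.
    """
    p = path.replace("/", "\\").lower()
    p = re.sub(r"^[a-z]:\\windows", "%windir%", p)
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", "%temp%", p)
    p = re.sub(r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp", "%temp%", p)
    return p


def scan_events(events):
    """Return a list of (severity, message) findings for matching events.

    Each event is a constructed dict: {"kind": "file_write", "path": ..., "data": bytes}
    or {"kind": "http_get", "url": ...}.
    """
    findings = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "file_write":
            path = normalise(ev["path"])
            data = ev.get("data", b"")
            if path == MARKER_FILE and data.strip() == MARKER_TEXT:
                findings.append(("high", f"marker file {path} containing 'olha'"))
            elif path in DROPPED_EXES:
                # Same filename is used for both the payload and the decoy;
                # the content magic tells them apart.
                if data.startswith(PE_MAGIC):
                    findings.append(("high", f"{path} is a PE dropped by the downloader"))
                elif data.startswith(JPEG_MAGIC):
                    findings.append(("medium", f"{path} is a JPEG renamed to .exe (decoy)"))
                else:
                    findings.append(("medium", f"{path} written with unrecognised content"))
        elif kind == "http_get":
            url = ev["url"].lower()
            if url in DECOY_URLS:
                findings.append(("low", f"decoy image fetched: {url}"))
            elif url.startswith(HOSTING_PREFIX):
                findings.append(("medium", f"contact with hosting path {url}"))
            elif url.rstrip("/") == REDIRECT_URL:
                findings.append(("info", "browser opened orkut.com after execution"))
    return findings


# Constructed sample trace following the order of events in the write-up.
SAMPLE_EVENTS = [
    {"kind": "http_get", "url": "http://www.cad-portal.com/includes/PLACEHOLDER.php"},
    {"kind": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\loloolol86.txt", "data": b"olha"},
    {"kind": "file_write", "path": r"C:\Windows\system32\innit226.exe", "data": b"MZ\x90\x00\x03"},
    {"kind": "file_write", "path": r"C:\Windows\system32\msnmsgsr.exe", "data": b"MZ\x90\x00\x03"},
    {"kind": "http_get", "url": "http://www.paeksan.com/technote/001.jpg"},
    {"kind": "http_get", "url": "http://www.paeksan.com/technote/002.jpg"},
    {"kind": "file_write", "path": r"C:\Windows\system32\msnmsgsr.exe", "data": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
    {"kind": "file_write", "path": r"C:\Windows\system32\innit226.exe", "data": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
    {"kind": "http_get", "url": "http://www.orkut.com"},
    {"kind": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\notes.txt", "data": b"benign"},
]

if __name__ == "__main__":
    for severity, message in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The magic-byte check is the part worth keeping: a rule that only looks at filenames would rate the renamed JPEGs as seriously as the real payload, while a rule keyed on content lets an analyst separate the decoys from the binaries that actually need to be pulled for analysis.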

This trojan was written in Borland Delphi.

Last update 24 December 2008
