
Trojan:Win32/Banload.AJI


First posted on 01 June 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Banload.AJI.

Explanation:

Trojan:Win32/Banload.AJI is a member of Win32/Banload, a family of trojans that downloads other malware. Banload is usually used to download and install members of the Win32/Banker and Win32/Bancos families onto affected computers. Win32/Banker and Win32/Bancos are trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker.

Installation

When executed, Trojan:Win32/Banload.AJI copies itself to %windir%\q63qv15rfzrv64.exe. The malware modifies the following registry entries to ensure that its copy executes at each Windows start:

Adds value: "AutoMsnSecurity"
With data: "c:\windows\q63qv15rfzrv64.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run

The malware creates the following files on an affected computer:

  • %windir%\q63qv15rfzrv64.log
  • %windir%\q63qv15rfzrv64.txt

Payload

Modifies browser settings

Trojan:Win32/Banload.AJI modifies web browser settings on the infected computer by making the following registry modification:

Adds value: "AutoConfigURL"
With data: ""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Contacts remote host

The malware may contact a remote host at www.cadastramentos.net using port 80. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer
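The two registry changes above (a Run entry pointing at an executable dropped into the Windows directory, and a write to the browser's AutoConfigURL proxy setting) are the host artifacts a defender can look for. The following is an added detection example, not part of the Microsoft description: it runs over constructed Sysmon-style "registry value set" records (the SID, the OneDrive entry and the Winlogon entry are made up for the sample) and goes slightly beyond this one sample by also flagging any Run entry that launches an executable sitting directly in the Windows root, and any AutoConfigURL write regardless of its data, since the description records the value being set to an empty string.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style registry "value set" records (Event ID 13 shape).
# Only the value name, file name and key paths come from the description;
# the SID and the benign entries are made up for this sample.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # persistence entry described for Trojan:Win32/Banload.AJI
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Run\AutoMsnSecurity",
        "Details": r"c:\windows\q63qv15rfzrv64.exe",
    },
    {   # browser proxy auto-config value written with empty data, as described
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL",
        "Details": "",
    },
    {   # benign Run entry (constructed), must not be flagged
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    {   # unrelated value in a different key (constructed), must not be flagged
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "explorer.exe",
    },
]

# Indicators taken from the description: dropped file name and Run value name.
KNOWN_FILE = "q63qv15rfzrv64"
KNOWN_RUN_VALUE = "automsnsecurity"

# Matches a value under the per-user Run key and captures the value name.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
# Matches the AutoConfigURL (proxy auto-config) value under Internet Settings.
PAC_VALUE_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\internet settings\\autoconfigurl$",
    re.IGNORECASE)
# An executable directly in the Windows directory root (not a subfolder);
# legitimate software rarely registers a Run entry like that.
WINDIR_ROOT_EXE_RE = re.compile(
    r'^"?(?:%windir%|%systemroot%|[a-z]:\\windows)\\[^\\"]+\.exe"?(?:\s|$)', re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one registry value-set record."""
    target = event["TargetObject"]
    data = event["Details"]
    findings: List[Tuple[str, str]] = []
    run_match = RUN_KEY_RE.search(target)
    if run_match:
        value_name = run_match.group(1)
        if value_name.lower() == KNOWN_RUN_VALUE or KNOWN_FILE in data.lower():
            findings.append(("high", f"known Banload.AJI Run entry {value_name!r} -> {data!r}"))
        elif WINDIR_ROOT_EXE_RE.match(data):
            findings.append(("medium",
                             f"Run entry {value_name!r} launches an exe from the Windows root: {data!r}"))
    elif PAC_VALUE_RE.search(target):
        # Flag any write, including empty data: the setting itself changing is the signal.
        findings.append(("medium",
                         f"AutoConfigURL set (data {data!r}); browser proxy auto-config changed"))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_event over a batch of records and collect a flat report."""
    report: List[Dict[str, str]] = []
    for ev in events:
        for severity, message in classify_event(ev):
            report.append({"severity": severity, "message": message, "target": ev["TargetObject"]})
    return report


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['message']}")
```

On the sample, the Run entry is reported as high (name and file both match the description) and the AutoConfigURL write as medium; the OneDrive and Winlogon records produce nothing. The Windows-root check is a heuristic and will need an allow-list on hosts where an administrator has legitimately placed tools there.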

This malware description was produced and published using our automated analysis system's examination of file SHA1 f4a33faab64d9d08f2de940ecbbc8f0fa97e942b.

Last update 01 June 2012
