TrojanDownloader:Win32/Raemnk.A
First posted on 07 August 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Raemnk.A is also known as Trojan.Win32.BHO.cfrx (Kaspersky).
Explanation:
TrojanDownloader:Win32/Banload.ANE is a trojan that downloads arbitrary files, which may be other malware, onto your computer. It also changes certain computer settings.
Installation
TrojanDownloader:Win32/Banload.ANE may arrive on your computer under various file names.
It makes the following registry changes as part of its installation process:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Sets value: "(default)"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Sets value: "(default)"
With data: "0"
In subkey: HKCU\AppEvents\Schemes\Apps\Explorer\Navigating
Sets value: ".Default"
With data: "0"
Payload
Changes your computer's settings
TrojanDownloader:Win32/Banload.ANE changes the following settings in your computer:
Disables Least user access (LUA), that is, User Account Control (UAC):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Prevents a Browser helper object (BHO) from being loaded in "Explorer.exe" (the BHO still loads in Internet Explorer):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Sets value: "NoExplorer"
With data: "1"
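To check a host for the registry artefacts listed under Installation and Payload above, here is an added PowerShell snippet; it is not part of Microsoft's description. It enumerates the CLSID subkeys the text elides rather than guessing them, and the Wow6432Node path is an addition for 32-bit BHOs registered on 64-bit Windows.

```powershell
# Added example, not from the original advisory: report which of the registry
# changes attributed to this trojan are present on the local host.
# Run from an elevated PowerShell prompt so the HKLM policy keys are readable.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Path, [string]$Name, $Data, [string]$Note) {
    $findings.Add([pscustomobject]@{ Path = $Path; Name = $Name; Data = $Data; Note = $Note })
}

# Report a single value if the key exists and the data matches what the text describes.
function Test-RegValue([string]$Path, [string]$Name, [string]$Expected, [string]$Note) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name -and "$($item.$Name)" -eq $Expected) {
        Add-Finding $Path $Name $item.$Name $Note
    }
}

# Apply Test-RegValue to every subkey of a parent (for keys whose CLSID the text omits).
function Test-RegSubkeys([string]$Parent, [string]$Name, [string]$Expected, [string]$Note) {
    if (-not (Test-Path -LiteralPath $Parent)) { return }
    Get-ChildItem -LiteralPath $Parent -ErrorAction SilentlyContinue | ForEach-Object {
        Test-RegValue $_.PSPath $Name $Expected $Note
    }
}

# Installation artefacts
Test-RegValue   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID' '(default)' '1' 'IE add-on policy key default set to 1'
Test-RegSubkeys 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'     '(default)' '0' 'Pre-approved add-on entry with default 0'
Test-RegValue   'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating'                    '.Default'  '0' 'Explorer navigation sound scheme altered'

# Payload: User Account Control (EnableLUA) disabled system-wide
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' '0' 'User Account Control disabled'

# Payload: a BHO flagged NoExplorer=1 (64-bit and, as an addition, 32-bit registrations)
foreach ($bho in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    Test-RegSubkeys $bho 'NoExplorer' '1' 'BHO hidden from Explorer.exe; review its CLSID and DLL'
}

if ($findings.Count -eq 0) { 'No matching registry artefacts found.' }
else { $findings | Format-Table -AutoSize }
```

A NoExplorer=1 entry or EnableLUA=0 on its own is not proof of infection, since legitimate software and administrators sometimes set them; treat each finding as something to review alongside the BHO's DLL path and the downloaded file names listed below.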
Downloads arbitrary files
TrojanDownloader:Win32/Banload.ANE downloads files from the following servers using either port 80 or 1433 (1433 is the default Microsoft SQL Server port, and the hostnames are Amazon RDS database endpoints):
- pool-l.cxszqssh9vg7.us-east-1.rds.amazonaws.com
- poolappl.cxszqssh9vg7.us-east-1.rds.amazonaws.com
- updateppl0t.clbih04y9blg.eu-west-1.rds.amazonaws.com
It saves downloaded files as any of the following:
- attf.exe
- doc.intimacao.exe
- iaf.exe
- nmf.exe
As of this writing, the servers are unavailable.
Analysis by Edgardo Diaz
Last update 07 August 2012