
TrojanDownloader:Win32/Raemnk.A


First posted on 07 August 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Raemnk.A is also known as Trojan.Win32.BHO.cfrx (Kaspersky).

Explanation:

TrojanDownloader:Win32/Banload.ANE is a trojan that downloads arbitrary files, which may be other malware, onto your computer. It also changes certain computer settings.



Installation

TrojanDownloader:Win32/Banload.ANE may arrive on your computer under various file names.

It makes the following registry changes as part of its installation process:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Sets value: "(default)"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Sets value: "(default)"
With data: "0"

In subkey: HKCU\AppEvents\Schemes\Apps\Explorer\Navigating
Sets value: ".Default"
With data: "0"



Payload

Changes your computer's settings

TrojanDownloader:Win32/Banload.ANE changes the following settings in your computer:

Disables Least user access (LUA):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

Prevents a Browser helper object (BHO) from being loaded in "Explorer.exe":
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Sets value: "NoExplorer"
With data: "1"
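The registry values listed under Installation and Payload above are the host-side indicators a responder can check for. The following PowerShell script is an added example, not part of the Microsoft entry, that reads each listed value and reports the ones whose data matches the entry. It assumes Windows PowerShell 5.1 or PowerShell 7 with read access to HKLM and HKCU, compares DWORD and string data as text, and, for the two entries whose subkey path is cut off in the entry (PreApproved\ and Browser Helper Objects\), checks every child key of the named parent instead of guessing the missing CLSID. The function and variable names are the example's own.

```powershell
# Added example, not part of the Microsoft encyclopedia entry: audit the registry
# values the entry attributes to this trojan and report any that match.
# Assumptions (not stated by the entry): Windows PowerShell 5.1 or PowerShell 7,
# read access to HKLM and HKCU, values stored as DWORD or string (compared as
# text), and 32-bit paths only (Wow6432Node is not covered).

# Values written to a key the entry names exactly; these are read directly.
$fixedIndicators = @(
    @{ Key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Data = '0'
       Note = 'User Account Control (LUA) disabled' },
    @{ Key  = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
       Name = ''; Data = '1'          # '' addresses the (default) value
       Note = 'Policies\Ext\CLSID (default) set to 1' },
    @{ Key  = 'HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating'
       Name = '.Default'; Data = '0'
       Note = 'Explorer "Navigating" sound scheme silenced' }
)

# Values the entry places under an unnamed child key (its path ends in "\"),
# so every child of the named parent key is checked rather than one guessed CLSID.
$childIndicators = @(
    @{ Parent = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'
       Name = ''; Data = '0'
       Note = 'pre-approved ActiveX/BHO entry with (default) = 0' },
    @{ Parent = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Name = 'NoExplorer'; Data = '1'
       Note = 'BHO flagged NoExplorer = 1 (not loaded in Explorer.exe)' }
)

function Test-RaemnkRegistryIndicators {
    # Returns one object per matching indicator; an empty result means none matched.
    $findings = @()

    foreach ($i in $fixedIndicators) {
        # Registry.GetValue returns the third argument when the key or value is absent.
        $actual = [Microsoft.Win32.Registry]::GetValue($i.Key, $i.Name, $null)
        if ($null -ne $actual -and "$actual" -eq $i.Data) {
            $findings += [pscustomobject]@{
                Key = $i.Key; Name = $i.Name; Data = "$actual"; Note = $i.Note
            }
        }
    }

    foreach ($i in $childIndicators) {
        # Get-ChildItem on the registry provider yields RegistryKey objects;
        # a missing parent key simply produces no children.
        foreach ($child in (Get-ChildItem -Path $i.Parent -ErrorAction SilentlyContinue)) {
            $actual = $child.GetValue($i.Name)   # GetValue('') reads the (default) value
            if ($null -ne $actual -and "$actual" -eq $i.Data) {
                $findings += [pscustomobject]@{
                    Key = $child.Name; Name = $i.Name; Data = "$actual"; Note = $i.Note
                }
            }
        }
    }
    return $findings
}

# Wrap in @() so an empty return still has a Count of 0.
$results = @(Test-RaemnkRegistryIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No registry indicators from the entry were found.'
} else {
    $results | Format-Table -AutoSize
}
```

Treat a single hit as a lead rather than a verdict: EnableLUA = 0 is also what an administrator gets by turning UAC off, and NoExplorer = 1 is a documented flag that legitimate BHOs set so they load only in Internet Explorer. The combination of several of these values with the file names or hostnames listed under Payload is what makes the finding worth escalating.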

Downloads arbitrary files

TrojanDownloader:Win32/Banload.ANE downloads files from the following servers using either port 80 or 1433:

  • pool-l.cxszqssh9vg7.us-east-1.rds.amazonaws.com
  • poolappl.cxszqssh9vg7.us-east-1.rds.amazonaws.com
  • updateppl0t.clbih04y9blg.eu-west-1.rds.amazonaws.com


It saves downloaded files as any of the following:

  • attf.exe
  • doc.intimacao.exe
  • iaf.exe
  • nmf.exe


As of this writing, the servers are unavailable.



Analysis by Edgardo Diaz

Last update 07 August 2012
