TrojanDownloader:Win32/Banload.AIB
First posted on 31 January 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Banload.AIB is also known as Trojan.Win32.Genome.aaikq (Kaspersky), Trojan.ADH.2 (Symantec).
Explanation:
TrojanDownloader:Win32/Banload.AIB is a trojan that downloads and runs other malware. The Win32/Banload trojan downloads malware that usually belongs to the Win32/Banker or Win32/Bancos families. These downloaded trojans steal banking credentials and other sensitive data, and send them back to a remote attacker.
Installation
As part of its installation process, TrojanDownloader:Win32/Banload.AIB creates the following files on your computer:
- %Windir%\<file name>.bat
- %Windir%\<file name>.exe
- %Windir%\<file name>.pps
In the wild, we have observed <file name> as any of the following:
- jesusemais
- Salvacion
- Salvitur
When it runs, TrojanDownloader:Win32/Banload.AIB loads the <file name>.bat file, which opens and displays the PowerPoint presentation <file name>.pps, at the same time running the executable file <file name>.exe in the background.
Payload
Downloads arbitrary files
TrojanDownloader:Win32/Banload.AIB downloads the following configuration file, which contains a list of locations from which to download other, potentially malicious, files:
- http://dl.dropbox.com/u/52582137/<removed>.txt (path ending in <random number>/config.txt)
The following is a list of files the trojan has been observed downloading:
- camposbijus<removed>/purais/aliont.cdc
- camposbijus<removed>/purais/criosres.cdc
- camposbijus<removed>/purais/eliot.cdc
- camposbijus<removed>/purais/helino.cdc
- camposbijus<removed>/purais/krauser.cdc
- camposbijus<removed>/purais/moria.cdc
- camposbijus<removed>/purais/siones.cdc
Note: At the time of writing, these URLs were no longer available.
Once downloaded, TrojanDownloader:Win32/Banload.AIB may save these files as the following:
- Helper.dll
- Lardes.exe
- Leader.exe
- Milos.exe
- Shuokl.exe
- Slkyb.exe
- Svtxyse.exe
Displays a PowerPoint presentation
In the wild, this trojan has been observed displaying a PowerPoint presentation, possibly to prevent you from noticing its presence.
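A defender-side triage check for the artefact pattern described in the Installation and Payload sections, as an added example that is not part of the original write-up: it looks for a .bat/.exe/.pps triad sharing one file name in a directory listing and for the drop names listed above. The sample listing is constructed, and `scan_windir` and the other function names are this example's own.

```python
import os
from collections import defaultdict

# Artefact names taken from the description above (compared case-insensitively).
KNOWN_STEMS = {"jesusemais", "salvacion", "salvitur"}
KNOWN_PAYLOADS = {"helper.dll", "lardes.exe", "leader.exe", "milos.exe",
                  "shuokl.exe", "slkyb.exe", "svtxyse.exe"}
TRIAD = {".bat", ".exe", ".pps"}


def find_triads(filenames):
    """Return stems that appear with all three of .bat/.exe/.pps (case-insensitive)."""
    exts = defaultdict(set)
    for name in filenames:
        stem, ext = os.path.splitext(os.path.basename(name))
        exts[stem.lower()].add(ext.lower())
    return sorted(stem for stem, found in exts.items() if TRIAD <= found)


def triage(filenames):
    """Return (triads, known_stem_hits, payload_hits) for a directory listing."""
    triads = find_triads(filenames)
    lower = {os.path.basename(n).lower() for n in filenames}
    known = sorted(s for s in triads if s in KNOWN_STEMS)
    payloads = sorted(n for n in lower if n in KNOWN_PAYLOADS)
    return triads, known, payloads


def scan_windir(windir=None):
    """Run triage over the top level of %Windir% (hypothetical helper, read-only)."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    try:
        names = os.listdir(windir)
    except OSError:
        names = []  # not on Windows or no access: report nothing rather than fail
    return triage(names)


# Constructed sample listing (not a real capture): legitimate files plus the pattern.
SAMPLE_LISTING = ["explorer.exe", "notepad.exe", "win.ini",
                  "Salvacion.bat", "Salvacion.exe", "Salvacion.pps",
                  "report.pps", "report.exe", "Leader.exe", "Helper.dll"]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

A stem with only two of the three extensions (like `report` in the sample) is deliberately not reported, since the .bat/.exe/.pps trio is what distinguishes this installer from ordinary files.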
Analysis by Jeong Mun
Last update 31 January 2013