TrojanDownloader:Win32/Banload.AIB


First posted on 31 January 2013.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Banload.AIB is also known as Trojan.Win32.Genome.aaikq (Kaspersky), Trojan.ADH.2 (Symantec).

Explanation:



TrojanDownloader:Win32/Banload.AIB is a trojan that downloads and runs other malware. The malware that Win32/Banload trojans download usually belongs to the Win32/Banker or Win32/Bancos families. These downloaded trojans steal banking credentials and other sensitive data, and send them to a remote attacker.



Installation

As part of its installation process, TrojanDownloader:Win32/Banload.AIB creates the following files on your computer:

  • %Windir%\<file name>.bat
  • %Windir%\<file name>.exe
  • %Windir%\<file name>.pps


In the wild, we have observed <file name> as any of the following:

  • jesusemais
  • Salvacion
  • Salvitur


When it runs, TrojanDownloader:Win32/Banload.AIB loads the <file name>.bat file, which opens and displays the PowerPoint presentation <file name>.pps, at the same time running the executable file <file name>.exe in the background.
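
The installation pattern described above (a .bat, .exe and .pps file sharing one name directly under %Windir%) can be hunted for in a file listing. The Python below is an added example, not part of the Microsoft write-up; the function name, the input format (a list of full Windows paths, such as an exported directory listing) and the sample paths are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# File names the page lists as observed in the wild (lower-cased).
OBSERVED_STEMS = {"jesusemais", "salvacion", "salvitur"}
# The three extensions the installer creates under one shared name.
DROP_EXTS = {".bat", ".exe", ".pps"}


def find_drop_triplets(paths, windir=r"C:\Windows"):
    """Return one finding per file name that has .bat, .exe and .pps
    siblings directly inside windir (subfolders are ignored)."""
    root = ntpath.normcase(ntpath.normpath(windir))
    seen = defaultdict(set)  # lower-cased name -> extensions seen
    for path in paths:
        folder, name = ntpath.split(ntpath.normpath(path))
        if ntpath.normcase(folder) != root:
            continue
        stem, ext = ntpath.splitext(name)
        seen[stem.lower()].add(ext.lower())
    return [
        {"stem": stem, "known_name": stem in OBSERVED_STEMS}
        for stem, exts in sorted(seen.items())
        if DROP_EXTS <= exts
    ]


# Constructed sample listing, not taken from a real system.
SAMPLE = [
    r"C:\Windows\Salvitur.bat",
    r"C:\Windows\Salvitur.exe",
    r"C:\Windows\SALVITUR.PPS",          # case differences must not matter
    r"C:\Windows\notepad.exe",           # single file, no siblings
    r"C:\Windows\report.bat",
    r"C:\Windows\report.exe",
    r"C:\Windows\report.pps",            # unlisted name, same pattern
    r"C:\Windows\System32\jesusemais.bat",  # wrong folder, ignored
]

if __name__ == "__main__":
    for finding in find_drop_triplets(SAMPLE):
        print(finding)
```

A hit with `known_name` set to false still matches the file pattern and is worth reviewing, since the page lists only the names observed at the time of writing.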



Payload

Downloads arbitrary files

TrojanDownloader:Win32/Banload.AIB downloads the following configuration file, which contains a list of locations from which to download other, potentially malicious, files:

http://dl.dropbox.com/u/52582137/<removed>.txt

The following is a list of files the trojan has been observed downloading:

  • camposbijus<removed>/purais/aliont.cdc
  • camposbijus<removed>/purais/criosres.cdc
  • camposbijus<removed>/purais/eliot.cdc
  • camposbijus<removed>/purais/helino.cdc
  • camposbijus<removed>/purais/krauser.cdc
  • camposbijus<removed>/purais/moria.cdc
  • camposbijus<removed>/purais/siones.cdc


Note: At the time of writing, these URLs were no longer available.

Once downloaded, TrojanDownloader:Win32/Banload.AIB may save these files as the following:

  • Helper.dll
  • Lardes.exe
  • Leader.exe
  • Milos.exe
  • Shuokl.exe
  • Slkyb.exe
  • Svtxyse.exe


Displays a PowerPoint presentation

In the wild, this trojan has been observed displaying a PowerPoint presentation, possibly to prevent you from noticing its presence.





Analysis by Jeong Mun

Last update 31 January 2013

 
