TrojanDownloader:Win32/Banload.ARY
First posted on 30 April 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Banload.ARY is also known as Downloader/Win32.Banload (AhnLab), Trojan horse Downloader.Banload.CLEL (AVG), Win32/TrojanDownloader.Banload.RXB trojan (ESET), Trojan-Downloader.Win32.Banload (Ikarus), RDN/PWS-Banker!bj (McAfee), Mal/Banload-AB (Sophos).
Explanation:
Installation
This trojan might be dropped or downloaded into your computer by other malware. It usually has the file extension .CPL.
Payload
Downloads other malware
This trojan downloads a .ZIP file into your computer as "%APPDATA%\temp.zip". It might download this file from the website "informakl.p.ht" through port 80 or port 1433.
It then extracts the contents of this .ZIP file using a hardcoded password. The file contained within the .ZIP file is usually detected as a member of the Win32/Bancos family and might have any of these file names:
- libmysql.dll
- lock.txt
- resolver.exe
- skypphone.exe
- uber.txt
TrojanDownloader:Win32/Banload.ARY then makes the following change in your system registry, so that the extracted file automatically runs every time Windows starts:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "inicializar"
With data: "%AppData%\<malware name>"
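As an added triage example (not part of the original write-up), the following Python parses a `reg export` dump of the HKCU Run key and flags entries that match the persistence indicators described above: the value name "inicializar", or data under %AppData% naming one of the listed drop files. The sample .reg text, including the user name "alice", is constructed for illustration.

```python
import re
from typing import Dict, List

# .reg exports spell HKCU out as HKEY_CURRENT_USER.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_VALUE_NAME = "inicializar"
# Drop names listed above for the extracted Win32/Bancos component.
DROP_NAMES = {"libmysql.dll", "lock.txt", "resolver.exe", "skypphone.exe", "uber.txt"}

# Constructed sample export (hypothetical user "alice"): one benign entry and two matches.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"inicializar"="C:\\Users\\alice\\AppData\\Roaming\\resolver.exe"
"updater"="%AppData%\\skypphone.exe"
'''
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: data} for the Run key of a .reg export, unescaped."""
    values: Dict[str, str] = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:  # reg export escapes '\' as '\\' and '"' as '\"'; undo both in one pass
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values

def exe_path(data: str) -> str:
    """Program path from Run-key data, without any arguments."""
    data = data.strip()
    return data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]

def flag_autorun(values: Dict[str, str]) -> List[str]:
    """Names of Run entries matching the Banload.ARY persistence indicators."""
    hits: List[str] = []
    for name, data in values.items():
        exe = exe_path(data)
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        in_appdata = exe.lower().startswith("%appdata%") or "\\appdata\\" in exe.lower()
        if name.lower() == SUSPICIOUS_VALUE_NAME or (in_appdata and base in DROP_NAMES):
            hits.append(name)
    return hits
```

Run `flag_autorun(parse_run_values(SAMPLE_REG))` to see the two constructed matches; on a live host, feed it the output of `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`.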
Steals sensitive information
This trojan might steal information about your computer, such as the computer name, user name, Windows version, and so on. It then sends this information to a remote server.
Analysis by Alden Pornasdoro
Last update 30 April 2013