TROJ_BANLOAD.HTY
RDN/PWS-Banker!bv (McAfee), W32/Banload.RXB!tr.dldr (Fortinet), a variant of Win32/TrojanDownloader.Banload.SAH trojan (ESET),
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://{BLOCKED}costa009.com/winmicro.gif
It saves the files it downloads using the following names:
- %AppDataLocal%\winmicro.zip
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)
It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
NOTES:
In the same directory (%AppDataLocal%), it extracts the following contents of the .ZIP file:
- libmysql.dll
- winmicrosoft.exe