Threat behavior
TrojanDownloader:Win32/Banload is the Microsoft detection for a family of trojans that download other malware. The downloaded files are usually members of the Win32/Banker family: trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload drops two files on the system, both of which are also detected as TrojanDownloader:Win32/Banload. The file names vary by variant, for example:
- %TEMP%\drvrnet.exe
- <system folder>\542745.dll
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It then launches its dropped EXE file.
It also modifies the system registry so that its dropped EXE file appears to be a legitimate Windows application, for example:
Adds value: "drvrnet"
With data: "%TEMP%\drvrnet.exe"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Because the shell writes MUICache entries when an executable is launched, this value is also evidence that the dropped file has actually run on the system.
Payload
Downloads and Installs Additional Malware
Files detected as TrojanDownloader:Win32/Banload can download other malware by connecting to remote servers, usually over HTTP or FTP. The downloaded files are usually members of the Win32/Banker family: trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.
Modifies Internet Settings
TrojanDownloader:Win32/Banload modifies the system's Internet settings in the registry. The ProxyBypass value under ZoneMap corresponds to the Internet Explorer option "Include all sites that bypass the proxy server" for the Local intranet zone, so sites that bypass the proxy are treated with that zone's lower security settings:
Adds value: "ProxyBypass"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
On its own this is a weak indicator, since the same value is set by an ordinary user-level Internet Explorer setting; it is meaningful mainly in combination with the dropped files and the MUICache entry above.
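The following host triage script is an added example, not code from Microsoft or from this write-up. It checks a live Windows host for the artifacts listed in the Installation and Payload sections: the two dropped file paths, the MUICache entry for drvrnet.exe, and the ZoneMap ProxyBypass value. The file names are the example names from the write-up and will differ for other variants; the second MUICache location (under HKCU\Software\Classes, where Windows Vista and later keep the same cache) and the SHA256 hashing of any file found are assumptions added here.

```powershell
# Added triage example for the Banload artifacts described in this write-up.
# Not Microsoft's code. File names are the example names from the write-up;
# the Vista+ MUICache key and the hashing step are assumptions (see comments).

$findings = @()

# 1. Dropped files. <system folder> is resolved from the environment rather than
#    hard-coded, because the write-up notes it varies by Windows version.
$sysDir = Join-Path $env:SystemRoot 'System32'
$dropPaths = @(
    (Join-Path $env:TEMP 'drvrnet.exe'),
    (Join-Path $sysDir '542745.dll')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        # Assumption: hashing the file so the result can be matched against AV telemetry.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "Dropped file present: $p (SHA256 $hash)"
    }
}

# 2. MUICache entry for the dropped EXE. ShellNoRoam\MUICache is the Windows XP
#    location given in the write-up; the Shell\MuiCache key under HKCU\Software\Classes
#    is where Vista and later keep the same cache (assumption: checked as well).
#    Both the value name and the data are matched, since the key stores the path in
#    either position depending on the Windows version.
$muiKeys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
)
foreach ($k in $muiKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # skip PSPath, PSDrive, etc.
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $value = [string]$props.$name
            if ($name -match 'drvrnet' -or $value -match 'drvrnet\.exe') {
                $findings += "MUICache entry: $k -> '$name' = '$value'"
            }
        }
    }
}

# 3. ZoneMap ProxyBypass = 1. Weak on its own (a normal IE setting), so it is
#    reported but only worth acting on alongside the file or MUICache hits.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$zone = Get-ItemProperty -LiteralPath $zoneKey -ErrorAction SilentlyContinue
if ($zone -and $zone.PSObject.Properties['ProxyBypass'] -and [int]$zone.ProxyBypass -eq 1) {
    $findings += "ZoneMap ProxyBypass = 1 at $zoneKey (weak indicator by itself)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Banload artifacts from the write-up were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it in the context of the user whose profile is being examined, since every registry location checked lives under HKCU; running it from another account, or elevated under a different user, will miss the entries. For an offline disk image, load the user's NTUSER.DAT under HKU with reg load and adjust the HKCU: paths accordingly.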
Analysis by Jireh Sanico
Prevention