
TrojanDownloader:Win32/Banload.SG


First posted on 13 September 2011.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Banload.SG is also known as Downloader.Banload.BCTB (AVG), Win32/TrojanDownloader.Banload.PRB trojan (ESET).

Explanation:

TrojanDownloader:Win32/Banload.SG is a trojan that downloads and executes other files from a remote server.


Installation

TrojanDownloader:Win32/Banload.SG may be installed by other malware or downloaded from the Internet. When run, it checks the Windows system language setting and continues to run only if the language is Portuguese; otherwise, it terminates itself.



Payload

Downloads and runs other files

TrojanDownloader:Win32/Banload.SG attempts to download binary files from the server located at "212.124.118.88".

Note that as of this writing, the server was unavailable.

It then saves the downloaded files as any of the following:

  • C:\systeam\sysn.cpl
  • C:\systeam\sysr.cpl
  • C:\systeam\sysp.cpl
  • C:\systeam\sysi.cpl


It then loads these files by running the following commands:

  • RunDLL32.exe Shell32.DLL, Control_RunDLL C:\systeam\sysn.cpl
  • RunDLL32.exe Shell32.DLL, Control_RunDLL C:\systeam\sysr.cpl
  • RunDLL32.exe Shell32.DLL, Control_RunDLL C:\systeam\sysr2.cpl
  • RunDLL32.exe Shell32.DLL, Control_RunDLL C:\systeam\sysp.cpl
  • RunDLL32.exe Shell32.DLL, Control_RunDLL C:\systeam\sysi.cpl


It then creates the following registry entries so that its downloaded files automatically run every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysi"
With data: "C:\systeam\sysi.cpl"

or

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysn"
With data: "C:\systeam\sysn.cpl"

or

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysp"
With data: "C:\systeam\sysp.cpl"

or

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysr"
With data: "C:\systeam\sysr.cpl"

or

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysr2"
With data: "C:\systeam\sysr2.cpl"
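As a defender-side example added here (not part of the original write-up), the following Python check flags the two behaviours described above in process-creation and registry telemetry: a rundll32 Control_RunDLL load of a .cpl from C:\systeam (or from anywhere outside System32), and an HKCU Run value pointing at a .cpl in that directory. The sample events and the assumption that the system root is C:\Windows are constructed.

```python
import re

# Indicators taken from the write-up above (lower-cased for comparison).
DROP_DIR = r"c:\systeam"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SYSTEM32 = r"c:\windows\system32"   # assumption: default system root

# Matches "rundll32[.exe] shell32.dll,Control_RunDLL <file>.cpl", tolerant of case,
# spacing around the comma, and a double-quoted path.
CONTROL_RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+shell32\.dll\s*,\s*control_rundll\s+'
    r'(?P<cpl>"[^"]+\.cpl"|\S+\.cpl)',
    re.IGNORECASE,
)

def check_command_line(cmd):
    """Return a finding if cmd loads a .cpl through Control_RunDLL from a suspicious place."""
    m = CONTROL_RUNDLL.search(cmd)
    if not m:
        return None
    cpl = m.group("cpl").strip('"').lower()
    if cpl.startswith(DROP_DIR + "\\"):
        return "Banload.SG drop directory loaded as CPL: " + cpl
    if not cpl.startswith(SYSTEM32 + "\\"):
        return "Control_RunDLL of a CPL outside System32: " + cpl
    return None

def check_run_value(key, name, data):
    """Return a finding if an HKCU Run value points at a .cpl in the drop directory."""
    data = data.strip('"').lower()
    if key.lower() == RUN_KEY and data.startswith(DROP_DIR + "\\") and data.endswith(".cpl"):
        return "Run-key persistence %r -> %s" % (name, data)
    return None

# Constructed sample telemetry (not from the write-up): process and registry events.
SAMPLE_EVENTS = [
    ("process", r"RunDLL32.exe Shell32.DLL, Control_RunDLL C:\systeam\sysr2.cpl"),
    ("process", r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"),
    ("process", r"notepad.exe C:\Users\alice\notes.txt"),
    ("registry", (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sysi", r"C:\systeam\sysi.cpl")),
    ("registry", (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\alice\OneDrive.exe")),
]

def scan(events):
    """Run both checks over (kind, payload) events and collect the findings."""
    findings = []
    for kind, payload in events:
        hit = check_command_line(payload) if kind == "process" else check_run_value(*payload)
        if hit:
            findings.append(hit)
    return findings
```

Running `scan(SAMPLE_EVENTS)` returns two findings for the constructed input: the sysr2.cpl load and the sysi Run value; the legitimate timedate.cpl load and the OneDrive entry are not flagged.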



Analysis by Jonathan San Jose

Last update 13 September 2011
