
TrojanDownloader:Win32/Banload.ZDT


First posted on 30 March 2012.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Banload.ZDT is also known as W32/Delfloader.B.gen!Eldorado (CA), Trojan horse Downloader.Banload.BUUC (AVG), TROJ_SWISYN.KZ (Trend Micro).

Explanation :

TrojanDownloader:Win32/Banload.ZDT is a trojan that may be distributed as a self-extracting executable that, while displaying an HTML page, also downloads and executes malware detected as variants of Win32/Bancos.





Installation

TrojanDownloader:Win32/Banload.ZDT may be distributed as a self-extracting WinRAR archive. When run, it extracts the following files:

  • %ProgramData%\ini.bat - batch file that runs automatically once extraction finishes; it launches the malware file "explore.exe"
  • %ProgramData%\dietadosexo.html - HTML page that contains an image with the heading "Dieta do Sexo"
  • %ProgramData%\explore.exe - TrojanDownloader:Win32/Banload.ZDT


It also writes the following registry value, which names the native programs (normally only autochk, the boot-time disk checker) that the Session Manager runs before the rest of Windows starts. The data written is the Windows default for this value, so this write on its own neither establishes persistence nor changes boot behaviour; an unexpected program appended to it would:

In subkey: HKLM\SYSTEM\ControlSet001\Control\Session Manager
Sets value: "BootExecute"
With data: "autocheck autochk *"

It also creates the following registry entry so that the extracted file "explore.exe" automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Puxpop"
With data: "%ProgramData%\explore.exe"
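The installation artifacts above are easiest to act on as host-telemetry checks. The following is an added example, not code from the original page or from Microsoft's analysis: it runs a few rules over constructed, Sysmon-like registry and file events (a hypothetical record schema, with %ProgramData% assumed to expand to C:\ProgramData) and treats the two registry writes differently, since "autocheck autochk *" is the stock data for BootExecute and carries no persistence on its own, whereas the Run value does. Two generic heuristics (autoruns pointing into ProgramData, runnables dropped into the ProgramData root) are included alongside the exact indicators.

```python
"""Rules for the Banload.ZDT installation artifacts described above.

Added example, not part of the original page or Microsoft's analysis. Events
are constructed, Sysmon-like dicts with a hypothetical schema:
    {"type": "registry_set", "key": ..., "value": ..., "data": ...}
    {"type": "file_create",  "path": ...}
Event paths are assumed already expanded (C:\\ProgramData, not %ProgramData%).
"""
from __future__ import annotations

PROGRAMDATA = r"C:\ProgramData"  # assumed expansion of %ProgramData%


def norm(path: str) -> str:
    """Strip quotes, expand %ProgramData%, case-fold: lets IOCs and events compare."""
    p = path.strip().strip('"')
    if p.lower().startswith("%programdata%"):
        p = PROGRAMDATA + p[len("%programdata%"):]
    return p.lower()


# Indicators exactly as the description above gives them, normalised once.
DROPPED_FILES = {norm(p) for p in (
    r"%ProgramData%\ini.bat",
    r"%ProgramData%\dietadosexo.html",
    r"%ProgramData%\explore.exe",
)}
RUN_KEY = norm(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
RUN_VALUE_NAME = "Puxpop"
BOOT_EXECUTE_KEY = norm(r"HKLM\SYSTEM\ControlSet001\Control\Session Manager")
# Stock Windows data for BootExecute. The sample writes exactly this string, so
# the write is only informational; the Run value is the actual persistence.
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"


def check_registry_set(ev: dict) -> list[tuple[str, str]]:
    """(severity, reason) findings for one registry value-set event."""
    key, name, data = norm(ev["key"]), ev["value"], ev["data"]
    findings: list[tuple[str, str]] = []
    if key == RUN_KEY:
        if name == RUN_VALUE_NAME:
            findings.append(("high", f"Run value {name!r} is the Banload.ZDT IOC"))
        if norm(data).startswith(norm(PROGRAMDATA) + "\\"):
            # Generic heuristic: an autorun pointing into a user-writable data folder.
            findings.append(("medium", f"Run value {name!r} launches {data} from ProgramData"))
    elif key == BOOT_EXECUTE_KEY and name == "BootExecute":
        if data.strip().lower() == DEFAULT_BOOT_EXECUTE:
            findings.append(("info", "BootExecute rewritten with the Windows default data"))
        else:
            findings.append(("high", f"BootExecute changed to {data!r}"))
    return findings


def check_file_create(ev: dict) -> list[tuple[str, str]]:
    """(severity, reason) findings for one file-create event."""
    path = norm(ev["path"])
    findings: list[tuple[str, str]] = []
    if path in DROPPED_FILES:
        findings.append(("high", f"dropped file {ev['path']} is a Banload.ZDT IOC"))
    folder, _, name = path.rpartition("\\")
    if folder == norm(PROGRAMDATA) and name.endswith((".exe", ".bat")):
        # Generic heuristic: self-extractors dumping runnables into the ProgramData root.
        findings.append(("medium", f"runnable {name} created in the ProgramData root"))
    return findings


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every event through the rule matching its type."""
    out: list[tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "registry_set":
            out.extend(check_registry_set(ev))
        elif ev["type"] == "file_create":
            out.extend(check_file_create(ev))
    return out


# Constructed telemetry mirroring the installation sequence above, plus a benign
# Run value to show that ordinary autoruns are not flagged.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\ini.bat"},
    {"type": "file_create", "path": r"C:\ProgramData\dietadosexo.html"},
    {"type": "file_create", "path": r"C:\ProgramData\explore.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SYSTEM\ControlSet001\Control\Session Manager",
     "value": "BootExecute", "data": "autocheck autochk *"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Puxpop", "data": r"C:\ProgramData\explore.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Running the block against the constructed events yields one informational finding for the BootExecute write and high-severity findings for the Run value and the three dropped files, while the benign OneDrive autorun produces nothing. On a real host the same rules would be fed from the Sysmon operational log after mapping its fields onto the schema assumed here.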



Payload

Downloads arbitrary files

TrojanDownloader:Win32/Banload.ZDT connects to the server "professorklinger.kinghost.net" to download arbitrary files. The files observed are requested under media-file names and written to disk as executables, including the following:

  • liv.mp3 - saved as %ProgramData%\Wslive.exe
  • net.mp3 - saved as %ProgramData%\winet.exe
  • red.mp3 - saved as %ProgramData%\Sysred.exe


As of this writing, the server is no longer available.

Disables security software

TrojanDownloader:Win32/Banload.ZDT attempts to disable security products from the following companies by moving their files into different subfolders of the Windows system folder:

  • AVG
  • Avira
  • Comodo
  • Kaspersky
  • McAfee
  • Norton
  • Panda
  • Symantec


It also attempts to do this for Microsoft Security Essentials.
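The two payload behaviours above, the staged downloads fetched under .mp3 names and the relocation of security-product folders, can be turned into detection rules. The following is an added example, not code from the original page or from Microsoft's analysis: it runs over constructed, Sysmon- and proxy-like event records with a hypothetical schema, using the host and file names given above as exact indicators and adding two generic heuristics (a file fetched under a media extension but written as an .exe, and a vendor folder moved out of Program Files into the system folder). The Windows system folder is assumed to expand to C:\Windows\System32, and "Microsoft Security Client" is assumed to be the install folder of Microsoft Security Essentials; neither is stated on the page.

```python
"""Rules for the Banload.ZDT payload behaviours described above: the staged
downloads disguised as .mp3 files and the relocation of security-product folders.

Added example, not part of the original page or Microsoft's analysis. Records
are constructed, Sysmon/proxy-like dicts with a hypothetical schema:
    {"type": "dns_query",   "host": ...}
    {"type": "download",    "url": ..., "saved_as": ...}
    {"type": "file_rename", "src": ..., "dst": ...}
"""
from __future__ import annotations

import ntpath
from urllib.parse import urlsplit

C2_HOST = "professorklinger.kinghost.net"  # from the description above
# Staged payloads as the page lists them: remote name -> name written to disk.
STAGED = {"liv.mp3": "wslive.exe", "net.mp3": "winet.exe", "red.mp3": "sysred.exe"}
# Extensions that should never turn into an .exe on disk (generic heuristic).
DECOY_EXTENSIONS = {".mp3", ".jpg", ".gif", ".png", ".txt"}
# Vendors named above; "microsoft security client" is the install folder of
# Microsoft Security Essentials (assumption, not stated on the page).
AV_VENDORS = ("avg", "avira", "comodo", "kaspersky", "mcafee", "norton",
              "panda", "symantec", "microsoft security client")
SYSTEM_DIR = r"c:\windows\system32"  # assumed expansion of the Windows system folder


def check_dns(ev: dict) -> list[tuple[str, str]]:
    """Flag a lookup of the download host named above."""
    if ev["host"].lower().rstrip(".") == C2_HOST:
        return [("high", f"DNS lookup of Banload.ZDT download host {C2_HOST}")]
    return []


def check_download(ev: dict) -> list[tuple[str, str]]:
    """Flag the known host, the known remote/local name pairs, and the generic
    'fetched as media, written as executable' pattern the three payloads share."""
    url = urlsplit(ev["url"])
    remote = url.path.rsplit("/", 1)[-1].lower()
    local = ntpath.basename(ev["saved_as"]).lower()
    findings: list[tuple[str, str]] = []
    if (url.hostname or "").lower() == C2_HOST:
        findings.append(("high", f"download from Banload.ZDT host {C2_HOST}"))
    if STAGED.get(remote) == local:
        findings.append(("high", f"{remote} written as {local} matches a staged Banload.ZDT payload"))
    if ntpath.splitext(remote)[1] in DECOY_EXTENSIONS and ntpath.splitext(local)[1] == ".exe":
        findings.append(("medium", f"{remote} fetched as media but written as executable {local}"))
    return findings


def check_rename(ev: dict) -> list[tuple[str, str]]:
    """Flag a security vendor's folder leaving Program Files for the system folder.
    Vendor matching is by substring on path components, so it is a heuristic."""
    src, dst = ev["src"].lower(), ev["dst"].lower()
    parts = src.split("\\")
    under_program_files = any(p.startswith("program files") for p in parts)
    vendor = next((v for v in AV_VENDORS if any(v in p for p in parts)), None)
    if under_program_files and vendor and dst.startswith(SYSTEM_DIR + "\\"):
        return [("high", f"security product folder ({vendor}) moved from {ev['src']} to {ev['dst']}")]
    return []


RULES = {"dns_query": check_dns, "download": check_download, "file_rename": check_rename}


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Dispatch each record to the rule for its type; unknown types are skipped."""
    out: list[tuple[str, str]] = []
    for ev in events:
        rule = RULES.get(ev["type"])
        if rule is not None:
            out.extend(rule(ev))
    return out


# Constructed records mirroring the payload stage above, with a benign .mp3
# download and a benign folder rename to show they are not flagged.
SAMPLE_EVENTS = [
    {"type": "dns_query", "host": "professorklinger.kinghost.net"},
    {"type": "download", "url": "http://professorklinger.kinghost.net/liv.mp3",
     "saved_as": r"C:\ProgramData\Wslive.exe"},
    {"type": "download", "url": "http://professorklinger.kinghost.net/net.mp3",
     "saved_as": r"C:\ProgramData\winet.exe"},
    {"type": "download", "url": "http://professorklinger.kinghost.net/red.mp3",
     "saved_as": r"C:\ProgramData\Sysred.exe"},
    {"type": "download", "url": "http://cdn.example/track.mp3",
     "saved_as": r"C:\Users\u\Music\track.mp3"},
    {"type": "file_rename", "src": r"C:\Program Files\AVG",
     "dst": r"C:\Windows\System32\drivers\AVG"},
    {"type": "file_rename", "src": r"C:\Program Files\Microsoft Security Client",
     "dst": r"C:\Windows\System32\oobe\MSC"},
    {"type": "file_rename", "src": r"C:\Program Files\7-Zip",
     "dst": r"C:\Program Files\7-Zip.old"},
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Each of the three staged downloads trips the host indicator, the exact name pair and the extension-mismatch heuristic; the benign music download and the ordinary folder rename produce nothing. Because the download host is reported as no longer available, the DNS and URL rules are mainly useful for retrospective log search, while the extension-mismatch and folder-relocation heuristics remain applicable to later variants that change names and hosts.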



Analysis by Daniel Radu

Last update 30 March 2012

 
