TrojanDownloader:Win32/Banload.ZDT
First posted on 30 March 2012.
Source: Microsoft
Aliases: TrojanDownloader:Win32/Banload.ZDT is also known as W32/Delfloader.B.gen!Eldorado (CA), Trojan horse Downloader.Banload.BUUC (AVG), TROJ_SWISYN.KZ (Trend Micro).
Explanation:
TrojanDownloader:Win32/Banload.ZDT is a trojan that may be distributed as a self-extracting executable that, while displaying an HTML page, also downloads and executes malware detected as variants of Win32/Bancos.
Installation
TrojanDownloader:Win32/Banload.ZDT may be distributed as a self-extracting WinRAR archive. When run, it extracts the following files:
- %ProgramData%\ini.bat - batch file that is executed after the files are extracted; it is used to automatically run the malware file "explore.exe"
- %ProgramData%\dietadosexo.html - HTML page that contains an image with the heading "Dieta do Sexo"
- %ProgramData%\explore.exe - TrojanDownloader:Win32/Banload.ZDT
It modifies the following registry entry, which specifies what applications, services, and commands are executed every time Windows starts:
In subkey: HKLM\SYSTEM\ControlSet001\Control\Session Manager
Sets value: "BootExecute"
With data: "autocheck autochk *"
It also creates the following registry entry so that its copy automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Puxpop"
With data: "%ProgramData%\explore.exe"
Payload
Downloads arbitrary files
TrojanDownloader:Win32/Banload.ZDT connects to the server "professorklinger.kinghost.net" to download arbitrary files, which are saved as follows:
- liv.mp3 - saved as %ProgramData%\Wslive.exe
- net.mp3 - saved as %ProgramData%\winet.exe
- red.mp3 - saved as %ProgramData%\Sysred.exe
As of this writing, the server is no longer available.
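The persistence value and dropped file names listed in the Installation and Payload sections above can be turned into a simple host triage check. The following is an added example, not Microsoft's code: it parses a constructed `.reg` export of the HKCU Run key and a constructed %ProgramData% directory listing, and reports the indicators from this write-up (the `.reg` text and file listing are sample data, not from a real machine).

```python
# Indicators taken from the Banload.ZDT write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Puxpop"
DROPPED_FILES = {"ini.bat", "dietadosexo.html", "explore.exe",
                 "wslive.exe", "winet.exe", "sysred.exe"}

def parse_reg_export(text):
    """Parse the text of a .reg export (e.g. from `reg export`) into {key: {value: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports escape backslashes in string data; undo that.
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def check_run_key(keys):
    """Return (name, data) pairs in the HKCU Run key that match the write-up."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == RUN_VALUE or data.lower().endswith("\\explore.exe"):
            hits.append((name, data))
    return hits

def check_programdata(listing):
    """Return names from a %ProgramData% listing that match the dropped files."""
    return sorted(f for f in listing if f.lower() in DROPPED_FILES)

# Constructed sample data for demonstration; not captured from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Puxpop"="C:\\ProgramData\\explore.exe"
'''
SAMPLE_LISTING = ["Microsoft", "ini.bat", "dietadosexo.html", "explore.exe", "ntuser.pol"]

if __name__ == "__main__":
    for name, data in check_run_key(parse_reg_export(SAMPLE_REG)):
        print(f"suspicious Run value {name!r} -> {data}")
    print("dropped files present:", check_programdata(SAMPLE_LISTING))
```

On a live host the same functions can be fed the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and `os.listdir(os.environ["ProgramData"])`.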
Disables security software
TrojanDownloader:Win32/Banload.ZDT attempts to disable security products from the following companies by moving them into different subfolders of the Windows system folder:
- AVG
- Avira
- Comodo
- Kaspersky
- McAfee
- Norton
- Panda
- Symantec
It also attempts to do this for Microsoft Security Essentials.
Analysis by Daniel Radu
Last update 30 March 2012