Systweak Spyware Library
Systweak Spyware Library text
More than 1126248 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Trojan-Downloader.Banload.dox Analysis Report
Threat Submitted On: 4/14/2008 9:03:52 AM
Threat Analysed On: 4/14/2008 2:03:52 PM
Threat Updated On: 10/5/2009 5:51:25 PM
Type : Trojan-Downloader
Symptoms of Banload.dox
  • Connects to remote websites or FTP as and when there is an internet connection
  • Downloads and installs malicious files.
Information
Alias : Trojan-Downloader.Win32.Banload.dox
Md5 Hash : [d04e1718c9ffac2746730223a5946f65]
File Size : (12681 bytes)

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: windows32.exe
Path : %allusersprofile%\start menu\programs\startup
Md5Hash :373c497a4f97430766fced837ce94692 ( 1920368 bytes)
File: windows32.exe
Path : %systemdrive%\arquivos de programas
Md5Hash :( bytes)
File: arq.ini
Path : %windir%
Md5Hash :6e850997260b6521dd5850a0bd4298dd ( bytes)
File: windosapi32.exe
Path : %windir%
Md5Hash :373c497a4f97430766fced837ce94692 ( 1920368 bytes)
File: [randomname].exe
Path : %workingdir%
Md5Hash :d04e1718c9ffac2746730223a5946f65 ( 12681 bytes)
Also creates the following files on user's System which are also created by Genuine Software :-
Note:
These file(s) can be kept as they are also created by genuine Software.
File : reg_0001.txt
Path : %windir%\system32
Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)
File : winload.inf
Path : %windir%
Md5Hash :efcee83fe515667692c8e63525cd6fa5 ( 5 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
windows32 = "%SYSTEMDRIVE%\arquivos de programas\windows32.exe"
Creates the following child process(s) on execution:

services.exe

%windir%\windosapi32.exe

Tries to Download Files from the following links :-

http://gigofante.rbcmail.ru/flashcard/regserve.exe

http://h1.ripway.com/shotteste/arq.ini

Creates the Following MUTEX(s) on user's System:-
raspbfile
.
Tries To Connect to The Following Urls:-
Http_Version :http/1.1
82.204.219.230/flashcard/regserve.exe
Http_Version :http/1.1
216.218.135.131/shotteste/arq.ini
Tries To Connect's to the following IP Address(s) through UDP(User DataGram Protocal) :-

127.0.0.1

Copies the Following Files to Given Location :-

Copies :%windir%\windosapi32.exe

To : %allusersprofile%\menu iniciar\programas\inicializar\windows32.exe

Copies :%windir%\windosapi32.exe

To : %allusersprofile%\start menu\programs\startup\windows32.exe

Copies :%windir%\windosapi32.exe

To : %systemdrive%\arquivos de programas\windows32.exe

Moves the Following Files to Given Location :-
Moves :%windir%\downloaded program files\
To : %windir%\system32\gbiehuni.dll , gbiehcef.dll , gbiehabn.dll, gbiehabn.dll, scpsssh2.dll

NOTE:

1. %allusersprofile% Refers to the windows all users profile folder. By default it is 'C:\Documents and Settings\All Users'
2. %systemdrive% Refers to the windows System drive folder. By default it is 'C:\'
3. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
4. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.

Microsoft Gold Certified Partner

© Systweak Inc., 1999-2009 All rights reserved.