Systweak Spyware Library
More than 1126248 spyware signatures and growing
Microsoft Gold Certified Partner
Trojan-Downloader.banload.dwh Analysis Report
Threat Submitted On: 1/30/2008 3:38:54 AM
Threat Analysed On: 1/30/2008 8:38:54 AM
Threat Updated On: 10/6/2009 1:55:31 AM
Type : Trojan-Downloader
Symptoms of banload.dwh
  • Connects to remote websites or FTP servers whenever an internet connection is available.
  • Downloads and installs malicious files.
Information
Alias : trojan-downloader.win32.banload.dwh
Md5 Hash : [ca325936613f1029abcae0fd1d2845c9]
File Size : 25092 bytes

Technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: f482c95f83f1b59228f1b1e720f2edf1
Path : %userprofile%\application data\microsoft\cryptneturlcache\content

Md5Hash :1abfda967cb4f5b50e72a0bea7749115 ( 70226 bytes)
File: f482c95f83f1b59228f1b1e720f2edf1
Path : %userprofile%\application data\microsoft\cryptneturlcache\metadata

Md5Hash :a923770fd5195f27d5d78f8a5cedcf7b ( 128 bytes)
File: [randomname].exe
Path : %workingdir%

ca325936613f1029abcae0fd1d2845c9 ( 25092 bytes)
f0994ca1e2d0f5b4430adc82979c0b65 ( 25088 bytes)
Also creates the following files on the user's system; these are also created by genuine software:
Note:
These file(s) can be kept, as they are also created by genuine software.
File : 60e31627fda0a46932b0e5948949f2a5
Path : %userprofile%\application data\microsoft\cryptneturlcache\content

12df8a16216c59ea2f020898049fed1c ( 828 bytes)
de7fdc88a674f4011708a3f4974ef47f ( 758 bytes)
File : a8faba189db7d25fba7cac806625fd30
Path : %userprofile%\application data\microsoft\cryptneturlcache\content

1ebce39323c98735d43c2c8561618694 ( 66832 bytes)
d58b1527e333cbe2a253cd848c7b2dcb ( 71941 bytes)
File : f482c95f83f1b59228f1b1e720f2edf1
Path : %userprofile%\application data\microsoft\cryptneturlcache\content

Md5Hash :446841e71a0c0dd457b7778ef75bf5a7 ( 70226 bytes)
File : 60e31627fda0a46932b0e5948949f2a5
Path : %userprofile%\application data\microsoft\cryptneturlcache\metadata

c4faf0a5e4ff33c46b91ed40d78dfe0a ( 94 bytes)
f72e60a94a6a537a250c31b6ec408ae1 ( 94 bytes)
File : a8faba189db7d25fba7cac806625fd30
Path : %userprofile%\application data\microsoft\cryptneturlcache\metadata

0d0c12f8d376ed794edcc71243b03e58 ( 124 bytes)
20ef3c69556c6e1ee914c5813f658e6f ( 124 bytes)
File : f482c95f83f1b59228f1b1e720f2edf1
Path : %userprofile%\application data\microsoft\cryptneturlcache\metadata

Md5Hash :021e6aea188949e10ea0faae38a59518 ( 128 bytes)
File : desktop.ini
Path : %userprofile%\favorites

Md5Hash :fc2bf37169c033a08c1fd7680193cce2 ( 122 bytes)
File : msimgsiz.dat
Path : %userprofile%\local settings\application data\microsoft\internet explorer

31a8898f692656d156079bdc86adcbf7 ( 16384 bytes)
4b7c9da577f234eba4e4d346896b9962 ( 16384 bytes)
File : desktop.ini
Path : %userprofile%\local settings\history

Md5Hash :d332ce83b166d5c244d22587ad75aac4 ( 113 bytes)
File : desktop.ini
Path : %userprofile%\local settings\temporary internet files

Md5Hash :4a3deb274bb5f0212c2419d3d8d08612 ( 67 bytes)
File : xt132y.exe
Path : %windir%\temp

Md5Hash :23d6b92bc7eb100fc1294e6b124b7e75 ( 1635 bytes)
The following registry values are added to the listed registry keys; they are also created by genuine software:
Note:
These values can be left in place, as they are also created by legitimate software.
Creates the following child process(es) on execution:

%programfiles%\internet explorer\iexplore.exe -nohome

services.exe

%windir%\temp\xt132y.exe

Creates the following mutex(es) on the user's system:
Tries to connect to the following URLs:
Tries to connect to the following IP address(es) over UDP (User Datagram Protocol):

127.0.0.1

NOTE:

1. %userprofile% refers to the current Windows user's profile folder. By default it is 'C:\Documents and Settings\[user]'.
2. %workingdir% refers to the current directory in which the user is working.
3. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify only the malicious or suspicious subkeys.


To modify registry entries in the Windows operating system:
Follow these steps:
1. Click Start > Run
2. Type "regedit" to open the Registry Editor
3. Navigate to the required registry key in the left tree control and modify it accordingly.



© Systweak Inc., 1999-2009 All rights reserved.