Alert level

TrojanDownloader:Win32/Banload


Encyclopedia entry
Updated: Jun 30, 2008  |  Published: Jun 30, 2008

Aliases
  • Troj/Dwnldr-HEF (Sophos)
  • Trojan.Spy.Delf.NOS (BitDefender)
  • Trojan.Downloader-40206 (Clam AV)
  • Trojan-Downloader.Win32.Banload.ogx (Kaspersky)
  • Generic Downloader.ab (McAfee)
  • Downloader.Bancos (Symantec)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.240.0
Released: Nov 25, 2009 		Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008

Summary

TrojanDownloader:Win32/Banload is the Microsoft detection for a family of Trojans that downloads other malware. These downloaded malware are usually members of the Win32/Banker family; trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker.

Top

Symptoms

System Changes
The following system changes may indicate the presence of TrojanDownloader:Win32/Banload:
  • The presence of the following files:
    drvrnet.exe
    542745.dll
  • The presence of the following registry entry:
    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
    "drvrnet" = "%TEMP%\drvrnet.exe"

Top

Technical Information (Analysis)

TrojanDownloader:Win32/Banload is the Microsoft detection for a family of Trojans that downloads other malware. These downloaded malware are usually members of the Win32/Banker family; trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload drops two files in the system, both of which are also detected as TrojanDownloader:Win32/Banload. Depending on the variant, the file names may vary, for example:
  • %TEMP%\drvrnet.exe
  • <system folder>\542745.dll
 
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
 
It then launches its dropped EXE file.
 
It also modifies the system registry so that its dropped EXE file appears to be a legitimate Windows file, for example:
Adds value: "drvrnet"
With data: "%TEMP%\drvrnet.exe"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Payload
Downloads and Installs Additional Malware
Files detected as TrojanDownloader:Win32/Banload can download other malware by connecting to remote servers, usually via HTTP or FTP. These downloaded malware are usually members of the Win32/Banker family; trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker.
 
Modifies Internet Settings
TrojanDownloader:Win32/Banload modifies the system's Internet settings by modifying the system registry to bypass the network proxy setting:
Adds value: "ProxyBypass"
With value: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
 
Analysis by Jireh Sanico

Top

Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.

Top

Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Top