
TrojanDownloader:Win32/Banload.gen!B


TrojanDownloader:Win32/Banload.gen!B is a generic detection for trojans that download additional malware. It usually downloads and executes trojans that attempt to steal banking information from the system.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
TrojanDownloader:Win32/Banload.gen!B drops files with random names in the root of the system drive. Files it has been known to drop include the following:
  • banco.100por1[1]
  • windowsito.txt
 
It then modifies the system registry so that its dropped file runs every time Windows starts:
 
Adds value: "Microsoft Internet Explorers"
With data: "<malware file>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
where <malware file> is the particular malware file name.
Payload
Modifies Internet Explorer Settings
TrojanDownloader:Win32/Banload.gen!B modifies the following registry key to change the Internet Explorer user agent setting:
 
Adds value: "Embedded Web Browser from: http://bsalsa.com/"
With data: "0"
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
 
Downloads Other Malware
TrojanDownloader:Win32/Banload.gen!B attempts to download and execute other files from remote servers; these files may be detected as information-stealing trojans. It may connect to the website 'banco.100por1.com' to download them.
 
Analysis by Shawn Wang

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modification:
    Added value: "Embedded Web Browser from: http://bsalsa.com/"
    With data: "0"
    To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
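The Installation, Payload and Symptoms sections above list host and network indicators for this threat: a Run-key value for persistence, a Post Platform user-agent value, dropped file names in the root of a drive, and the download host. The script below is an added triage example written for this write-up; it is not Microsoft's tooling or part of the original page. It runs offline over constructed in-memory data (registry entries in the shape a registry export or forensic parser would yield, a short file list, and proxy log lines in a simple made-up format), so every sample value, log line and path in it is constructed, and the file-name check can only catch the known names, not the randomly named drops the write-up also mentions.

```python
"""Triage helper for the TrojanDownloader:Win32/Banload.gen!B indicators in
this write-up. Added example; works on constructed in-memory data only."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the write-up
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Internet Explorers"
POST_PLATFORM_KEY = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")
POST_PLATFORM_VALUE_NAME = "Embedded Web Browser from: http://bsalsa.com/"
DROPPED_FILES = {"banco.100por1[1]", "windowsito.txt"}
DOWNLOAD_HOST = "banco.100por1.com"

RegEntry = Tuple[str, str, str]  # (key path, value name, data)

_HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def _norm_key(key: str) -> str:
    """Lower-case a key path and map long hive names to the short forms."""
    k = key.strip().lower()
    for long, short in _HIVE_ALIASES.items():
        if k.startswith(long):
            k = short + k[len(long):]
    return k


def check_registry(entries: Iterable[RegEntry]) -> List[str]:
    """Flag the Run value and the Post Platform value named in the write-up."""
    findings = []
    for key, name, data in entries:
        k, n = _norm_key(key), name.strip().lower()
        if k == _norm_key(RUN_KEY) and n == RUN_VALUE_NAME.lower():
            findings.append(f"persistence: Run value {name!r} -> {data!r}")
        elif k == _norm_key(POST_PLATFORM_KEY) and n == POST_PLATFORM_VALUE_NAME.lower():
            findings.append(f"user-agent tampering: Post Platform value {name!r}")
    return findings


def check_files(paths: Iterable[str]) -> List[str]:
    """Flag files sitting directly in the root of a drive with a known dropped name.
    Randomly named drops (which the write-up also mentions) are not caught here."""
    known = {f.lower() for f in DROPPED_FILES}
    findings = []
    for p in paths:
        m = re.fullmatch(r"[A-Za-z]:\\([^\\]+)", p.strip())  # C:\name only
        if m and m.group(1).lower() in known:
            findings.append(f"dropped file: {p}")
    return findings


def check_proxy_log(lines: Iterable[str]) -> List[str]:
    """Flag requests to the download host. Constructed log format:
    '<timestamp> <client_ip> <method> <url> <status>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        m = re.match(r"https?://([^/:]+)", parts[3], re.IGNORECASE)
        if not m:
            continue
        host = m.group(1).lower()
        if host == DOWNLOAD_HOST or host.endswith("." + DOWNLOAD_HOST):
            findings.append(f"download host contacted by {parts[1]}: {parts[3]}")
    return findings


# Constructed sample data (not real system output)
SAMPLE_REGISTRY: List[RegEntry] = [
    (RUN_KEY, "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft Internet Explorers", r"C:\example_dropped.exe"),  # placeholder name
    (POST_PLATFORM_KEY, "Embedded Web Browser from: http://bsalsa.com/", "0"),
]
SAMPLE_FILES = [r"C:\windowsito.txt", r"C:\Windows\notepad.exe", r"D:\banco.100por1[1]"]
SAMPLE_PROXY_LOG = [
    "2009-03-20T10:00:01 10.0.0.5 GET http://www.microsoft.com/ 200",
    "2009-03-20T10:00:09 10.0.0.5 GET http://banco.100por1.com/update.bin 200",
    "malformed line",
]


def triage_sample() -> Dict[str, List[str]]:
    """Run all three checks over the constructed sample data."""
    return {
        "registry": check_registry(SAMPLE_REGISTRY),
        "files": check_files(SAMPLE_FILES),
        "network": check_proxy_log(SAMPLE_PROXY_LOG),
    }


if __name__ == "__main__":
    for section, hits in triage_sample().items():
        for hit in hits:
            print(f"[{section}] {hit}")
```

On a real host the registry tuples would come from a registry export or a forensic parser and the log lines from the proxy; the matching logic stays the same. The hive-alias normalization is there because exports and parsers disagree on whether to write `HKLM` or `HKEY_LOCAL_MACHINE`.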

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Mar 20, 2009
This entry was updated on: May 26, 2010

This threat is also detected as:
  • Mal/Banspy-F (Sophos)
  • Win32/Spy.Banker.QJZ (ESET)
  • Trojan-Spy.Win32.Agent.abuz (Kaspersky)
  • Infostealer.Bancos (Symantec)