TrojanDownloader:Win32/Adload.H is a trojan that downloads arbitrary files from remote websites.
Win32/Adload.H may be installed by other malware. When run, the trojan creates a mutex with the same name as the trojan file name so that additional instances of the trojan do not execute. The registry is modified to execute the trojan at each Windows start.
Adds value: "Taskman"
With data: "<path and file name of Win32/Adload.H>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The trojan may make additional changes in the registry related to the function of the trojan as in the following example:
Adds value: "International"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\DirectDraw\Types
Awaits communication via UDP port
The trojan may open a random UDP port (for example, UDP 1048) and await communication on it.
Downloads arbitrary programs
Win32/Adload.H attempts to retrieve a data file that instructs the trojan to download additional programs without user consent. In the wild, this trojan was observed connecting to the domain "newdonkey.net" to retrieve a small configuration file that contains file names the trojan could retrieve from a predefined remote website. If the trojan is unable to reach the primary domain, it attempts to connect to another domain named "suggestbar.net" to perform the same action.
Some example file names of retrieved executables include "b1ettk.exe", "rogne2.exe", "mt2uinit.exe", "joffzz2.exe" and so on.
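A host check for the persistence and marker artifacts this entry describes, added here as an example and not part of the original analysis. It assumes a Windows 8 / Server 2012 or later host (for Get-NetUDPEndpoint) and an elevated PowerShell session; because the UDP port is random, the listener check keys on the process named in the Taskman value rather than on a port number.

```powershell
# Added example (not from the original analysis): audit a host for the
# registry values and UDP listener described in the Win32/Adload.H entry.
# Assumes Windows 8 / Server 2012+ for Get-NetUDPEndpoint; run elevated.

$findings = @()

# 1. Winlogon "Taskman" value: Windows leaves this unset by default, so any
#    value deserves review (some legitimate tools do set it; verify the path).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman  = (Get-ItemProperty -Path $winlogon -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman) {
    $taskmanPath = $taskman.Trim('"')
    $findings += [pscustomobject]@{
        Indicator = 'Winlogon\Taskman set'
        Detail    = $taskman
        OnDisk    = Test-Path -LiteralPath $taskmanPath
    }
}

# 2. DirectDraw\Types "International" marker value from the example above.
$ddraw  = 'HKLM:\SOFTWARE\Microsoft\DirectDraw\Types'
$marker = (Get-ItemProperty -Path $ddraw -Name International -ErrorAction SilentlyContinue).International
if ($null -ne $marker) {
    $findings += [pscustomobject]@{
        Indicator = 'DirectDraw\Types\International present'
        Detail    = $marker
        OnDisk    = $true
    }
}

# 3. UDP endpoints owned by a process whose image name matches the Taskman
#    binary (the port is random, so match on the owning process instead).
if ($taskman) {
    $exeName = [IO.Path]::GetFileName($taskmanPath)
    foreach ($ep in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.Path -and ([IO.Path]::GetFileName($proc.Path) -ieq $exeName)) {
            $findings += [pscustomobject]@{
                Indicator = 'UDP endpoint owned by Taskman binary'
                Detail    = "$($ep.LocalAddress):$($ep.LocalPort) PID $($proc.Id)"
                OnDisk    = $true
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Adload.H-style artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any hit on the Taskman value should be checked against the expected contents of the referenced file before removal, since the value is also used by a few legitimate shell-replacement tools.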
Analysis by Patrik Vicol