TrojanDownloader:Win32/Banload


TrojanDownloader:Win32/Banload is the Microsoft detection for a family of Trojans that downloads other malware. The downloaded malware is usually a member of the Win32/Banker family: trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
TrojanDownloader:Win32/Banload drops two files onto the system, both of which are also detected as TrojanDownloader:Win32/Banload. The file names vary by variant, for example:
  • %TEMP%\drvrnet.exe
  • <system folder>\542745.dll
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
 
It then launches its dropped EXE file.
 
It also modifies the system registry so that its dropped EXE file appears to be a legitimate Windows file, for example:
Adds value: "drvrnet"
With data: "%TEMP%\drvrnet.exe"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Payload
Downloads and Installs Additional Malware
Files detected as TrojanDownloader:Win32/Banload can download other malware by connecting to remote servers, usually over HTTP or FTP. The downloaded malware is usually a member of the Win32/Banker family: trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.
 
Modifies Internet Settings
TrojanDownloader:Win32/Banload changes the system's Internet settings through the registry so that the network proxy setting is bypassed:
Adds value: "ProxyBypass"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
 
Analysis by Jireh Sanico

Symptoms

System Changes
The following system changes may indicate the presence of TrojanDownloader:Win32/Banload:
  • The presence of the following files:
    drvrnet.exe
    542745.dll
  • The presence of the following registry entry:
    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
    "drvrnet" = "%TEMP%\drvrnet.exe"
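As an added triage example (not part of the Microsoft entry), the following PowerShell script checks a host for the file and registry indicators listed in the Installation, Payload and Symptoms sections above and reports any hits without changing anything. It assumes PowerShell 4.0 or later (for Get-FileHash) and that %TEMP% and the System folder resolve as they do for the current user.

```powershell
# Added triage script for the TrojanDownloader:Win32/Banload indicators in this entry.
# Not part of the Microsoft entry. Reports only; it does not delete files or registry values.

$systemDir = [Environment]::SystemDirectory                    # the "<system folder>" from the entry
$tempDir   = [Environment]::GetEnvironmentVariable('TEMP')      # %TEMP% for the current user

# File indicators named in the entry (names vary by variant, so treat these as examples).
$fileIndicators = @(
    (Join-Path $tempDir   'drvrnet.exe'),
    (Join-Path $systemDir '542745.dll')
)

# Registry indicators from the entry. ShellNoRoam\MUICache is the XP-era location;
# Vista and later keep MUICache under Software\Classes\Local Settings instead, so both are checked.
$regIndicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
       Name = 'drvrnet'; Expected = (Join-Path $tempDir 'drvrnet.exe') },
    @{ Path = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache'
       Name = (Join-Path $tempDir 'drvrnet.exe'); Expected = '(any)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
       Name = 'ProxyBypass'; Expected = 1 }
)

$hits = @()

foreach ($f in $fileIndicators) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash   # record the hash for the AV vendor / IR ticket
        $hits += [pscustomobject]@{ Type = 'File'; Indicator = $f; Detail = "$($item.Length) bytes, SHA256 $hash" }
    }
}

foreach ($r in $regIndicators) {
    if (Test-Path -LiteralPath $r.Path) {
        $props = Get-ItemProperty -LiteralPath $r.Path -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$r.Name]) {
            $data = $props.PSObject.Properties[$r.Name].Value
            $hits += [pscustomobject]@{ Type = 'Registry'; Indicator = "$($r.Path)\$($r.Name)"; Detail = "data = $data (entry lists $($r.Expected))" }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No TrojanDownloader:Win32/Banload indicators from this entry were found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

MUICache entries are written by the Windows shell whenever an executable runs, so a drvrnet hit there shows the dropper executed rather than that it persists across reboots. ZoneMap\ProxyBypass = 1 is also a default Internet Explorer setting on many systems, so treat it only as corroborating evidence beside the file hits, and follow any hit with the full scan the entry recommends.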

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.185.3823.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jun 30, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Troj/Dwnldr-HEF (Sophos)
  • Trojan.Spy.Delf.NOS (BitDefender)
  • Trojan.Downloader-40206 (Clam AV)
  • Trojan-Downloader.Win32.Banload.ogx (Kaspersky)
  • Generic Downloader.ab (McAfee)
  • Downloader.Bancos (Symantec)