Win32/TrojanDownloader.Banload [Threat Name]

Win32/TrojanDownloader.Banload.QDF [Threat Variant Name]

Category: trojan
Size: 39489 B
Detection created: May 03, 2011
Detection database version: 6091
Aliases: Trojan.ADH.2 (Symantec)
Short description

Win32/TrojanDownloader.Banload.QDF is a trojan that tries to download other malware from the Internet. The trojan also collects information used to access certain sites. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


The trojan contains a list of URLs.


It tries to download several files from those addresses over HTTP.


These are stored in the following locations:

  • %windir%\WindowsInstaller.dll (816128 B)
  • %windir%\reg.exe (472576 B)
  • %windir%\orbit.exe (863744 B)

The trojan registers the file "%windir%\WindowsInstaller.dll" as a BHO module in Microsoft Internet Explorer.


The following Registry entries are created:

  • [HKEY_CURRENT_USER\CLSID\{CD26C395-6415-493A-93C2-19C9AD2C5652}\InprocServer32]
    • "Default" = "%windir%\WindowsInstaller.dll"
    • "ThreadingModel" = "Apartment"
Information stealing

Win32/TrojanDownloader.Banload.QDF is a trojan that steals passwords and other sensitive information.


The trojan may redirect the user to the attacker's web sites.


The trojan displays fake dialog boxes.


The goal of the malware is to persuade the user to fill in personal information.


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • computer name
  • Internet Explorer version
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.


The trojan sends the information via e-mail.

Other information

The trojan can be used for sending spam.


The trojan may create the following files:

  • c:\managermsn.txt
  • %windir%\log.bat
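As an added example (not ESET's code), the script below turns the indicators from the Installation and Other information sections into a triage check: it matches a file listing against the dropped-file paths and sizes, and walks a .reg-style export for the BHO CLSID and the InprocServer32 value pointing at WindowsInstaller.dll. The inventory records and registry lines are constructed sample input; the Windows directory (assumed to be C:\Windows) is a parameter. The CLSID is matched wherever it appears in a key path, so a registration under HKCU\Software\Classes\CLSID would be flagged as well as the HKEY_CURRENT_USER\CLSID path given above.

```python
"""Triage check for the Win32/TrojanDownloader.Banload.QDF indicators.

Added example, not part of the ESET description. Inventory and registry
data below are constructed samples; real input would be a file listing
and a registry export collected from the host under investigation.
"""
import re

# Dropped-file indicators from the description; None = size not stated.
FILE_IOCS = {
    r"%windir%\WindowsInstaller.dll": 816128,
    r"%windir%\reg.exe": 472576,
    r"%windir%\orbit.exe": 863744,
    r"c:\managermsn.txt": None,
    r"%windir%\log.bat": None,
}
# CLSID under which the BHO module is registered.
BHO_CLSID = "{CD26C395-6415-493A-93C2-19C9AD2C5652}"

# Constructed sample file listing: (path, size in bytes).
SAMPLE_FILES = [
    (r"C:\Windows\WindowsInstaller.dll", 816128),
    (r"C:\Windows\reg.exe", 472576),
    (r"C:\Windows\System32\reg.exe", 81920),   # legitimate reg.exe location, must not match
    (r"C:\managermsn.txt", 12),
    (r"C:\Windows\orbit.exe", 1000),           # path matches, size does not
]

# Constructed sample .reg export (raw string: '\\' is the .reg escape for a backslash).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\CLSID\{CD26C395-6415-493A-93C2-19C9AD2C5652}\InprocServer32]
@="C:\\Windows\\WindowsInstaller.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Users\\user\\example.exe"
""".strip().splitlines()

KEY_RE = re.compile(r"^\[(.+)\]$")


def normalize(path, windir=r"C:\Windows"):
    """Expand %windir% and lower-case so comparisons are exact and case-insensitive."""
    return path.replace("%windir%", windir).lower()


def scan_files(records, windir=r"C:\Windows"):
    """Return (path, reason) for every record whose path is a listed indicator.

    A size mismatch is still reported: the path alone is suspicious, but the
    reason string lets the analyst see that the sample may be a different build.
    """
    expected = {normalize(p, windir): size for p, size in FILE_IOCS.items()}
    hits = []
    for path, size in records:
        want = expected.get(path.lower(), "absent")
        if want == "absent":
            continue
        if want is None:
            hits.append((path, "path match"))
        elif want == size:
            hits.append((path, "path and size match"))
        else:
            hits.append((path, f"path match, size {size} != {want}"))
    return hits


def scan_registry(lines):
    """Return (key, reason) for the BHO CLSID key and its InprocServer32 value."""
    hits = []
    current = None
    for line in lines:
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1)
            if BHO_CLSID.lower() in current.lower():
                hits.append((current, "Banload BHO CLSID present"))
            continue
        if current and BHO_CLSID.lower() in current.lower() \
                and "windowsinstaller.dll" in line.lower():
            hits.append((current, f"InprocServer32 points at {line.strip()}"))
    return hits


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES) + scan_registry(SAMPLE_REG):
        print("HIT:", *hit)
```

Matching is on the exact expanded path, so the legitimate reg.exe under System32 is not reported; only the copy written directly into the Windows directory, as the description states, is flagged.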
