TROJ_BANLOAD.HVT
TrojanDownloader:Win32/Small.gen!AP (Microsoft), Trojan-Downloader.Win32.Agent.xzny (Kaspersky), Trojan.FakeAV (Symantec)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan connects to the following URL(s) to download its component file(s):
- http://{BLOCKED}b.org/photos/zp-core/images/dire_expless_300.jpg
It saves the files it downloads using the following names:
- %Application Data%\DIRE_EXPLESS_300.EXE
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}o.gl/CKGAc
- http://4.bp.{BLOCKED}ot.com/_h9uXx-uszcE/SkC4s7jm55I/AAAAAAAAD6w/xOd7BCoVCQs/s400/3+CORREIO.jpg
NOTES:
This Trojan executes the downloaded file.