Virus: TR/Banload.XY.2
Date discovered: 20/01/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 14,438 bytes
MD5 checksum: 7cd461b1d4b7c8b04828bc9303be9c19
VDF version: 6.33.01.34

General

Method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Trojan-Spy.Win32.Delf.or


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification
   • Steals information


Right after execution the following information is displayed (the message itself is not reproduced on this page):


Files

It deletes the following file:
   • %SYSDIR%\winte.html



The following files are created:
   • %malware execution directory%\sui.dll
   • %malware execution directory%\suact\004.act
     A non-malicious text file with the following content: 004.act
   • %malware execution directory%\suact\011.act
     A non-malicious text file with the following content: 011.act
   • %malware execution directory%\suact\013.act
     A non-malicious text file with the following content: 013.act
   • %malware execution directory%\suact\015.act
     A non-malicious text file with the following content: 015.act
   • %malware execution directory%\wint.ini
   • %SYSDIR%\winte.html
   • %malware execution directory%\suskn\004.sns
   • %malware execution directory%\suskn\011.sns
   • %malware execution directory%\suskn\013.sns
   • %malware execution directory%\suskn\015.sns
   • %SYSDIR%\ierror.rep
     A non-malicious text file with the following content:
     [%current date%][%current hour%]#PROGRAMM INSTALLED!#
   • %malware execution directory%\sei.dll
   • %malware execution directory%\sucontr\UVER.ctr
     A non-malicious text file with the following content: 1.12

Registry

It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]


The following registry keys are added:

– [HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
   • @="%malware execution directory%\msupdate.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\ProgID]
   • @="msupdate.Microsoft Update Service"

– [HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]
   • @="NETWORK SERVICE"

– [HKCR\msupdate.Microsoft Update Service]
   • @="NETWORK SERVICE"

– [HKCR\msupdate.Microsoft Update Service\Clsid]
   • @="{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}"
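
The registry keys above are the persistence mechanism: once the CLSID is listed under Browser Helper Objects, Internet Explorer loads the InprocServer32 DLL into every browser process. The following Python script is an added example, not part of the original description or of any vendor tool. It parses a `reg export` of HKLM and HKCR (assumed to have been taken from the suspect machine first; a constructed sample export is embedded, with a placeholder path standing in for %malware execution directory%), reports whether the BHO is wired up, and offers helpers that compare a file against the MD5 listed above and look for the dropped file names.

```python
import hashlib
from pathlib import Path

# Indicators taken from the description above.
BHO_CLSID = "{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}"
BHO_PROGID = "msupdate.Microsoft Update Service"
SAMPLE_MD5 = "7cd461b1d4b7c8b04828bc9303be9c19"
DROPPED_NAMES = ("sui.dll", "sei.dll", "wint.ini", "winte.html",
                 "ierror.rep", "msupdate.dll", "UVER.ctr")

# Constructed sample of a `reg export` of the two hives (assumption: the analyst
# exported HKLM and HKCR to .reg files first). Not taken from the original page;
# the DLL path is a placeholder for %malware execution directory%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]

[HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
@="C:\\Users\\victim\\Desktop\\msupdate.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\msupdate.Microsoft Update Service\Clsid]
@="{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Only string values are decoded; '@' is the key's default value, as in the
    export format. Keys are stored as written; check_bho casefolds them,
    because registry paths are case-insensitive.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = value
    return keys


def _key(*parts):
    """Join registry path components and casefold for lookup."""
    return "\\".join(parts).casefold()


def check_bho(reg_text):
    """Report whether the BHO described above is wired up in this export."""
    keys = {k.casefold(): v for k, v in parse_reg_export(reg_text).items()}
    bho_key = _key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\Explorer\Browser Helper Objects", BHO_CLSID)
    inproc = keys.get(_key(r"HKEY_CLASSES_ROOT\CLSID", BHO_CLSID, "InprocServer32"), {})
    progid = keys.get(_key("HKEY_CLASSES_ROOT", BHO_PROGID, "Clsid"), {})
    dll = inproc.get("@")
    return {
        "bho_registered": bho_key in keys,   # Explorer/IE will load it
        "inproc_path": dll,                  # where to collect the DLL from
        "dll_is_msupdate": bool(dll) and dll.casefold().endswith("msupdate.dll"),
        "progid_maps_to_clsid": progid.get("@", "").casefold() == BHO_CLSID.casefold(),
    }


def check_bho_file(path):
    """reg export writes UTF-16LE with a BOM; decode accordingly."""
    return check_bho(Path(path).read_text(encoding="utf-16"))


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def matches_sample(path):
    """True if the file on disk is byte-identical to the analysed sample."""
    return md5_hex(Path(path).read_bytes()) == SAMPLE_MD5


def find_dropped_files(root):
    """Paths under root whose file name is one of DROPPED_NAMES (case-insensitive)."""
    wanted = {n.casefold() for n in DROPPED_NAMES}
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.name.casefold() in wanted)


if __name__ == "__main__":
    print(check_bho(SAMPLE_REG))
```

Note that the MD5 identifies only this exact 14,438-byte sample; a repacked build of the same Delphi code would not match, whereas the BHO CLSID and the "msupdate.Microsoft Update Service" ProgID are the better host indicators, and the DLL the InprocServer32 value points to is what to collect for analysis.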

Backdoor

Contact server:
All of the following:
   • http://oxygunn.com/aerodrom/**********
   • http://oxygunn.com/aerodrom/**********
   • http://oxygunn.com/aerodrom/**********

As a result it may send information to these servers, using the HTTP POST method to a PHP script.


Sends information about:
   • Current malware status
   • Collected information described in the stealing section
   • System time

Stealing

It tries to steal the following information:

– A logging routine is started after one of the following websites is visited:
   • barclays.co.uk
   • hsbc.co.uk
   • olb2.nationet.com
   • deutsche-bank.de
   • nwolb.com
   • co-operativebank.co.uk
   • my.if.com
   • smile.co.uk
   • cahoot.com
   • webbank.openplan.co.uk
   • anbusiness.com
   • https://olb2.nationet.com/MyAccounts/
   • https://olb2.nationet.com
   • https://ibank.barclays.co.uk/olb/q/LoginPasscode
   • https://ibank.barclays.co.uk/olb/q/LoginMember.do
   • https://welcome6.co-operativebank.co.uk/CBIBSWeb/loginSpi.do
   • https://welcome6.co-operativebank.co.uk/CBIBSWeb/start.do
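
From the network side, the two facts above (the banking sites that trigger logging, and the C2 host that receives the HTTP POSTs) combine into a simple proxy-log triage. The script below is an added example and not part of the original description: it assumes a log line format of "timestamp client method url" and embeds a constructed sample log, with "masked.php" standing in for the script names that the description masks with asterisks. A client is reported whenever it POSTs to oxygunn.com under /aerodrom/, and flagged more strongly when a watched banking host was visited first, which is the order this trojan produces.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Command-and-control host from the backdoor section. The script names are
# masked in the description, so only the host and path prefix are matched.
C2_HOST = "oxygunn.com"
C2_PATH_PREFIX = "/aerodrom/"

# Sites after which the trojan starts logging (from the stealing section).
WATCHED_HOSTS = (
    "barclays.co.uk", "hsbc.co.uk", "olb2.nationet.com", "deutsche-bank.de",
    "nwolb.com", "co-operativebank.co.uk", "my.if.com", "smile.co.uk",
    "cahoot.com", "webbank.openplan.co.uk", "anbusiness.com",
)

# Constructed proxy log (assumed format: "timestamp client method url"); not
# taken from the page. "masked.php" stands in for the masked script names.
SAMPLE_LOG = """\
2006-01-20T09:00:01 10.0.0.5 GET https://ibank.barclays.co.uk/olb/q/LoginMember.do
2006-01-20T09:00:07 10.0.0.5 CONNECT ibank.barclays.co.uk:443
2006-01-20T09:00:12 10.0.0.5 POST http://oxygunn.com/aerodrom/masked.php
2006-01-20T09:03:40 10.0.0.9 GET http://www.example.com/
2006-01-20T09:04:02 10.0.0.9 POST http://oxygunn.com/aerodrom/masked.php
2006-01-20T09:05:00 10.0.0.7 GET https://www.hsbc.co.uk/
2006-01-20T09:06:00 10.0.0.7 GET http://oxygunn.com/aerodrom/masked.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")


def parse_line(line):
    """Split one log line into its fields; CONNECT carries host:port, not a URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target = m.groups()
    if method == "CONNECT":
        host, path = target.rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(target)
        host, path = (parts.hostname or ""), parts.path
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path}


def host_matches(host, pattern):
    """Exact match or subdomain of pattern; never a plain substring match."""
    host, pattern = host.lower(), pattern.lower()
    return host == pattern or host.endswith("." + pattern)


def is_c2_post(rec):
    return (rec["method"] == "POST" and host_matches(rec["host"], C2_HOST)
            and rec["path"].startswith(C2_PATH_PREFIX))


def is_watched_bank(rec):
    return any(host_matches(rec["host"], h) for h in WATCHED_HOSTS)


def triage(log_text):
    """Per client: number of C2 posts, watched banking hosts visited, and
    whether a bank visit preceded a C2 post. Clients with no C2 post are
    dropped from the result."""
    state = defaultdict(lambda: {"c2_posts": 0, "banks": set(),
                                 "bank_before_c2": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["client"]]
        if is_watched_bank(rec):
            s["banks"].add(rec["host"])
        elif is_c2_post(rec):
            s["c2_posts"] += 1
            if s["banks"]:
                s["bank_before_c2"] = True
    return {c: s for c, s in state.items() if s["c2_posts"]}


if __name__ == "__main__":
    for client, s in sorted(triage(SAMPLE_LOG).items()):
        print(client, s)
```

Two caveats when applying this to real logs: the banking sessions in the list are HTTPS, so a proxy sees only the CONNECT (or TLS SNI) host and never the login paths, which is why CONNECT lines are matched on host alone; and the C2 exchange is plain HTTP, so the POST body itself (the stolen form data and the status messages) is available for capture at the proxy if retention allows.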

File details

Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Iulia Diaconescu on Monday, March 20, 2006
Description updated by Iulia Diaconescu on Tuesday, March 21, 2006
