
TROJ_BANLOAD.JMO

Overview

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This Trojan may be downloaded from remote sites by other malware or dropped by other malware. It may also be downloaded unknowingly by a user who visits malicious Web sites, including the specific site listed under Arrival Details.

It gathers target email addresses from files with certain file name extensions. It saves all gathered information into a text file, which it then sends via File Transfer Protocol (FTP).

It connects to Web sites to download files, which are detected as TSPY_BANKER.MOA and TSPY_BANKER.MOB. As a result, malicious routines of the downloaded files are exhibited on the affected system.


Description created: Jan. 24, 2009 8:33:10 AM GMT -0800


Technical Details

File type: PE

Memory resident:  Yes

Size of malware: 376,021 Bytes

Initial samples received on: Jan 22, 2009

Payload 1: Steals information

Payload 2: Disables services

Payload 3: Downloads files

Details:

Arrival Details

This Trojan may be downloaded from remote site(s) by other malware.

It may be dropped by other malware.

It may be downloaded unknowingly by a user when visiting malicious Web site(s).

It may be downloaded unknowingly by a user when visiting the following malicious Web site(s):

  • http://{BLOCKED}erprizes.com/site/mte.gov.br/consulta/processo/despacho_118255209.html

Installation

This Trojan creates the following folder(s):

  • %System Root%\Download

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copy(ies) of itself:

  • %System Root%\Download\arquivo.exe
  • %System Root%\Download\Update.exe

It drops the following component file(s):

  • %System Root%\Download\control.ctr

Propagation via Email

This Trojan gathers target email addresses from files with the following file name extension(s):

  • .dbx
  • .eml
  • .mai
  • .mbox
  • .mbx
  • .tbb
  • .wab

It saves the target email addresses into the file %System Root%\Download\{computer name}{random numbers}.txt and then uploads this text file via File Transfer Protocol (FTP) to the following FTP site(s):

  • {BLOCKED}.{BLOCKED}.78.2

Download Routine

This Trojan connects to the following Web site(s):

  • http://{BLOCKED}erprizes.com/images/img003.jpg
  • http://{BLOCKED}erprizes.com/images/img004.jpg

It saves the downloaded file(s) as the following:

  • %System Root%\Download\msne.exe - detected as TSPY_BANKER.MOA
  • %System Root%\Download\windhelp32.exe - detected as TSPY_BANKER.MOB

It then executes the downloaded file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.
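The file-system indicators from the Installation, Propagation via Email and Download Routine sections above, gathered into an offline triage sweep. This is an added example written for this page, not a Trend Micro tool and not code from the malware. It assumes the folder and file names exactly as listed above, takes the %System Root% path and the computer name as arguments (so it can be pointed at a mounted disk image as well as a live system), and the infected directory tree it builds in build_sample_tree() is constructed for illustration only.

```python
"""Offline triage sweep for the TROJ_BANLOAD.JMO file-system indicators.

Added example for this page; the directory tree in build_sample_tree()
is constructed sample data, not a real infection.
"""
import os
import re
import tempfile

# Files dropped or downloaded into %System Root%\Download, per the write-up.
KNOWN_FILES = {
    "arquivo.exe": "copy of TROJ_BANLOAD.JMO",
    "Update.exe": "copy of TROJ_BANLOAD.JMO",
    "control.ctr": "component file of TROJ_BANLOAD.JMO",
    "msne.exe": "downloaded file, detected as TSPY_BANKER.MOA",
    "windhelp32.exe": "downloaded file, detected as TSPY_BANKER.MOB",
}


def harvest_file_pattern(computer_name):
    """Pattern for the harvested address list: {computer name}{random numbers}.txt."""
    return re.compile(r"^" + re.escape(computer_name) + r"\d+\.txt$", re.IGNORECASE)


def sweep(system_root, computer_name):
    """Return a list of (path, description) for indicators found under system_root.

    Name comparison is case-insensitive because FAT/NTFS are.
    """
    findings = []
    download_dir = os.path.join(system_root, "Download")
    if not os.path.isdir(download_dir):
        return findings
    findings.append((download_dir, "dropped folder %System Root%\\Download"))
    harvest_re = harvest_file_pattern(computer_name)
    known = {name.lower(): desc for name, desc in KNOWN_FILES.items()}
    for name in sorted(os.listdir(download_dir)):
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            continue
        if name.lower() in known:
            findings.append((path, known[name.lower()]))
        elif harvest_re.match(name):
            findings.append((path, "harvested e-mail address list staged for FTP upload"))
    return findings


def build_sample_tree(root, computer_name):
    """Constructed sample: what an infected %System Root% might look like."""
    download_dir = os.path.join(root, "Download")
    os.makedirs(download_dir, exist_ok=True)
    names = ["arquivo.exe", "Update.exe", "control.ctr", "msne.exe",
             "windhelp32.exe", computer_name + "48213.txt", "readme.txt"]
    for name in names:
        with open(os.path.join(download_dir, name), "wb") as fh:
            fh.write(b"placeholder")  # content is irrelevant to a name-based sweep


def demo():
    """Build the constructed tree in a temp dir and sweep it (7 findings expected)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, "WORKSTATION7")
        return sweep(root, "WORKSTATION7")


if __name__ == "__main__":
    for path, desc in demo():
        print(f"{desc}: {path}")
```

On a live host pass the real root (usually C:\) and the output of the hostname command; readme.txt in the sample is deliberately left unflagged to show the sweep is name-based and does not treat every file in the folder as an indicator. A match on names alone is a lead for the scan in the Solution section, not a verdict.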

Other Details

This Trojan disables Internet Connection Sharing and Windows Firewall by executing the command net stop SharedAccess. SharedAccess is the service name of Windows Firewall/Internet Connection Sharing (ICS) on Windows XP and Server 2003, so stopping it removes the host firewall for the rest of the session.
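Detection logic for the firewall-disabling command described above, run over constructed process-creation log lines. This is an added example, not from the write-up or from any Trend Micro product; the log line format, the host name WS7, the process IDs and the parent-process enrichment are assumptions made here. It goes slightly beyond the page in two ways: on NT-family Windows, net.exe hands most commands to net1.exe, so the same stop appears a second time under net1, and sc stop SharedAccess is covered as an equivalent way to stop the service that the write-up does not mention.

```python
"""Flag process-creation events that stop the SharedAccess service.

Added example for this page. SAMPLE_EVENTS is constructed telemetry in an
invented one-line-per-event format, not real logs.
"""
import re

# Constructed sample events: the Trojan copy (pid 1200) spawns net.exe,
# which in turn spawns net1.exe; later an unrelated sc.exe stop appears.
SAMPLE_EVENTS = [
    '2009-01-22T10:15:01Z host=WS7 pid=1200 ppid=1120 image=C:\\Download\\arquivo.exe cmdline="C:\\Download\\arquivo.exe"',
    '2009-01-22T10:15:03Z host=WS7 pid=1244 ppid=1200 image=C:\\WINDOWS\\system32\\net.exe cmdline="net stop SharedAccess"',
    '2009-01-22T10:15:03Z host=WS7 pid=1248 ppid=1244 image=C:\\WINDOWS\\system32\\net1.exe cmdline="C:\\WINDOWS\\system32\\net1 stop SharedAccess"',
    '2009-01-22T10:16:40Z host=WS7 pid=1300 ppid=900 image=C:\\WINDOWS\\system32\\net.exe cmdline="net use Z: \\\\fileserver\\share"',
    '2009-01-22T10:17:02Z host=WS7 pid=1320 ppid=900 image=C:\\WINDOWS\\system32\\sc.exe cmdline="sc stop SharedAccess"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# net / net1 / sc, optionally with .exe or a full path, followed by "stop SharedAccess".
FIREWALL_STOP_RE = re.compile(
    r'(?:^|[\\\s])(?:net1?|sc)(?:\.exe)?\s+stop\s+SharedAccess\b', re.IGNORECASE
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def detect_firewall_stop(lines):
    """Return hits for commands that stop SharedAccess, enriched with the parent image.

    suspicious_parent is True when the parent process runs from outside
    C:\\WINDOWS, as with the Trojan copy in C:\\Download.
    """
    events = [ev for ev in (parse_event(l) for l in lines) if ev is not None]
    image_by_pid = {int(ev["pid"]): ev["image"] for ev in events}
    hits = []
    for ev in events:
        if not FIREWALL_STOP_RE.search(ev["cmdline"]):
            continue
        parent_image = image_by_pid.get(int(ev["ppid"]))
        suspicious = parent_image is not None and not parent_image.lower().startswith("c:\\windows\\")
        hits.append({
            "ts": ev["ts"],
            "pid": int(ev["pid"]),
            "ppid": int(ev["ppid"]),
            "cmdline": ev["cmdline"],
            "parent_image": parent_image,
            "suspicious_parent": suspicious,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_firewall_stop(SAMPLE_EVENTS):
        flag = "SUSPICIOUS PARENT" if hit["suspicious_parent"] else "review"
        print(f'{hit["ts"]} pid={hit["pid"]} {flag}: {hit["cmdline"]} (parent: {hit["parent_image"]})')
```

The net1.exe hit is a child of the net.exe hit and carries no extra information, so a production rule would suppress it or key the alert on the net.exe parent; the parent-image check is what separates this Trojan's use of the command from an administrator typing it. After cleanup, restart the service (net start SharedAccess on Windows XP/Server 2003) and confirm Windows Firewall is running again, since the Trojan leaves it stopped.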

The downloaded file MSNE.EXE uses the following icon:

{Internet Explorer icon}

The downloaded file WINDHELP32.EXE uses the following icon:

{Windows update icon}

Affected Platforms

This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


Analysis By: Karl Dominguez


Solution

Minimum scan engine version needed: 8.700

Pattern file needed: 5.787.00

Pattern release date: Jan 22, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest scan engine version in order to get comprehensive protection.

Solution:

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.


Step 1: Identify and terminate files detected as TROJ_BANLOAD.JMO

*Note:

  1. For Windows 98 and ME users, Windows Task Manager may not display all running processes. In this case, use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode and repeat this step.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue with the next steps.

Step 2: Search and delete this folder

*Note: Make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.

  • %System Root%\Download

Step 3: Scan your computer with your Trend Micro product to delete files detected as TROJ_BANLOAD.JMO, TSPY_BANKER.MOA, and TSPY_BANKER.MOB

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.

Step 4: Restore the firewall

Because this Trojan stops the SharedAccess service, Windows Firewall and Internet Connection Sharing remain disabled after the files are removed. Restart the Windows Firewall/Internet Connection Sharing (ICS) service from the Services console and confirm that it is running.
