Backdoor.Win32.Banito.ayg
From Total Malware Info
Last edited: 20.1.2011
This is a malicious program that gives an attacker remote access to the infected machine. It is a Windows application (PE-EXE file), 221,184 bytes in size, written in C++.
MD5: C6FDE47C44105236CB6B5B8D7E7EA0B0
SHA1: 3DF44D093F480B6EC721D57CAAB311DCE7AAC9E9
Installation
Once launched, the backdoor enumerates the values under the following registry keys (programs that Windows starts automatically at logon):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
For each program file referenced by those values, the backdoor attempts to overwrite the file's contents with the contents of its own original file, so that the backdoor is launched in place of the legitimate autorun program. To evade signature-based antivirus scanners, 4 bytes are modified in each created copy, so the copies do not share the hash of the original file (the MD5 and SHA1 given above identify the original sample only).
At the time of writing, the created copies were detected only by the heuristic analyzer of Kaspersky Anti-Virus ("HEUR:Backdoor.Win32.Generic").
Payload
Once launched, the backdoor performs the following actions:
- It creates a named synchronization object (mutex) with the following name, so that only one instance of its process runs at a time:
{A37340FD-F043-41e3-9C16-2F2632387199}
- It attempts to terminate any running process whose name contains one of the following substrings (these are mostly components of antivirus, anti-spyware and personal firewall products):
ad-watch almon alsvc alusched apvxdwin ashdisp ashmaisv ashserv ashwebsv avcenter avciman avengine avesvc avgnt avguard avp bdagent bdmcon caissdt cavrid cavtray ccapp ccetvm cclaw ccproxy ccsetmgr clamtray clamwin counter dpasnt drweb firewalln fsaw fsguidll fsm32 fspex guardxkickoff hsock isafe isafe kav kavpf kpf4gui kpf4ss livesrv mcage mcdet mcshi mctsk mcupd mcupdm mcvs mcvss mpeng mpfag mpfser mpft msascui mscif msco msfw mskage msksr msmps msmsgs mxtask navapsvc nip nipsvc njeeves nod32krn nod32kui npfmsg2 npfsvice nscsrvce nvcoas nvcsched oascl pavfnsvr PXAgent pxagent pxcons PXConsole savadmins savser scfmanager scfservice scftray sdhe sndsrvc spbbcsvc spidernt spiderui spysw sunprotect sunserv sunthreate swdoct symlcsvc tsanti vba32ldr vir.exe vrfw vrmo vsmon vsserv webproxy webroot winssno wmiprv xcommsvr zanda zlcli zlh
- It establishes a connection with the following host:
221.218.165.209
After that, on the attacker's command, the backdoor downloads other malicious programs to the infected computer and executes them. The downloaded files are saved in the directory:
%APPDATA%\<rnd1>\<rnd2>
<rnd1>, <rnd2> are random sequences of characters.
At the time of writing, the server at the specified IP address was not responding.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Restart the computer in "Safe Mode" (press and hold «F8» at the start of boot, then select «Safe Mode» in the Windows boot menu).
2. Inspect the program files referenced by the values under the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
3. Delete the copies created by the backdoor. Because each copy has replaced the contents of a legitimate autorun program, that program must be reinstalled or restored from a known-good source; note also that the copies differ from the original sample by 4 bytes, so their hashes will not match the MD5 and SHA1 listed above.
4. Delete the following files:
%APPDATA%\<rnd1>\<rnd2>
5. Clear the Temporary Internet Files folder, which may contain infected files.
6. Perform a full system scan with an antivirus with updated databases.
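The following PowerShell script is an added triage aid for steps 2 and 3 above; it is not part of the original description and is not the vendor's tool. It opens the two Run keys named in the description, resolves each value to the executable it launches, and flags files that match the published MD5/SHA1 exactly or that have the sample's size of 221,184 bytes with a different hash, which is what a copy patched in place by 4 bytes would look like (the assumption that the patch preserves file size is ours). It also tests whether the mutex named in the description currently exists; the Global\ and Local\ prefixes tried are assumptions, since the description does not state the namespace. The optional byte-difference function needs a reference copy of the original sample (for example from quarantine) and is only meaningful if you have one.

```powershell
# Added triage script (not from the original description).
# Run elevated; read-only: it reports and deletes nothing.

$KnownMD5  = 'C6FDE47C44105236CB6B5B8D7E7EA0B0'
$KnownSHA1 = '3DF44D093F480B6EC721D57CAAB311DCE7AAC9E9'
$KnownSize = 221184
$MutexName = '{A37340FD-F043-41e3-9C16-2F2632387199}'   # from the description

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable path from a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
function Resolve-RunCommand {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        # Unquoted value: take the first token (adequate for paths without spaces).
        $cmd = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

# True if a mutex with the backdoor's name exists, i.e. an instance is running.
# Namespace prefixes are assumptions; the bare name is tried as well.
function Test-BanitoMutex {
    foreach ($name in @("Global\$MutexName", "Local\$MutexName", $MutexName)) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            return $true
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present under this name; try the next one.
        } catch [System.UnauthorizedAccessException] {
            return $true   # exists but cannot be opened from this context: still a hit
        }
    }
    return $false
}

# Count differing bytes between a suspect file and a reference copy of the sample.
# Same size and at most 4 differing bytes fits the patched-copy behaviour described.
# Returns -1 when the sizes differ.
function Get-ByteDifferenceCount {
    param([string]$Suspect, [string]$Reference)
    $a = [IO.File]::ReadAllBytes($Suspect)
    $b = [IO.File]::ReadAllBytes($Reference)
    if ($a.Length -ne $b.Length) { return -1 }
    $n = 0
    for ($i = 0; $i -lt $a.Length; $i++) { if ($a[$i] -ne $b[$i]) { $n++ } }
    return $n
}

if (Test-BanitoMutex) {
    Write-Warning "Mutex $MutexName is present: an instance of the backdoor is running"
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $path = Resolve-RunCommand ([string]$prop.Value)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            Write-Output "[?] $key\$($prop.Name) -> file not found: $path"
            continue
        }
        $size = (Get-Item -LiteralPath $path).Length
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
        if ($md5 -eq $KnownMD5 -or $sha1 -eq $KnownSHA1) {
            Write-Output "[!] EXACT MATCH   $path   ($key\$($prop.Name))"
        } elseif ($size -eq $KnownSize) {
            Write-Output "[~] SIZE MATCH    $path   ($size bytes, hash differs: possible 4-byte-patched copy)"
        } else {
            Write-Output "[ ] $path   ($size bytes, MD5 $md5)"
        }
    }
}
```

Treat a "[~]" line as a lead, not a verdict: other 221,184-byte executables exist, so confirm with a scan or, if you hold a reference copy, with `Get-ByteDifferenceCount -Suspect $path -Reference 'C:\quarantine\banito.bin'` (a result of 4 or fewer matches the behaviour described). Run the script from Safe Mode as in step 1 so the backdoor is not active while you inspect the files.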