Threat Encyclopedia

Win32/Banito.AE

Introduction

Win32/Banito.AE is a typical password-stealing backdoor for the Windows platform. An uncompressed server is around 50 Kbytes; the size may vary depending on which packer was used to compress the backdoor server. The Server Builder includes UPX runtime compression of the created server, which reduces the server executable to around half of that file size.

Installation and Autostart Techniques

Upon execution, the trojan copies itself into the Windows folder under a predefined executable name which the hacker selects. By default this is "winhost32.exe". After a successful copy, the backdoor deletes the original file.

The backdoor adds the following registry key to make sure that it runs every time Windows is started:

HKCU\Software\Microsoft\Active Setup\Installed Components\{ CLASSID }
"StubPath" = "%WINDOWS%/{ Trojan Executable }"

This is called the "ActiveX Startup" method.

Note: Newer versions of this backdoor might also add a "CurrentVersion\Run" entry. The ActiveX Key is freely editable, meaning that any number or text could be there.
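One way to check for this autostart entry, as an added example that is not part of the original write-up: the script below parses the text of a registry export and lists every "StubPath" value under the HKCU Active Setup key, ignoring the key name and executable name because both are attacker-chosen. The function name find_hkcu_stubpaths, the sample export and the default Windows folder C:\WINDOWS are assumptions made for illustration.

```python
import re

# Constructed sample in "reg export" text format; not taken from a real system.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\any-text-1234]
"StubPath"="C:\\WINDOWS/winhost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}]
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Program Files\\Example\\setup.exe\" /user"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000003}]
"StubPath"="C:\\WINDOWS\\example.exe"
'''

PREFIX = r"hkey_current_user\software\microsoft\active setup\installed components" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
STUB_RE = re.compile(r'^"StubPath"="(.*)"$', re.IGNORECASE)
EXE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)

def find_hkcu_stubpaths(export_text, windows_dir=r"C:\WINDOWS"):
    """Return (component, command, in_windows_dir) per HKCU Active Setup StubPath."""
    findings, component = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # The subkey name is freely editable, so match on location only.
            path = key.group(1)
            component = path[len(PREFIX):] if path.lower().startswith(PREFIX) else None
            continue
        stub = STUB_RE.match(line)
        if not (stub and component):
            continue
        command = re.sub(r"\\(.)", r"\1", stub.group(1))  # undo .reg escaping
        exe = EXE_RE.match(command)
        # Accept "/" as well as "\" because the StubPath above uses a forward slash.
        target = exe.group(1).replace("/", "\\").lower() if exe else ""
        parent = target.rsplit("\\", 1)[0]
        findings.append((component, command, parent == windows_dir.lower()))
    return findings

if __name__ == "__main__":
    for component, command, in_windows in find_hkcu_stubpaths(SAMPLE_EXPORT):
        print(f"{component}: {command} (directly in Windows folder: {in_windows})")
```

An entry flagged as pointing directly into the Windows folder is a candidate for review, not a verdict; the executable it names still has to be examined.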

The communication port on which the backdoor listens for the attacker's commands is freely configurable; the default port is 2122.

The backdoor server is able to display a fake message box upon startup. This message box is freely configurable, meaning it could display anything.

If the hacker enables this feature the default settings are:

Caption: "tb", Message: "Message Box", and the dialog icon is set by default to "error-icon".

Manager Modules

The Filemanager allows the hacker to browse local and network folders and to download, upload, execute, duplicate, copy, delete and move files.

The Taskmanager shows basically the same information as the local task manager. The attacker can kill tasks on the local compromised machine.

Note: An interesting option is to run executables manually. The backdoor is then able to start other applications hidden on the computer (SW_HIDE), even if they were not designed to run hidden. The attacker can optionally supply program arguments.

The Processmanager displays the same information as the Processes tab of the local task manager to the attacker. The attacker can kill processes on the local compromised machine.

The Registrymanager has all the basic functionality of the registry editor integrated in Windows: creating new keys, deleting keys and values, and assigning new values.


The Servicemanager lets the attacker start and stop services, delete services and create new services.

Misc Operations

System Information

The attacker can see all system-related information about the compromised system. He can also reboot the system from this dialog.

Webdownloader: With this option the attacker can download files directly from the internet without needing to start a separate web browser. Execution of downloaded files is enabled by default, meaning a downloaded executable starts immediately after a successful download to the compromised machine.

Messagebox: The attacker can display a custom-defined message box on a compromised system.

Remote Shell: This is basically a remote command-line window for the attacker, who can do everything that is possible in a DOS prompt window under Windows (see the example "Dir" in the screenshot). Cut, copy, paste and selections are possible.

Socks4 Proxy: The attacker can start and stop a SOCKS4 proxy here.

Note: On a Windows XP system with Service Pack 2, the integrated firewall will notice this action.

Spying Components

The Image Grabber can be configured to display to the attacker either the local screen of the compromised system or the webcam picture, if a webcam is installed.

The Keylogger: The backdoor is able to display actual keystrokes to the attacker.

The AIM (AOL Messenger) Logger: The backdoor is able to spy on and interact with AIM.

Other Details: This threat was programmed in Delphi and contains a UPX packer for optionally recompressing generated server executables. Optionally, it is able to inject code into Explorer or into Internet Explorer to bypass firewall notifications.

History: Analysis and Write-up by: Michael St. Neitzel