Aliases: W32/Banleed
Variants: W32.Banleed.b

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: Europe, Some parts of North and South America
Removal: Easy
Platform: W32
Discovered: 20 Apr 2006
Damage: Low

Characteristics: The W32.Banleed worm is a network-aware worm that spreads through shared folders and drives. Its main task is to steal personal account details and other information when the user of a compromised machine logs on to a bank website.

More details about W32.Banleed.A

According to some reports, upon successful execution on the compromised computer, the W32.Banleed worm first copies itself to the C:\Windows\system folder as the file system.exe. If the worm detects the file C:\halt.txt on the system, it halts its execution. If halt.txt is not present, the worm adds certain registry subkey values so that it is executed automatically along with Windows at startup. The worm then creates and runs the batch file C:\Windows\system.bat to enumerate every host in the network shares of the compromised computer. In the C:\Windows\ folder it then creates the files view.txt, which is the output of system.bat, maq.txt, which is the list of network-share hosts, and okey.txt, which is a clean .txt file. W32.Banleed attempts to propagate across the local network shares by replicating its code into the Startup folder of every detected remote machine. It also attempts to copy its executable into the remote folder \\[NETWORK_HOST]\C$\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar. The worm reportedly uses a hardcoded path when replicating itself, so this only works on Spanish/Brazilian Windows systems.

This worm can also update its code by retrieving a configuration file from the website http://www.rulandocash.net/upd/upd[REMOVED], which contains information on the version, installdir (the install path) and the download URL. It then uses that file to download a remote file from the address http://www.sinmadam.net/.%20/upd/lsas[REMOVED]. Next, the worm saves the retrieved file as C:\Windows\system\NVSVC32.EXE and runs it. It also monitors Firefox and Internet Explorer to determine when certain banking sites are visited. When the browser accesses one of the worm's monitored sites, it hijacks the browser and shows a fake web page imitating the bank's site. When the user types his/her authentication details into the fake web page, the worm captures them and sends them to a predetermined remote email address. It likewise contacts the website http://checkup.dyndns.org to obtain the public Internet IP address of the compromised system.
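The dropped files and contacted hosts named above can be turned into a simple triage check. The following script is an added example, not code from the original write-up or from any vendor tool: it looks for the named artifacts under a Windows folder passed as a parameter and flags proxy-log lines whose URL points at one of the listed hosts. Registry values are not checked because the write-up does not name them, and the sample folder and log lines in demo() are constructed.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# File artifacts from the description, relative to the Windows folder.
FILE_INDICATORS = {
    "dropped copy": Path("system", "system.exe"),
    "share enumeration script": Path("system.bat"),
    "enumeration output": Path("view.txt"),
    "share host list": Path("maq.txt"),
    "marker file": Path("okey.txt"),
    "downloaded payload": Path("system", "NVSVC32.EXE"),
}

# Hosts contacted for the update config, the payload and the IP lookup.
NETWORK_INDICATORS = {"www.rulandocash.net", "www.sinmadam.net",
                      "checkup.dyndns.org"}


def find_file_artifacts(windows_root):
    """Return {label: path} for each named artifact present under windows_root."""
    root = Path(windows_root)
    return {label: str(root / rel)
            for label, rel in FILE_INDICATORS.items() if (root / rel).is_file()}


def flag_proxy_lines(lines):
    """Return (line_no, host) for log lines whose URL points at a known host."""
    hits = []
    for no, line in enumerate(lines, 1):
        for token in line.split():
            if "://" in token:
                host = (urlsplit(token).hostname or "").lower()
                if host in NETWORK_INDICATORS:
                    hits.append((no, host))
    return hits


def demo():
    """Build a constructed Windows folder and proxy log to exercise both checks."""
    root = Path(tempfile.mkdtemp()) / "Windows"
    (root / "system").mkdir(parents=True)
    (root / "system" / "system.exe").write_bytes(b"MZ")  # constructed stand-in
    (root / "maq.txt").write_text("HOST1\nHOST2\n")      # constructed host list
    log = [  # constructed proxy lines, not real traffic
        "10.0.0.5 GET http://www.rulandocash.net/upd/ 200",
        "10.0.0.5 GET http://www.example.com/ 200",
        "10.0.0.5 GET http://checkup.dyndns.org/ 200",
    ]
    return sorted(find_file_artifacts(root)), flag_proxy_lines(log)
```

On a live system, point find_file_artifacts at the real Windows folder and feed flag_proxy_lines the proxy or DNS log for the affected subnet; a hit on either check warrants checking the Startup folders of the machine's network neighbours as well.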