F-Secure
Tools
Summary
A dropper Trojan that contains malicious or potentially unwanted software, which it 'drops' and installs on the affected system.Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Binanen.A creates a dummy iexplore.exe process, and runs its malicious activity by silently dropping the following file:
It also copies itself to:
And, creates the following registry keys:
Payload
Once the malware is executed, the dropped file will try to disguise itself under a true process name and will be injected into a hidden dummy process. Then, it will execute certain command lines such as ipconfig, which can be used to retrieve IP address, subnet mask, and default gateway.
Once the DLL file has been injected and running under the hidden Internet Explorer process, the attacker will be able to control the infected machine and retrieve information such as list of processes and hard disk information from the affected machine. The attacker could also obtain data such as username, system date and time, and how long the machine has been up and running.
- C:\windows\system32\winimet.dll
It also copies itself to:
- C:\windows\system32\binanen.exe
And, creates the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{26D37492-FEC2-C272-9882-6D97A521F122}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{761CC820-6EC0-5921-1400-8442C1E2FB90}
Payload
Once the malware is executed, the dropped file will try to disguise itself under a true process name and will be injected into a hidden dummy process. Then, it will execute certain command lines such as ipconfig, which can be used to retrieve IP address, subnet mask, and default gateway.
Once the DLL file has been injected and running under the hidden Internet Explorer process, the attacker will be able to control the infected machine and retrieve information such as list of processes and hard disk information from the affected machine. The attacker could also obtain data such as username, system date and time, and how long the machine has been up and running.