Win32/AutoRun.Spy.Banker [Threat Name]
Win32/AutoRun.Spy.Banker.G [Threat Variant Name]
Detection created: Oct 25, 2010
Signature database version: 5562
Win32/AutoRun.Spy.Banker.G is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely. The worm collects information used to access certain sites. The file is run-time compressed using UPX.
When executed, the worm copies itself to some of the following locations:
This copy of the worm is then executed.
After the installation is complete, the worm deletes the original executable file.
The worm may set the following Registry entries:
- "Description" = "The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
- "Display Name" = "Windows Security Center Service"
- "ErrorControl" = 0
- "Type" = 16
- "Start" = 2
- "ImagePath" = "%system%\svrwsc.exe"
- "ObjectName" = "LocalSystem"
- "0" = "Root\LEGACY_SVRWSC\0000"
- "Count" = 1
- "NextInstance" = 1
- "SvrWsc" = "%appdata%\svrwsc.exe"
- "X1" = "%random1%"
- "X2" = 0
- "X1" = 0
This causes the worm to be executed on every system start.
A string with variable content is used instead of %random1%.
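The values listed above amount to two persistence mechanisms: a Win32 service named after the binary (Type 16 is SERVICE_WIN32_OWN_PROCESS and Start 2 is SERVICE_AUTO_START, so the Service Control Manager launches it at every boot as LocalSystem) whose display name and description imitate the legitimate Security Center service (wscsvc), plus a per-user Run value pointing at a second copy under %appdata%. The Python script below is an added example, not part of the ESET description: it parses a constructed .reg-style export and flags the entries that match those indicators, so it can be run offline against hives exported from a suspect machine. The key paths HKLM\SYSTEM\CurrentControlSet\Services\<name> and HKCU\Software\Microsoft\Windows\CurrentVersion\Run are the standard locations for such values, but the description itself does not name the keys, so treat them as assumptions; the expanded paths and the user name are constructed.

```python
import re

# Constructed .reg-style export (not taken from the page). It reproduces the
# values listed in the description under the usual service and Run key paths,
# with %system% and %appdata% expanded to example locations, plus the genuine
# Security Center service (wscsvc) for comparison.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc]
"Description"="The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
"DisplayName"="Windows Security Center Service"
"ErrorControl"=dword:00000000
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\system32\\svrwsc.exe"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SvrWsc"="C:\\Users\\alice\\AppData\\Roaming\\svrwsc.exe"
'''

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
RUN_SUFFIX = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SERVICE_WIN32_OWN_PROCESS = 0x10   # the "Type" = 16 from the description
SERVICE_AUTO_START = 2             # the "Start" = 2 from the description


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: value}}.

    Handles quoted REG_SZ values (with doubled-backslash and escaped-quote
    sequences) and dword: values, which is all these indicators need.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            value = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        tree[current][name] = value
    return tree


def find_indicators(tree):
    """Return human-readable findings for entries matching the description."""
    findings = []
    for key, values in tree.items():
        # The page prints "Display Name"; in the hive the value is DisplayName,
        # so compare on a normalised name.
        norm = {n.replace(" ", "").lower(): v for n, v in values.items()}
        if key.upper().startswith(SERVICES_PREFIX.upper()):
            svc = key[len(SERVICES_PREFIX):]
            image = str(norm.get("imagepath", ""))
            display = str(norm.get("displayname", ""))
            if svc.lower() == "svrwsc" or image.lower().endswith("svrwsc.exe"):
                autostart = (norm.get("start") == SERVICE_AUTO_START
                             and norm.get("type") == SERVICE_WIN32_OWN_PROCESS)
                findings.append(f"service {svc}: ImagePath {image}"
                                + (" (own-process, auto-start)" if autostart else ""))
            # A Security Center display name on any service other than the
            # real wscsvc is the masquerade described above.
            if "security center" in display.lower() and svc.lower() != "wscsvc":
                findings.append(f"service {svc}: display name '{display}' imitates "
                                "the built-in Security Center service (wscsvc)")
        elif key.upper().endswith(RUN_SUFFIX.upper()):
            for name, value in values.items():
                if name.lower() == "svrwsc" or str(value).lower().endswith("svrwsc.exe"):
                    findings.append(f"Run value {name} -> {value}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against a real export with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and the same for the user's Run key) and feed the file contents to `parse_reg`; the display-name check is the one worth keeping beyond this family, since borrowing a built-in service's name is a common masquerade.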
The worm looks for processes with any of the following strings in their name:
The worm creates and runs a new thread with its own code within these running processes.
Spreading on removable media
The worm copies itself to the following location:
The worm creates the following file:
The AUTORUN.INF file contains the path to the malware executable.
Thus, the worm ensures it is started each time infected media is inserted into the computer.
A string with variable content is used instead of %random2-3%.
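AutoRun is honoured only on Windows versions and configurations that still process autorun.inf from removable drives (current Windows ignores it for non-optical media), but the file still tells an analyst where the worm's copy lives on the stick. The script below is an added example, not part of the ESET description: it parses a constructed autorun.inf with the standard-library INI reader and reports every program the file would launch (open=, shellexecute=, shell\...\command=), plus the action= text used to make the launch look like opening a folder. The folder and file names are placeholders standing in for the %random2-3% values the page does not give.

```python
import configparser
import ntpath

# Constructed autorun.inf (not from the page): the description only says the
# file contains the path to the worm's copy, so the folder and file names here
# are stand-ins for the %random2-3% placeholders.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-example\\sample.exe
shell\\open\\command=RECYCLER\\S-1-5-21-example\\sample.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def load_autorun(inf_text):
    """Parse autorun.inf with the stdlib INI reader.

    strict=False tolerates the duplicate keys some droppers write, and
    interpolation=None keeps %SystemRoot%-style values from being mangled.
    Keys are lower-cased by configparser, which suits case-insensitive INF.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(inf_text)
    return cp


def referenced_programs(inf_text):
    """Return (directive, path) for every program autorun.inf would launch."""
    cp = load_autorun(inf_text)
    hits = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if not value.strip():
                continue
            launches = key in LAUNCH_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches:
                # Drop arguments and surrounding quotes to keep the program path.
                hits.append((key, value.strip().split()[0].strip('"')))
    return hits


def triage_autorun(inf_text):
    """Findings for removable-media triage: programs launched, and an action=
    string that disguises the launch as a folder open."""
    findings = []
    for directive, path in referenced_programs(inf_text):
        ext = ntpath.splitext(path)[1].lower()
        if ext in EXEC_EXT:
            findings.append(f"{directive}= launches executable {path}")
    cp = load_autorun(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    action = cp.get(section, "action", fallback="") if section else ""
    if findings and "folder" in action.lower():
        findings.append(f"action= text '{action}' disguises the launch as a folder open")
    return findings


if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Paths in autorun.inf are relative to the root of the volume, so the reported path is where to collect the sample from the mounted media; a hidden or system-attributed folder at that location is the usual accompaniment.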
The worm collects the following information:
- Mozilla Firefox account information
- digital certificates
- login user names for certain applications/services
- login passwords for certain applications/services
The collected information is stored in the following file:
The worm attempts to send gathered information to a remote machine.
The worm serves as a backdoor. It can be controlled remotely.
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of 2 URLs and communicates with them over HTTP.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- set up a proxy server
- delete cookies
- delete folders
- delete files
- monitor network traffic
The worm hooks the following Windows APIs:
- LdrLoadDll (ntdll.dll)
- ZwResumeThread (ntdll.dll)
- PFXImportCertStore (crypt32.dll)
- InitializeSecurityContextA (secur32.dll)
- InitializeSecurityContextW (secur32.dll)
- SealMessage (secur32.dll)
- UnsealMessage (secur32.dll)
- getaddrinfo (ws2_32.dll)
- connect (ws2_32.dll)
- gethostbyname (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- recv (ws2_32.dll)
- WSARecv (ws2_32.dll)
- closesocket (ws2_32.dll)
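The hooked exports line up with the capabilities described above: InitializeSecurityContext, SealMessage and UnsealMessage are the SSPI calls Schannel uses to set up TLS and to encrypt and decrypt application data, so hooking them exposes web-session plaintext before encryption; PFXImportCertStore handles PKCS#12 certificate imports (the digital certificates collected above); the ws2_32 exports cover name resolution and raw socket I/O (the network-traffic monitoring); and hooks on LdrLoadDll and ZwResumeThread are the usual way to re-apply hooks in newly loaded modules and in child processes started suspended, matching the thread-injection behaviour described earlier. The description does not say how the hooks are installed. The Python below is an added example, not from the page, and assumes inline hooks that overwrite each export's prologue; it shows the check a memory-forensics script performs: classify the first bytes of each export and, for a jmp rel32, resolve the target and test whether it leaves the module's own image. All module ranges, addresses and byte strings are constructed.

```python
import struct
from typing import Optional

# Constructed module image ranges and export prologues (not captured from a real
# system). Clean entries carry the 32-bit hot-patchable prologue
# mov edi,edi / push ebp / mov ebp,esp (8B FF 55 8B EC); the others have been
# overwritten with the redirections an inline hook typically plants.
MODULES = {
    "secur32.dll": (0x77FE0000, 0x77FF0000),
    "ws2_32.dll": (0x71AB0000, 0x71AC0000),
    "crypt32.dll": (0x77A80000, 0x77B20000),
}

SAMPLES = [  # (dll, export, export address, first 8 bytes)
    ("secur32.dll", "InitializeSecurityContextW", 0x77FE3A10, bytes.fromhex("8bff558bec83ec1c")),
    ("secur32.dll", "SealMessage", 0x77FE1234, bytes.fromhex("e9a0fe3f70cc9090")),  # jmp rel32
    ("ws2_32.dll", "send", 0x71AB4C27, bytes.fromhex("ff2510a0f57c9090")),        # jmp [abs32]
    ("ws2_32.dll", "recv", 0x71AB615A, bytes.fromhex("6800104000c39090")),        # push imm32; ret
    ("crypt32.dll", "PFXImportCertStore", 0x77A9B0C0, bytes.fromhex("8bff558bec8b4508")),
]


def classify_prologue(code: bytes) -> Optional[str]:
    """Name the redirection at the start of an export, or None if it looks intact."""
    if code[0] == 0xE9:
        return "jmp rel32"
    if code[0] == 0xE8:
        return "call rel32"
    if code[:2] == b"\xff\x25":
        return "jmp [abs32]"
    if code[0] == 0x68 and len(code) > 5 and code[5] == 0xC3:
        return "push imm32; ret"
    if code[0] == 0xCC:
        return "int3"
    return None


def jmp_target(insn_addr: int, code: bytes) -> int:
    """Destination of an E9 jmp rel32 located at insn_addr (32-bit wraparound)."""
    rel = struct.unpack_from("<i", code, 1)[0]
    return (insn_addr + 5 + rel) & 0xFFFFFFFF


def check_export(dll, name, addr, code):
    """Return (dll, name, detail) when the export's prologue is redirected."""
    reason = classify_prologue(code)
    if reason is None:
        return None
    detail = reason
    if reason == "jmp rel32":
        target = jmp_target(addr, code)
        lo, hi = MODULES[dll]
        where = "inside" if lo <= target < hi else "outside"
        detail += f" -> {target:#010x} ({where} {dll} image)"
    return (dll, name, detail)


def scan(samples):
    """Apply check_export to every sample and keep the redirected ones."""
    return [hit for hit in (check_export(*s) for s in samples) if hit]


if __name__ == "__main__":
    for dll, name, detail in scan(SAMPLES):
        print(f"{dll}!{name}: {detail}")
```

A jump that stays inside the module is not evidence on its own (compilers and Microsoft's own hot-patching emit them); a branch to a page outside every loaded image, typically private heap memory, is the pattern to escalate. Comparing the in-memory bytes with the relocated on-disk copy of the DLL removes the remaining false positives, which is what Volatility's apihooks plugin does against a memory image.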