Win32/AutoRun.Spy.Banker [Threat Name]

Win32/AutoRun.Spy.Banker.M [Threat Variant Name]

Category worm
Size 229888 B
Detection created Nov 13, 2011
Detection database version 6626
Aliases PWS-Zbot.gen.matrojan (McAfee)
  Worm:Win32/Cridex.B (Microsoft)
  W32.SillyDC (Symantec)
Short description

Win32/AutoRun.Spy.Banker.M is a worm that steals passwords and other sensitive information. The worm attempts to send gathered information to a remote machine.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\KB%variable%.exe (229888 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "KB%variable%.exe" = "%appdata%\KB%variable%.exe"

The worm creates the following file:

  • %temp%\POS%variable1%.tmp.bat

A string with variable content is used instead of %variable1-2%.


The file is then executed.


After the installation is complete, the worm deletes the original executable file.

Spreading

The worm may create copies of itself on removable drives.

Information stealing

The worm collects the following information:

  • list of running processes
  • computer name
  • volume serial number
  • digital certificates
  • login user names for certain applications/services
  • login passwords for certain applications/services

The collected information is stored in the following file:

  • %localappdata%\%variable%\%variable%.dat

A string with variable content is used instead of %variable%.


The worm attempts to send gathered information to a remote machine.
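
The following PowerShell script is an added example, not part of the ESET description: it checks a Windows host for the file and Registry artefacts listed under Installation and Information stealing (the Run-key value and KB<variable>.exe copy in %appdata%, the POS<variable>.tmp.bat helper in %temp%, and the <variable>\<variable>.dat store in %localappdata%). The placeholder names, the 229888-byte size and the key paths come from the page; the script assumes the default profile layout under \Users (AppData\Roaming, AppData\Local\Temp) and that the two %variable% placeholders in the .dat path stand for the same string. It reads the Run key of every loaded user hive, not only the current user's, since persistence is per user.

```powershell
# Added example: host check for the artefacts the description lists.
# Run in an elevated PowerShell; the script only reads, it removes nothing.

$ExpectedSize = 229888            # size of the dropped copy, from the description
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Indicator, [string]$Name, [string]$Path, $Extra = $null)
    $findings.Add([pscustomobject]@{
        Indicator = $Indicator
        Name      = $Name
        Path      = $Path
        OnDisk    = [bool](Test-Path -LiteralPath $Path -PathType Leaf)
        Extra     = $Extra
    })
}

# 1. Run key of every loaded user hive: a value named "KB<variable>.exe" whose data
#    points at <profile>\AppData\Roaming\KB<variable>.exe
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid    = $_.PSChildName
        $runKey = "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($null -eq $run) { return }
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # provider metadata, not a Run value
            # the data may be stored expanded or with the %appdata% variable; handle both
            $target = [Environment]::ExpandEnvironmentVariables(([string]$prop.Value).Trim('"'))
            if ($prop.Name -match '^KB.+\.exe$' -and $target -match '\\AppData\\Roaming\\KB[^\\]+\.exe$') {
                $size = if (Test-Path -LiteralPath $target -PathType Leaf) { (Get-Item -LiteralPath $target).Length } else { $null }
                Add-Finding -Indicator 'Run key' -Name "$sid : $($prop.Name)" -Path $target -Extra "size=$size expected=$ExpectedSize"
            }
        }
    }

# 2. Per-profile file artefacts (assumes the default profile layout under \Users)
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $roaming = Join-Path $_.FullName 'AppData\Roaming'
    $local   = Join-Path $_.FullName 'AppData\Local'

    # KB<variable>.exe copy in %appdata%; compare against the size the page gives
    Get-ChildItem -Path $roaming -Filter 'KB*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Indicator 'AppData copy' -Name $_.Name -Path $_.FullName -Extra "size=$($_.Length) match=$($_.Length -eq $ExpectedSize)"
    }

    # POS<variable>.tmp.bat helper in %temp%; the worm deletes its original executable,
    # so this batch file can be the only dropper trace that survives on disk
    Get-ChildItem -Path (Join-Path $local 'Temp') -Filter 'POS*.tmp.bat' -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Indicator 'Temp batch' -Name $_.Name -Path $_.FullName
    }

    # %localappdata%\<variable>\<variable>.dat store (assumption: both placeholders are the same string)
    Get-ChildItem -Path $local -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dat = Join-Path $_.FullName ($_.Name + '.dat')
        if (Test-Path -LiteralPath $dat -PathType Leaf) {
            Add-Finding -Indicator 'Stolen-data store' -Name $_.Name -Path $dat -Extra "size=$((Get-Item -LiteralPath $dat).Length)"
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No matching artefacts found.' }
```

The size comparison is a hint rather than a verdict: a repacked build of the same family will differ, so a KB*.exe in %appdata% that is referenced from a Run key deserves a closer look even when the size does not match. The .dat check is the most specific of the four, because a directory under %localappdata% containing a single .dat file with the same name as the directory is an unusual layout for legitimate software.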

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (4) URLs. The HTTPS protocol is used.


It can execute the following operations:

  • send files to a remote computer
  • retrieve information from protected storage and send it to the remote computer
  • send the list of running processes to a remote computer
  • download files from a remote computer and/or the Internet
  • run executable files
  • delete files

The worm may create and run a new thread with its own program code within any running process.


The worm interferes with the operation of some security applications to avoid detection.


The worm may install the following system drivers (path, name):

  • %system%\drivers\%variable%.sys

The worm contains both 32-bit and 64-bit program components.


The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%\]
    • "DisplayName" = ""
    • "Group" = "Boot Bus Extender"
    • "ImagePath" = "%system%\drivers\%variable%.sys"
    • "ErrorControl" = 0
    • "Start" = 0
    • "Tag" = 1
    • "Type" = 1

A string with variable content is used instead of %variable%.


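The driver service entries above describe a boot-start kernel driver in the "Boot Bus Extender" load-order group with an empty DisplayName. As an added example (not part of the ESET description), the following PowerShell script enumerates the Services key for entries matching that combination (Type 1, Start 0, that Group, empty DisplayName), resolves the ImagePath to a file and reports its Authenticode signature state. Legitimate storage and bus drivers ship in the same group, so the empty DisplayName and the signature state are the discriminators; the signature check is an assumption added here, not something the description states.

```powershell
# Added example: find boot-bus-extender driver services registered the way the
# description lists. Run in an elevated PowerShell; read-only.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath {
    # Driver ImagePath values come in several spellings; normalise to a filesystem path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                              # "\??\C:\..."  -> "C:\..."
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # "\SystemRoot\system32\..."
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"   # "system32\drivers\x.sys"
    return $p
}

$suspects = foreach ($svc in (Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue)) {
    $v = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $v) { continue }

    # Values from the description: Type 1 (kernel driver), Start 0 (boot),
    # Group "Boot Bus Extender", DisplayName ""
    $isBootDriver  = ($v.Type -eq 1) -and ($v.Start -eq 0)
    $isBusExtender = ($v.Group -eq 'Boot Bus Extender')
    $noDisplayName = [string]::IsNullOrEmpty($v.DisplayName)
    if (-not ($isBootDriver -and $isBusExtender -and $noDisplayName)) { continue }

    $image  = Resolve-DriverImagePath ([string]$v.ImagePath)
    $onDisk = (-not [string]::IsNullOrEmpty($image)) -and (Test-Path -LiteralPath $image -PathType Leaf)
    # Signature state as discriminator (assumption beyond the page): a Valid signature
    # from a known vendor usually means a legitimate bus extender.
    $sigState = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }

    [pscustomobject]@{
        Service      = $svc.PSChildName
        ImagePath    = $v.ImagePath
        Resolved     = $image
        OnDisk       = $onDisk
        Signature    = $sigState
        ErrorControl = $v.ErrorControl     # description lists 0
        Tag          = $v.Tag              # description lists 1
    }
}

if ($suspects) { $suspects | Format-Table -AutoSize -Wrap } else { 'No boot-bus-extender driver service with an empty DisplayName found.' }
```

Because the driver loads at boot with Start = 0, the host should also be examined offline (mounted disk or SYSTEM hive copy) when the live results look clean, since the description notes that the worm interferes with security applications and hooks user-mode APIs once running.
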
The worm hooks the following Windows APIs:

  • LdrLoadDll (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • closesocket (ws2_32.dll)
  • connect (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • recv (ws2_32.dll)
  • select (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
