Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.QEP [Threat Variant Name]

Category: trojan
Size: 6560566 B
Detection created: Jan 18, 2009
Signature database version: 3775
Aliases:
  • TrojanSpy:Win32/Bancos.DI (Microsoft)
  • Infostealer.Bancos (Symantec)
  • TR/Autorun.FR (Avira)
Short description

Win32/Spy.Banker.QEP is a trojan that steals sensitive information. The trojan attempts to send the gathered information to a remote machine. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\ctfmow.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "(Default)" = "%localappdata%\ctfmow.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\EnganarAVG]
  • [HKEY_CURRENT_USER\Virusinicializar]

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "EnableBalloonTips" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
  • [HKEY_CURRENT_USER\Software\Sysinternals\PsKill]
    • "EulaAccepted" = 1
  • [HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
    • "EulaAccepted" = 1

The trojan creates the following files:

  • C:\windows\Key_RevoltadoNova

The trojan may create the following files:

  • C:\Morre.exe (187184 B)
  • C:\System.exe (303616 B)
  • C:\Permissao.exe (234536 B)
  • C:\registros.reg (8944 B)
  • C:\setreg.cmd (527 B)
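The installation artifacts above translate directly into a host check. The following PowerShell script is an added example, not code from the ESET entry or from the sample itself: it audits a Windows host for the persistence entry, the policy changes, the marker keys and the dropped files listed in this section, and reports what it finds without modifying anything. It assumes an elevated session (so the HKLM policy key is readable) and that the dropper used the C: drive as the paths above state; the High/Medium/Low confidence labels are this example's own judgement.

```powershell
# Added example (not ESET's code, not the sample's): read-only audit for the
# Win32/Spy.Banker.QEP host artifacts listed under "Installation".
# Run from an elevated PowerShell prompt. Nothing is modified or deleted.

function New-Finding {
    param([string]$Indicator, [string]$Confidence, [string]$Detail)
    [pscustomobject]@{ Indicator = $Indicator; Confidence = $Confidence; Detail = $Detail }
}

function Get-RegValueOrNull {
    # Returns the value, or $null when the key or the value is absent.
    # '(Default)' maps to the key's default value; several autorun viewers do
    # not list default values, which is where this variant keeps its entry.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $valueName = if ($Name -eq '(Default)') { '' } else { $Name }
    return (Get-Item -LiteralPath $Path).GetValue($valueName, $null)
}

function Invoke-BankerQepAudit {
    $findings = @()

    # 1. Persistence: Run key default value pointing at %localappdata%\ctfmow.exe.
    #    REG_SZ values keep the literal %localappdata%, so expand before comparing.
    $run = Get-RegValueOrNull 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' '(Default)'
    if ($run -and ([Environment]::ExpandEnvironmentVariables("$run") -like '*\ctfmow.exe')) {
        $findings += New-Finding 'Run key (Default) -> ctfmow.exe' 'High' "$run"
    }

    # 2. Marker keys the trojan creates directly under HKCU.
    foreach ($marker in 'HKCU:\EnganarAVG', 'HKCU:\Virusinicializar') {
        if (Test-Path -LiteralPath $marker) {
            $findings += New-Finding 'Infection marker key' 'High' $marker
        }
    }

    # 3. UAC disabled system-wide (EnableLUA = 0). An administrator may also have
    #    set this, so treat it as corroborating evidence for 1 or 2.
    $lua = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    if ($null -ne $lua -and [int]$lua -eq 0) {
        $findings += New-Finding 'EnableLUA = 0 (UAC off)' 'Medium' 'HKLM\...\Policies\System'
    }

    # 4. Low-confidence settings: balloon tips suppressed and the Sysinternals EULA
    #    pre-accepted. Both are normal on hosts where an admin uses PsExec/PsKill.
    $tips = Get-RegValueOrNull 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'EnableBalloonTips'
    if ($null -ne $tips -and [int]$tips -eq 0) {
        $findings += New-Finding 'EnableBalloonTips = 0' 'Low' 'HKCU\...\Explorer\Advanced'
    }
    foreach ($tool in 'PsKill', 'PsExec') {
        $eula = Get-RegValueOrNull "HKCU:\Software\Sysinternals\$tool" 'EulaAccepted'
        if ($null -ne $eula -and [int]$eula -eq 1) {
            $findings += New-Finding "$tool EulaAccepted = 1" 'Low' "HKCU\Software\Sysinternals\$tool"
        }
    }

    # 5. Dropped files and the staging file for the stolen data, paths as listed on the page.
    $files = @(
        (Join-Path $env:LOCALAPPDATA 'ctfmow.exe'),
        (Join-Path $env:SystemRoot 'Key_RevoltadoNova'),
        'C:\Morre.exe', 'C:\System.exe', 'C:\Permissao.exe',
        'C:\registros.reg', 'C:\setreg.cmd',
        "C:\$env:COMPUTERNAME.txt"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $size = (Get-Item -LiteralPath $f).Length
            $findings += New-Finding 'Dropped file present' 'High' "$f ($size B)"
        }
    }
    return $findings
}

$result = @(Invoke-BankerQepAudit)
if ($result.Count -eq 0) { Write-Output 'No Win32/Spy.Banker.QEP artifacts found.' }
else { $result | Format-Table -AutoSize }
```

Two points worth keeping in mind when acting on the output: the persistence entry lives in the Run key's default value rather than a named value, so a tool that enumerates only named values will miss it; and "EnableLUA" = 0 survives removal of the trojan, so restoring it (and rebooting) is part of clean-up, not something the antivirus removal does for you.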

Information stealing

Win32/Spy.Banker.QEP is a trojan that steals sensitive information.

The trojan collects information used to access certain sites.

The trojan affects the behavior of the following applications:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome

The trojan searches for windows whose title contains any of the following strings:

  • Banco Itaú - Feito Para Você - Google Chrome
  • Banco Itaú - Feito Para Você - Microsoft Internet Explorer
  • Banco Itaú - Feito Para Você - Mozilla Firefox
  • Banco Itaú - Feito Para Você - Windows Internet Explorer
  • Bradesco - Google Chrome
  • Bradesco - Microsoft Internet Explorer
  • Bradesco - Mozilla Firefox
  • Bradesco - Windows Internet Explorer
  • Bradesco Pessoa Jurídica - Microsoft Internet Explorer
  • Bradesco Pessoa Jurídica - Windows Internet Explorer
  • Credicard - Google Chrome
  • Credicard - Mozilla Firefox
  • Entrar - Google Chrome
  • Entrar - Microsoft Internet Explorer
  • Entrar - Mozilla Firefox
  • Entrar - PayPal - Google Chrome
  • Entrar - PayPal - Microsoft Internet Explorer
  • Entrar - PayPal - Mozilla Firefox
  • Entrar - PayPal - Windows Internet Explorer
  • Entrar - Windows Internet Explorer
  • HSBC Bank Brasil S.A. - Banco Múltiplo - Google Chrome
  • HSBC Bank Brasil S.A. - Banco Múltiplo - Mozilla Firefox
  • Hotmail
  • SICREDI Total Internet - Windows Internet Explorer
  • Sicredi Total Internet - Microsoft Internet Explorer
  • Sicredi Total Internet - Windows Internet Explorer
  • Uniclass - Itaú Uniclass - Google Chrome
  • Uniclass - Itaú Uniclass - Internet Explorer
  • Uniclass - Itaú Uniclass - Microsoft Internet Explorer
  • Uniclass - Itaú Uniclass - Mozilla Firefox
  • Uniclass - Itaú Uniclass - Windows Internet Explorer
  • [bb.com.br] - Mozilla Firefox
  • https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1 - Google Chrome
  • https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1 - Microsoft Internet Explorer
  • https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1 - Windows Internet Explorer
  • internetbankingcaixamicrosoftinternetexplorer
  • internetbankingcaixawindowsinternetexplorer

The trojan collects various information when Internet Explorer is being used to access the following sites:

  • banrisul.com.br/brb/
  • facebook.com/
  • http://www.itau.com.br/index.htm
  • http://www.santanderempresarial.com.br/
  • https://accounts.google.com/ServiceLogin
  • https://www.credicard.com.br/BRGCB/JSO/signon/DisplayUsernameSignon.do
  • https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1
  • https://wwws3.hsbc.com.br/ITE/common/html/hsbc-online.shtml
  • itau.com.br/itaucard/
  • serasaexperian.com.br
  • sicreditotal.com.br

The trojan displays fake dialog boxes (the screenshots from the original page are not reproduced here). The goal of these dialogs is to persuade the user to fill in personal information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • computer name
  • volume serial number
  • network adapter information

The collected information is stored in the following file:

  • c:\%computername%.txt

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a list of 7 addresses. The HTTP and FTP protocols are used.

Other information

The trojan executes the following commands:

  • cmd /k del "C:\Arquivos de programas\GbPlugin\." /q
  • cmd /k rd "%ProgramFiles%\GbPlugin"
  • cmd /k del "C:\Program Files (x86)\GbPlugin\." /q
  • cmd /k rd "C:\Program Files (x86)\GbPlugin"

The trojan may execute the following commands:

  • net.exe stop sharedaccess
  • netsh advfirewall set currentprofile state off
  • cmd /k regedit /s c:\registros.reg
  • cmd /k taskkill -f /im GbpSv.exe /im explorer.exe
  • cmd /k c:\Permissao.exe -i -s c:\setreg.cmd
  • cmd /k c:\Morre.exe -t winlogon.exe
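The two command lists above are the most useful detection material on this page: stopping the firewall service, switching the firewall profile off, importing a .reg file silently and killing the bank's GbPlugin service are each visible in process-creation telemetry. The following PowerShell is an added example, not part of the ESET entry: it encodes those command lines as regular expressions and runs them over a handful of constructed process-creation events. In practice the input would be Sysmon Event ID 1 or Security 4688 records projected onto a Time/Image/CommandLine shape; the timestamps, image paths and the benign event are made up for the example.

```powershell
# Added example (not ESET's code): match the command lines attributed to
# Win32/Spy.Banker.QEP against process-creation events.
# Patterns follow the commands listed on this page; PowerShell -match is
# case-insensitive, so "Net.exe STOP SharedAccess" matches as well.

$BankerQepRules = @(
    @{ Name = 'GbPlugin directory wiped';  Pattern = 'cmd\s+/k\s+(del|rd)\s+"[^"]*\\GbPlugin' }
    @{ Name = 'Firewall service stopped';  Pattern = 'net(\.exe)?\s+stop\s+sharedaccess' }
    @{ Name = 'Firewall profile disabled'; Pattern = 'netsh\s+advfirewall\s+set\s+currentprofile\s+state\s+off' }
    @{ Name = 'Silent .reg import';        Pattern = 'regedit\s+/s\s+c:\\registros\.reg' }
    @{ Name = 'GbpSv/explorer killed';     Pattern = 'taskkill\s+-f\s+/im\s+GbpSv\.exe' }
    @{ Name = 'Dropped helper executed';   Pattern = 'c:\\(Permissao|Morre)\.exe' }
)

function Find-BankerQepCommands {
    # Takes objects with Time, Image and CommandLine properties and returns one
    # hit per (event, rule) pair, so a single event can raise several rules.
    param([Parameter(Mandatory)][psobject[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $BankerQepRules) {
            if ($e.CommandLine -match $r.Pattern) {
                [pscustomobject]@{
                    Time        = $e.Time
                    Rule        = $r.Name
                    Image       = $e.Image
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample events for the example (not from a real host).
$sampleEvents = @(
    [pscustomobject]@{ Time = '2009-01-18T10:00:01'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd /k del "C:\Program Files (x86)\GbPlugin\." /q' }
    [pscustomobject]@{ Time = '2009-01-18T10:00:02'; Image = 'C:\Windows\System32\net.exe'
                       CommandLine = 'net.exe stop sharedaccess' }
    [pscustomobject]@{ Time = '2009-01-18T10:00:03'; Image = 'C:\Windows\System32\netsh.exe'
                       CommandLine = 'netsh advfirewall set currentprofile state off' }
    [pscustomobject]@{ Time = '2009-01-18T10:00:04'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd /k taskkill -f /im GbpSv.exe /im explorer.exe' }
    [pscustomobject]@{ Time = '2009-01-18T10:00:05'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd /c dir C:\Users' }   # benign, should not match
)

Find-BankerQepCommands -Events $sampleEvents | Format-Table -AutoSize
```

The first four sample events each produce one hit and the benign `dir` produces none. The firewall rules on their own are noisy on hosts where administrators script firewall changes; the combination of a firewall change with a GbPlugin deletion or a `taskkill` of GbpSv.exe from the same parent within a short window is the signal worth alerting on.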

The trojan may delete the following files:

  • C:\Arquivos de programas\GbPlugin\gbiehcef.dll
  • C:\Program Files (x86)\GbPlugin\gbiehcef.dll
  • C:\Arquivos de programas\GbPlugin\gbieh.dll
  • C:\Program Files (x86)\GbPlugin\gbieh.dll
  • C:\Arquivos de programas\GbPlugin\gbiehabn.dll
  • C:\Program Files (x86)\GbPlugin\gbiehabn.dll
  • C:\Arquivos de programas\GbPlugin\gbiehuni.dll
  • C:\Program Files (x86)\GbPlugin\gbiehuni.dll
  • C:\Arquivos de programas\Scpad\scpsssh2.dll
  • C:\Program Files (x86)\Scpad\scpsssh2.dll
  • C:\Arquivos de programas\GbPlugin\gbiehscd.dll
  • C:\Program Files (x86)\GbPlugin\gbiehscd.dll
  • C:\registros.reg
  • C:\setreg.cmd
  • C:\Morre.exe
  • C:\Permissao.exe
  • C:\System.exe

The trojan may delete the following Registry entries:

  • [HKEY_CLASSES_ROOT\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
  • [HKEY_CLASSES_ROOT\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}]
  • [HKEY_CLASSES_ROOT\CLSID\{AF45043F-819C-47CC-9B37-94DBE50A6E63}]
  • [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}]
  • [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540007}]
  • [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}]
  • [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}]
  • [HKEY_CLASSES_ROOT\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}]
  • [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}]
  • [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399007}]
  • [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}]
  • [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}]
  • [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
  • [HKEY_CLASSES_ROOT\Gbieh.GbIehObj.1]
  • [HKEY_CLASSES_ROOT\Gbieh.GbIehObj]
  • [HKEY_CLASSES_ROOT\Gbieh.GbPluginObj.1]
  • [HKEY_CLASSES_ROOT\Gbieh.GbPluginObj]
  • [HKEY_CLASSES_ROOT\GbpDist.GbpDistObj.1]
  • [HKEY_CLASSES_ROOT\GbpDist.GbpDistObj]
  • [HKEY_CLASSES_ROOT\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C8826EA}]
  • [HKEY_CLASSES_ROOT\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_CLASSES_ROOT\TypeLib\{04978612-A774-406D-AF1B-F44E2838D72A}]
  • [HKEY_CLASSES_ROOT\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}]
  • [HKEY_CLASSES_ROOT\TypeLib\{9CA261C7-D518-4987-B434-10A1B243C8B8}]
  • [HKEY_CLASSES_ROOT\TypeLib\{AD764BE6-87A7-46A1-8C55-A712D079E749}]
  • [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}]
  • [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540007}]
  • [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}]
  • [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}]
  • [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
  • [HKEY_CURRENT_USER\Software\GbPlugin]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF45043F-819C-47CC-9B37-94DBE50A6E63}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540007}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399007}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbIehObj.1]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbIehObj]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbPluginObj.1]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbPluginObj]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GbpDist.GbpDistObj.1]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GbpDist.GbpDistObj]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C8826EA}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{04978612-A774-406D-AF1B-F44E2838D72A}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9CA261C7-D518-4987-B434-10A1B243C8B8}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AD764BE6-87A7-46A1-8C55-A712D079E749}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540007}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginBb]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginCef]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginScd]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginUni]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\scpLIB.dll]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\scpMIB.dll]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\scpsssh2.dll]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPKM]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpKm]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpKm]
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPKM]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpKm]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]
  • [HKEY_USERS\S-1-5-21-854245398-1708537768-2147221027-1003\Software\GbPlugin]

The trojan may restart the operating system.
