Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.UEP [Threat Variant Name]

Category trojan
Size 47616 B
Detection created Jun 18, 2010
Detection database version 5208
Aliases Trojan-Banker.Win32.MultiBanker.uf (Kaspersky)
  W32/Banker2.MZ (F-Prot)
  PSW.Banker5.BDSQ (AVG)
Short description

Win32/Spy.Banker.UEP is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The trojan contains a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %path%\appconf32.exe

The %path% is one of the following strings:

  • %system%
  • %windir%

The trojan creates the following folders:

  • %path%\cock\
  • %path%\xmldm\

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%existingstring%,%path%\appconf32.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Userinit" = "%path%\appconf32.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "vendor" = "Old"
    • "prd" = "http://yozqnewnacion.com"
    • "w8" = %variable%
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\prh]
    • "prh" = "http://yozqnewnacion.com"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\tst]
    • "tst" = "http://yozqnewnacion.com"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}]
    • "(Default)" = "Adobe PDF Reader Link Helper"
    • "NoExplorer" = 1
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho]
    • "(Default)" = "Adobe PDF Reader Link Helper"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho.1]
    • "(Default)" = "Adobe PDF Reader Link Helper"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho\CLSID]
    • "(Default)" = "{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho.1\CLSID]
    • "(Default)" = "{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho\CurVer]
    • "(Default)" = "linkrdr.AIEbho.1"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}]
    • "(Default)" = "Adobe PDF Reader Link Helper"
    • "AppID" = "{30FCF052-3649-4543-B924-BA7AB9FACC8A}"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\InprocServer32]
    • "(Default)" = %path%
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\ProgID]
    • "(Default)" = "linkrdr.AIEbho.1"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\Programmable]
    • "(Default)" = 2
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\TypeLib]
    • "(Default)" = "{D662238E-9BC3-4197-A686-116E687962E8}"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\VersionIndependentProgID]
    • "(Default)" = "linkrdr.AIEbho"
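
The file, folder and Registry artifacts listed above can be checked on a live Windows host with the read-only PowerShell script below. It is an added example, not part of the ESET write-up and not the trojan's own code. It assumes an elevated session, expands %path% to both %windir% and %system%, and treats any Winlogon Userinit entry other than userinit.exe itself as suspicious; that value is also edited by some legitimate software, so every hit still needs a human look.

```powershell
# Added example (not from the ESET page): read-only host check for the
# Win32/Spy.Banker.UEP artifacts the write-up lists. Run elevated.
# Assumption: %path% is either %windir% or %windir%\System32, as stated.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy (appconf32.exe), the two staging folders created next to it,
#    and any staged cookie copies, which are named netbanke_<date>_<time>_<name>.
foreach ($base in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
    foreach ($rel in @('appconf32.exe', 'cock', 'xmldm')) {
        $p = Join-Path $base $rel
        if (Test-Path -LiteralPath $p) { $Findings.Add("File/folder present: $p") }
    }
    Get-ChildItem -LiteralPath (Join-Path $base 'xmldm') -Filter 'netbanke_*' -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("Staged cookie copy: $($_.FullName)") }
}

# 2. Winlogon\Userinit normally holds exactly one entry, <system>\userinit.exe
#    followed by a trailing comma. Every further comma-separated entry is run
#    at logon; the trojan appends itself after the existing string.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra = $entries | Where-Object { $_ -notmatch '\\userinit\.exe$' }
    foreach ($e in $extra) { $Findings.Add("Extra Userinit entry: $e") }
}

# 3. HKCU Run value named "Userinit" so that it blends in with the above.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = (Get-ItemProperty -Path $run -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($v) { $Findings.Add("HKCU Run\Userinit = $v") }

# 4. The BHO registered under the display name of a legitimate Adobe Reader
#    component, and the values written under Internet Settings.
$clsid = '{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}'
foreach ($k in @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
                 "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                 'Registry::HKEY_CLASSES_ROOT\linkrdr.AIEbho')) {
    if (Test-Path -LiteralPath $k) { $Findings.Add("Registry key present: $k") }
}
$is = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in @('vendor', 'prd', 'w8')) {
    $val = (Get-ItemProperty -Path $is -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $val) { $Findings.Add("Internet Settings\$name = $val") }
}
foreach ($sub in @('prh', 'tst')) {
    if (Test-Path -LiteralPath "$is\$sub") { $Findings.Add("Internet Settings\$sub key present") }
}

# 5. IE told to hide the information bar it shows when Protected Mode is off.
$ie = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$npm = (Get-ItemProperty -Path $ie -Name NoProtectedModeBanner -ErrorAction SilentlyContinue).NoProtectedModeBanner
if ($npm -eq 1) { $Findings.Add('IE Main\NoProtectedModeBanner = 1') }

if ($Findings.Count -eq 0) { 'No Win32/Spy.Banker.UEP artifacts found.' } else { $Findings }
```

The Userinit check is the one worth keeping in a general hunting script: splitting the value on commas and flagging anything that is not userinit.exe catches this family's persistence regardless of the file name the dropped copy uses.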

The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • system
  • smss.exe
  • srss.exe
  • lsass.exe
  • csrss.exe
  • services.exe
  • winlogon.exe

Other information

The trojan searches for the following cookie files:

  • *@abmr[*
  • *@us[*
  • *2o7*
  • *53[*
  • *action.mathtag*
  • *adbrite*
  • *advanta*
  • *advertising*
  • *aib[*
  • *amagerbanken*
  • *andelskassen*
  • *apmebf*
  • *associatedbank*
  • *atdmt*
  • *bancopopular*
  • *banken*
  • *bankofamerica*
  • *bankofoklahoma*
  • *basisbank*
  • *bbandt*
  • *bbt[*
  • *bbvabancomerusa*
  • *beyond*
  • *bmo[*
  • *bnpparibas*
  • *bridgetrack*
  • *burstnet*
  • *capitalone*
  • *careerbuilder*
  • *careercast*
  • *casalemedia*
  • *chase*
  • *citi.*
  • *citibank*
  • *cnb[*
  • *colonialbank*
  • *comerica*
  • *commercebank*
  • *coremetrics*
  • *danskebank*
  • *db[*
  • *diba[*
  • *dice[*
  • *discovercard*
  • *djs*
  • *djs-netbank*
  • *doubleclick*
  • *ebh-bank*
  • *e-finance*
  • *eloqua*
  • *etrade*
  • *fih[*
  • *fioniabank*
  • *firstbankpr*
  • *firstcitizens*
  • *firsthorizon*
  • *forbank*
  • *froes*
  • *fsb.netminers*
  • *handelsbanken*
  • *HB[*
  • *himmerland*
  • *hitbox*
  • *homebanking*
  • *hsbc*
  • *huntington*
  • *hvidbjergbank*
  • *ic-live*
  • *infotechalliance*
  • *ingdirect*
  • *instadia*
  • *interclick*
  • *jobing*
  • *juniper*
  • *key*
  • *langspar*
  • *lillespar*
  • *liveperson*
  • *lokalbanken*
  • *lokalsparekassen*
  • *lollandsbank*
  • *lpk[*
  • *lsb[*
  • *maxbank*
  • *mibank*
  • *middelfartsparekasse*
  • *midspar*
  • *midtfjord*
  • *moensbank*
  • *monster[*
  • *morsbank*
  • *morsoesparekasse*
  • *mufg*
  • *mynycb*
  • *mystreetscape*
  • *nationalcity*
  • *nationalcitycardservicesonline*
  • *nationalirishbank*
  • *navyfcu*
  • *netminers*
  • *net-temps*
  • *northernbank.co*
  • *northerntrust*
  • *nykredit*
  • *pensam*
  • *peoples*
  • *pnc[*
  • *portal*
  • *prod.bec*
  • *quantserve*
  • *rbcbankusa*
  • *rbs[*
  • *regions*
  • *revsci*
  • *riba[*
  • *ringkjoebing-bank*
  • *roiservice*
  • *roskildebank*
  • *ru4*
  • *sallingbank*
  • *sbbank*
  • *schwab*
  • *scorecardresearch*
  • *searchmarketing*
  • *servlet*
  • *sharethis*
  • *sparbank*
  • *sparekassen*
  • *sparekassenfaaborg*
  • *sparekassenthy*
  • *sparfar*
  • *sparhobro*
  • *sparhvetbo*
  • *sparkron*
  • *sparlolland*
  • *sparnebel*
  • *sparnord*
  • *sparoj*
  • *sparostjyl*
  • *sparsalling*
  • *sparskals*
  • *sparthy*
  • *specificclick*
  • *statistik-gallup*
  • *suntrust*
  • *synovus*
  • *totalbanken*
  • *track.adform*
  • *tribalfusion*
  • *usbank*
  • *vestjyskbank*
  • *vinderupbank*
  • *vorbank*
  • *wachovia*
  • *wamu*
  • *washingtonpost*
  • *websteronline*
  • *webtrendslive*
  • *wellsfargo*
  • *www.al-bank*
  • *xiti[*
  • *yahoo*
  • *yieldmanager*
  • *zedo*
  • *zionsbank*

Only the following folders are searched:

  • %cookies%
  • %appdata%\Mozilla\Firefox\Profiles

The trojan obtains the name of the source folder from the following Registry record:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    • "Cookies" = "%cookies%"

The trojan may create copies of the following files (source, destination):

  • %cookies%\*.*, %path%\cock\*.*
  • %cookies%\*.*, %path%\xmldm\netbanke_%date%_%time%_*.*
  • %appdata%\Mozilla\Firefox\Profiles\*.*, %path%\cock\*.*
  • %appdata%\Mozilla\Firefox\Profiles\*.*, %path%\xmldm\netbanke_%date%_%time%_*.*
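
The cookie-file names above are wildcard patterns matched against the names of the files in the cookie folder. Internet Explorer of that era stores each cookie as <user>@<host>[<n>].txt, so a pattern that ends in "[" such as *bbt[* anchors the host name at its end: it matches alice@bbt[1].txt but not alice@bbtools[1].txt, while *bankofamerica* matches anywhere in the name. The PowerShell below is an added example, not part of the ESET write-up, showing which files such a filter would have selected. The pattern list is a subset of the one above and the file names are constructed.

```powershell
# Added example (not from the ESET page): evaluate the trojan's cookie-name
# filter against IE cookie file names. Subset of the patterns in the write-up;
# the sample file names below are constructed, not taken from a real host.

$Patterns = @('*@abmr[*', '*bbt[*', '*bankofamerica*', '*citibank*',
              '*doubleclick*', '*pnc[*', '*wellsfargo*', '*yahoo*')

function ConvertTo-PatternRegex {
    param([string]$Pattern)
    # Escape every regex metacharacter (so '[' and '.' stay literal), then turn
    # the escaped '*' back into a greedy wildcard and anchor both ends.
    '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
}

function Get-HarvestableCookies {
    param([string[]]$FileNames, [string[]]$PatternList = $Patterns)
    $compiled = foreach ($p in $PatternList) {
        [pscustomobject]@{ Pattern = $p; Regex = [regex]::new((ConvertTo-PatternRegex $p), 'IgnoreCase') }
    }
    foreach ($f in $FileNames) {
        $hit = $compiled | Where-Object { $_.Regex.IsMatch($f) } | Select-Object -First 1
        if ($hit) { [pscustomobject]@{ File = $f; MatchedPattern = $hit.Pattern } }
    }
}

# Constructed sample names in IE's <user>@<host>[n].txt format.
$Sample = @(
    'alice@bbt[1].txt',                 # matches *bbt[*
    'alice@bbtools[1].txt',             # does not: 'bbt' is not followed by '['
    'alice@www.bankofamerica[2].txt',   # matches *bankofamerica*
    'alice@ad.doubleclick[1].txt',      # ad-network cookies are harvested too
    'alice@online.citibank[1].txt',     # matches *citibank*
    'alice@example[1].txt'              # no match
)

Get-HarvestableCookies -FileNames $Sample | Format-Table -AutoSize

# Against the real folder (the same one the trojan reads from Shell Folders\Cookies):
# $cookieDir = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Cookies
# Get-HarvestableCookies -FileNames (Get-ChildItem -LiteralPath $cookieDir -File | ForEach-Object Name)
```

Note that the filter mixes banks with advertising and analytics hosts (doubleclick, atdmt, coremetrics and so on); a match therefore does not by itself mean a banking session was exposed, only that the file would have been copied to %path%\cock\ and staged for upload.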

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of one URL. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • update itself to a newer version
  • remove itself from the infected computer
  • steal information from the Windows clipboard
  • capture screenshots
  • log keystrokes

The trojan collects the following information:

  • cookies
  • passwords
  • Internet Explorer version
  • Mozilla Firefox version
  • Mozilla Firefox account information

The trojan can send the information to a remote machine.

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • mcvsshld.exe

The trojan may delete the following files:

  • %path%\cock\*.*

The trojan alters the behavior of the following processes:

  • bdagent.exe
  • avgtray.exe
  • npfuser.exe
  • AVKTray.exe
