Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.VIB [Threat Variant Name]

Category trojan
Size 159744 B
Detection created Feb 17, 2011
Detection database version 5884
Aliases Trojan-Dropper.Win32.Agent.eiap (Kaspersky)
Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\svchost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wsock32" = "%windir%\svchost.exe"

The trojan injects its own program code into the following processes and runs it there as a new thread:

  • firefox.exe
  • iexplore.exe

Information stealing

The trojan collects various information when firefox.exe is being used to access the following sites:

  • www.stardoll.com
  • 87.245.192.46
  • videochat.ru
  • comet.lovesupport.ru
  • mlgame.ru
  • neverfate.ru
  • odnoklassniki.ua
  • www.odnoklassniki.ua
  • odnoklassniki.ru
  • bar-navig.yandex.ru
  • www.facebook.com
  • s.sputnik.mail.ru
  • www.odnoklassniki.ru
  • vkontakte.ru
  • mail.google.com
  • safebrowsing.clients.google.com
  • node1.gorodigr.ru

The trojan collects various information when iexplore.exe is being used to access the following sites:

  • www.stardoll.com
  • 87.245.192.46
  • videochat.ru
  • comet.lovesupport.ru
  • mlgame.ru
  • neverfate.ru
  • odnoklassniki.ua
  • www.odnoklassniki.ua
  • odnoklassniki.ru
  • bar-navig.yandex.ru
  • www.facebook.com
  • s.sputnik.mail.ru
  • www.odnoklassniki.ru
  • vkontakte.ru
  • mail.google.com
  • safebrowsing.clients.google.com
  • node1.gorodigr.ru
  • ibc.bpf.ru
  • fbid.ru
  • www.fbid.ru
  • ibc.svib.ru
  • ibc.nordea.ru
  • web.odinbank.ru
  • bc.kbmkb.ru
  • ibc.orgbank.com
  • ibc.kmbank.com
  • bc1.kedrbank.com
  • ibank.investbank.ru
  • ibc.gib.su
  • ibc.vpb.su
  • oka.barclays.ru
  • bankline.ru
  • www.bankline.ru

It can execute the following operations:

  • capture screenshots
  • log keystrokes

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a URL and communicates with the remote machine over HTTP.

Other information

The trojan can download a file from the Internet and execute it.

The file is stored in the following location:

  • %temp%\run.exe
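The following PowerShell script is an added triage example, not code from ESET or from this page. It checks the host-based indicators listed under "Installation" and "Other information" above: the dropped copy at %windir%\svchost.exe, the "wsock32" value under the HKCU Run key, the downloaded payload at %temp%\run.exe, and whether either of the two browsers the trojan injects into is running. It assumes it is run on the suspect machine in the profile of the affected user (the Run key is per-user). The only facts it adds beyond the page are that a genuine svchost.exe lives in %windir%\System32 (and SysWOW64), never in the %windir% root, and that the sample size on this page is 159744 B, which is used only as a hint since other variants may differ.

```powershell
# Added triage script for the Win32/Spy.Banker.VIB indicators on this page.
# Not ESET code. Run on the suspect host as the affected user; the %windir%
# file check may need elevation depending on directory permissions.
$findings = @()

# 1. Dropped copy: %windir%\svchost.exe. The legitimate svchost.exe lives in
#    %windir%\System32 (and SysWOW64); a copy directly under %windir% is not
#    normal and matches the location described on this page.
$dropped = Join-Path $env:windir 'svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    $item = Get-Item -LiteralPath $dropped
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    # 159744 B is the size of the sample described on the page; treat a
    # mismatch as "still suspicious", not as a clean result.
    $sizeNote = if ($item.Length -eq 159744) {
        'size matches the 159744 B sample'
    } else {
        'size {0} B (page sample: 159744 B)' -f $item.Length
    }
    $findings += 'File present: {0} ({1}, SHA256 {2})' -f $dropped, $sizeNote, $hash
}

# 2. Persistence: HKCU\...\Run value "wsock32" pointing at the dropped file.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['wsock32']) {
    $findings += "Run value 'wsock32' = '$($run.wsock32)'"
}

# 3. Downloaded payload location from "Other information": %temp%\run.exe.
$payload = Join-Path $env:TEMP 'run.exe'
if (Test-Path -LiteralPath $payload) {
    $findings += "File present: $payload"
}

# 4. Injection targets. A running browser is not an indicator by itself, but
#    it is where the injected thread lives until the process exits, so list
#    them for the analyst to inspect or terminate.
$browsers = Get-Process -Name firefox, iexplore -ErrorAction SilentlyContinue
if ($browsers) {
    $procList = ($browsers | ForEach-Object { '{0} PID {1}' -f $_.Name, $_.Id }) -join ', '
    $findings += "Injection targets running: $procList"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Spy.Banker.VIB indicators from this page found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

If the script reports findings, deleting %windir%\svchost.exe alone is not enough: the Run value must be removed, and because the trojan runs as an injected thread inside firefox.exe and iexplore.exe, those processes must be terminated before the host can be considered clean. Credentials entered on any of the sites listed above while the machine was infected should be treated as compromised.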
