Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.WBU [Threat Variant Name]

Category trojan
Size 53752 B
Detection created Mar 30, 2011
Detection database version 6001
Aliases Trojan.Win32.Menti.muah (Kaspersky)
  PWS:Win32/Banker.O (Microsoft)
Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %system%\appconf32.exe (53752 B)
  • %appdata%\appconf32.exe (53752 B)

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Userinit" = "%malwarefilepath%"

This causes the trojan to be executed on every system start.
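The two persistence entries above are easy to audit from an exported registry hive and a directory listing. The following script is an added defender-side example (not part of the ESET entry): it parses a `.reg` export, flags any Userinit entry other than the stock `userinit.exe`, flags a Run value that is named "Userinit" at all, and checks whether the dropped copy is present in the expanded %system% and %appdata% locations. The registry export, the file listing and the expansions `C:\Windows\system32` and `C:\Users\alice\AppData\Roaming` are constructed sample data; the stock Userinit value is assumed to be `C:\Windows\system32\userinit.exe,` (the Windows default, with its trailing comma) and can be overridden for systems installed elsewhere.

```python
import re
from pathlib import PureWindowsPath

# Stock Winlogon Userinit binary; the trojan appends or replaces this with its own path.
# Assumed default for a standard install; pass another value for non-standard layouts.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# File name the trojan drops into %system% and %appdata% (from the entry above).
DROP_NAME = "appconf32.exe"

# Constructed .reg export of the two keys, written the way 'reg export' writes them
# (backslashes doubled). Stands in for a real host's registry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\appconf32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Userinit"="C:\\Users\\alice\\AppData\\Roaming\\appconf32.exe"
'''

# Constructed expansions of %system% / %appdata% and a directory listing for the same host.
SYSTEM_DIR = r"C:\Windows\system32"
APPDATA_DIR = r"C:\Users\alice\AppData\Roaming"
SAMPLE_FILES = [
    r"C:\Windows\system32\userinit.exe",
    r"C:\Windows\system32\appconf32.exe",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
]


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: string_value}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        match = re.match(r'"([^"]+)"=(.*)', line)
        if match and current is not None:
            name, value = match.group(1), match.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            result[current][name] = value
    return result


def check_userinit(reg, default_userinit=DEFAULT_USERINIT):
    """Flag the Winlogon and Run-key Userinit abuse this variant configures."""
    findings = []
    userinit = reg.get(WINLOGON_KEY, {}).get("Userinit", "")
    # Userinit is a comma-separated list; anything beyond the stock binary is suspicious.
    for entry in userinit.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() != default_userinit:
            findings.append(f"Winlogon Userinit has non-default entry: {entry}")
    run_values = reg.get(HKCU_RUN_KEY, {})
    # A Run value named "Userinit" has no legitimate reason to exist.
    if "Userinit" in run_values:
        findings.append(f"HKCU Run value named 'Userinit': {run_values['Userinit']}")
    return findings


def check_drop_locations(existing_files, system_dir, appdata_dir):
    """Return the drop paths from the entry that appear in a file listing."""
    candidates = [PureWindowsPath(system_dir, DROP_NAME), PureWindowsPath(appdata_dir, DROP_NAME)]
    present = {str(PureWindowsPath(p)).lower() for p in existing_files}
    return [str(c) for c in candidates if str(c).lower() in present]


def scan(reg_text, existing_files, system_dir, appdata_dir):
    """Run both checks and return one list of human-readable findings."""
    reg = parse_reg_export(reg_text)
    findings = check_userinit(reg)
    for path in check_drop_locations(existing_files, system_dir, appdata_dir):
        findings.append(f"Dropped copy present: {path}")
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_REG, SAMPLE_FILES, SYSTEM_DIR, APPDATA_DIR):
        print(line)
```

On a real host, feed the script the output of `reg export` for the two keys and a listing of the two directories; the comparison is case-insensitive because Windows paths are, and the trailing comma in a clean Userinit value yields an empty entry that is deliberately ignored.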

Information stealing

The trojan collects information used to access certain sites.


The following information is collected:

  • a list of recently visited URLs
  • cookies

The trojan collects information related to the following applications:

  • e-Safekey
  • Java KeyStore

The following keywords are monitored:

  • microsoft
  • careercast
  • pensam
  • 53.com

The trojan is able to log keystrokes.


The collected information is stored in the following files:

  • %appdata%\%variable%
  • %system%\%variable%
  • %appdata%\xmldm\%variable%
  • %system%\xmldm\%variable%

A string with variable content is used instead of %variable%.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan creates and runs a new thread with its own program code in all running processes.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • K7Sysmon.exe

The trojan hooks the following Windows APIs:

  • CreateFileW (kernel32.dll)
  • InternetConnectA (wininet.dll)
  • InternetOpenW (wininet.dll)
  • InternetOpenA (wininet.dll)
  • InternetCrackUrlA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • NtClose (ntdll.dll)
  • CreateProcessW (kernel32.dll)
  • ExitProcess (kernel32.dll)

The trojan may create the following folders:

  • %system%\xmldm\
  • %system%\UAs\
  • %system%\kock\
  • %appdata%\xmldm\
  • %appdata%\UAs\
  • %appdata%\kock\

The trojan may create the following files:

  • %system%\blck2.wav
  • %system%\blckdom.res
  • %system%\loaupdt.jpg
  • %system%\proxy.txt
  • %system%\serial.dbg
  • %system%\srvblck2.tmp
  • %system%\urhtps.dat
  • %appdata%\blck2.wav
  • %appdata%\blckdom.res
  • %appdata%\loaupdt.jpg
  • %appdata%\proxy.txt
  • %appdata%\serial.dbg
  • %appdata%\srvblck2.tmp
  • %appdata%\urhtps.dat

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "ActivateProxy" = "%record1%"
    • "date" = "%record2%"
    • "del" = "%record3%"
    • "delete" = "%record4%"
    • "FILE" = "%record5%"
    • "hist" = "%record6%"
    • "ins" = "%record7%"
    • "nerproxy" = "%record8%"
    • "net" = "%record9%"
    • "OLD" = "%record10%"
    • "PATH" = "%record11%"
    • "prd" = "%record12%"
    • "prh" = "%record13%"
    • "proxy" = "%record14%"
    • "TASK" = "%record15%"
    • "time" = "%record16%"
    • "tst" = "%record17%"
    • "URL" = "%record18%"
    • "vendor" = "%record19%"
    • "ver" = "%record20%"
    • "VERS" = "%record21%"
    • "w8" = "%record22%"
    • "WithProxy" = "%record23%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\prh]
    • "prh" = "%record24%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MAO Settings]
    • "AddonLoadTimeThreshold" = "%record25%"
    • "SuppressPerfBarUntil" = "%record26%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1

A string with variable content is used instead of %record1-26%.


The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%variable%]

The trojan may execute the following commands:

  • %system%\TSTheme.exe

The trojan can download and execute a file from the Internet.


The trojan contains a list of (7) URLs. The HTTP protocol is used.
