Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.WKO [Threat Variant Name]

Category trojan
Size 3297280 B
Detection created Aug 02, 2011
Detection database version 6344
Aliases Trojan-Banker.Win32.Banker.sits (Kaspersky)
  TrojanSpy:Win32/Banker.ZF (Microsoft)
  W32/Banker.FOBU (Norman)

Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. The file is run-time compressed using UPX.


When executed, the trojan copies itself into the following location:

  • %commonappdata%\Settingss\Mutinep.exe

The trojan creates the following files:

  • %malwarepath%\hookdll.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Mutinep.exe" = "%commonappdata%\Settingss\Mutinep.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "(Default)" = "%commonappdata%\Settingss"
    • "DesignerLG.exe" = ""
    • "Hardware.exe" = ""
    • "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background"

Information stealing

The trojan collects information used to access certain sites.

The trojan collects various information when the user is accessing the following sites:


The following information is collected:

  • login name
  • login password
  • GRID card data

The trojan displays the following fake dialog boxes:

The goal of the malware is to persuade the user to fill in personal information.

The trojan may display the following message:

The trojan gathers e-mail addresses from all local files.

E-mail addresses are searched for in files with one of the following extensions:

  • .dbx
  • .wab
  • .mbx
  • .mai
  • .eml
  • .tbb
  • .mbox

E-mail addresses are also searched for in the following program:

  • MSN Messenger

The collected information is stored in the following file:

  • %commonappdata%\Settingss.txt

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a list of 18 URLs.

It tries to download a file from these addresses.

The file is stored in the following location:

  • %temp%\%variable%.exe

A string with variable content is used instead of %variable%.

The file is then executed. The HTTP protocol is used.

The trojan hooks the following Windows APIs:

  • OpenProcess (kernel32.dll)
  • TerminateProcess (kernel32.dll)

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Settingss]
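
The registry artefacts listed above (the Run entries and the Settingss key) can be checked for in a `reg export` of a user hive. The following triage script is an added example, not part of the original description; the function names and the sample export are constructed for illustration, and the input is assumed to be already decoded to text (`reg export` writes UTF-16LE).

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
STATE_KEY = r"HKEY_CURRENT_USER\Software\Settingss"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample of decoded `reg export HKCU` output (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\ProgramData\\Settingss"
"Mutinep.exe"="C:\\ProgramData\\Settingss\\Mutinep.exe"
"DesignerLG.exe"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Settingss]
'''

def _unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _unescape(m.group(2))
    return keys

def find_indicators(text):
    """List (kind, name, data) tuples for the registry artefacts described above."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        n, d = name.lower(), data.lower().rstrip("\\")
        if n == "mutinep.exe" or d.endswith("\\settingss\\mutinep.exe"):
            hits.append(("run-persistence", name, data))
        elif n == "(default)" and d.endswith("\\settingss"):
            hits.append(("run-default-dir", name, data))
        elif n in ("designerlg.exe", "hardware.exe") and data == "":
            hits.append(("run-empty-marker", name, data))
    # MSMSGS is skipped: it names a Messenger path, not the trojan's own files.
    if STATE_KEY.lower() in keys:
        hits.append(("state-key", STATE_KEY, ""))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EXPORT):
        print(hit)
```

Paths are matched on their `\Settingss\...` suffix because %commonappdata% expands differently across Windows versions.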
