Win32/Spy.Banker [Threat Name] go to Threat

Win32/Spy.Banker.WQO [Threat Variant Name]

Category trojan
Size 429056 B
Detection created Sep 21, 2011
Detection database version 6482
Aliases Trojan-Banker.Win32.Banker.aec (Kaspersky)
  PWS-Banker!h2c (McAfee)
  PSW.Banker6.KMJ (AVG)
Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. The file is run-time compressed using UPX .


The trojan does not create any copies of itself.

In order to be executed on every system start, the modifies the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%malwarefilename" = "%malwarepath%"
Information stealing

The trojan collects information used to access certain sites.

The trojan collects various information when the user is accessing the following sites:


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • volume serial number
  • list of disk devices and their type
  • computer name
  • user name
  • network adapter information

The trojan displays the following fake dialog boxes:

The goal of the malware is to persuade the user to fill in personal information.

The collected information is stored in the following file:

  • C:\­mail.log

The trojan attempts to send gathered information to a remote machine.

The trojan contains an URL address. The HTTP protocol is used.

Other information

The trojan may display the following message:

The trojan may create the text file:

  • C:\­Windows\­System32\­inf.ini

Please enable Javascript to ensure correct displaying of this content and refresh this page.