Win32/Spy.Banker [Threat Name] go to Threat

Win32/Spy.Banker.WXR [Threat Variant Name]

Category trojan
Size 2534912 B
Detection created Nov 28, 2011
Detection database version 6666
Aliases Trojan-Downloader.Win32.Agent.tlat (Kaspersky)
  TrojanSpy:win32/Banker.YT (Microsoft)
  PSW.Banker6.JJE (AVG)
Short description

The trojan collects information used to access certain sites. The trojan attempts to send gathered information to a remote machine.


The trojan does not create any copies of itself.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "GNV" = "%malwarefilepath%"
Information stealing

The trojan collects various information when iexplore.exe is being used to access the following sites:


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • GRID card data

The trojan collects various information when Windows Live Messenger is being used.

The trojan displays the following fake dialog boxes:

The goal of the malware is to persuade the user to fill in personal information.

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

Other information

The trojan hides windows of running processes which contain any of the following strings in their title:

  • Windows Live Messenger

The following programs are terminated:

  • iexplore.exe

It can execute the following operations:

  • modify network traffic
  • monitor network traffic
  • redirect network traffic
  • send gathered information

The trojan tries to download several files from the Internet.

Please enable Javascript to ensure correct displaying of this content and refresh this page.