Win32/Spy.BifiBank [Threat Name]

Win32/Spy.BifiBank.AB [Threat Variant Name]

Category: trojan
Size: 39936 B
Detection created: Dec 14, 2009
Detection database version: 4687
Aliases:

  • Trojan-Banker.Win32.BifiBank.c (Kaspersky)
  • TrojanSpy:Win32/Mafod!rts (Microsoft)
  • Trojan.PWS.Banker.36488 (Dr.Web)

Short description

Win32/Spy.BifiBank.AB is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan drops the following file in the %system% folder:

  • %variable%.dll (28160 B)

A string with variable content is used instead of %variable%.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\su]
    • "(Default)" = "%filepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "WinBinaryId" = %hex_value%
    • "SystemProcessHandleQuota" = %value%
    • "AppInit_DLLs" = "%variable%.dll"

This way, the trojan ensures that the library with the following name is injected into all running processes:

  • %system%\%variable%.dll
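
The registry changes listed above can be checked offline against an exported copy of the key. The following is an added example, not ESET's code: it assumes the key was saved as `.reg` text (for example with `reg export`), and the function names, the sample export and the DLL name `example1.dll` are constructed for illustration.

```python
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
TROJAN_VALUES = ("WinBinaryId", "SystemProcessHandleQuota")  # names from the write-up
TROJAN_SUBKEY = WINDOWS_KEY + r"\su"                          # subkey from the write-up

# Constructed sample export; the DLL name and all data values are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="example1.dll"
"WinBinaryId"=hex:00,01
"SystemProcessHandleQuota"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\su]
@="C:\\WINDOWS\\system32\\example1.dll"
'''

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: raw_data}} (continuation lines ignored)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if header:
            current = keys.setdefault(header.group(1).lower(), {})
        elif value and current is not None:
            name = "(default)" if value.group(1) == "@" else value.group(1)[1:-1]
            current[name.lower()] = value.group(2)
    return keys

def reg_string(raw):
    """Decode a REG_SZ literal; return "" for missing or non-string data."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return ""

def triage(text):
    """Return (reason, detail) findings for the registry changes the write-up lists."""
    keys = parse_reg_export(text)
    values = keys.get(WINDOWS_KEY.lower(), {})
    # AppInit_DLLs is a space- or comma-separated list; every entry needs review.
    dlls = re.split(r"[ ,]+", reg_string(values.get("appinit_dlls", "")))
    findings = [("AppInit_DLLs entry", d) for d in dlls if d]
    findings += [("value from write-up", n) for n in TROJAN_VALUES if n.lower() in values]
    su = keys.get(TROJAN_SUBKEY.lower())
    if su is not None:
        findings.append(("subkey from write-up", reg_string(su.get("(default)", ""))))
    return findings
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `triage()`.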

Information stealing

Win32/Spy.BifiBank.AB is a trojan that steals passwords and other sensitive information.


The trojan collects sensitive information when the user browses certain web sites.


The trojan can send the information to a remote machine.


The trojan contains a list of IP addresses with 1 entry.

Other information

The trojan may create copies of the following files (source, destination):

  • %system%\%variable%.dll, %system%\pcie32.sys

The trojan may create the following files:

  • %system%\%random%.bat

A string with variable content is used instead of %random%.


The trojan tries to download a file from the Internet.


The file is stored in the following location:

  • %system%\0.exe

The file is then executed.
