Win32/AutoRun.Spy.Banker [Threat Name] go to Threat

Win32/AutoRun.Spy.Banker.G [Threat Variant Name]

Category worm
Size 50688 B
Aliases Trojan-Spy.Win32.Carberp.amo (Kaspersky)
  Worm:Win32/Autorun.ABO (Microsoft)
  Trojan.Horse (Symantec)
Short description

Win32/AutoRun.Spy.Banker.G is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely. The worm collects information used to access certain sites. The file is run-time compressed using UPX .


When executed, the worm copies itself in some of the the following locations:

  • %system%\­svrwsc.exe
  • %appdata%\­svrwsc.exe

This copy of the worm is then executed.

After the installation is complete, the worm deletes the original executable file.

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SvrWsc]
    • "Description" = "The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
    • "Display Name" = "Windows Security Center Service"
    • "ErrorControl" = 0
    • "Type" = 16
    • "Start" = 2
    • "ImagePath" = "%system%\­svrwsc.exe"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SvrWsc\­Security]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SvrWsc\­Enum]
    • "0" = "Root\­LEGACY_SVRWSC\­0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_CRRENT_USERU\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SvrWsc" = "%appdata%\­svrwsc.exe"
    • "X1" = "%random1%"
    • "X2" = 0
    • "X1" = 0

This causes the worm to be executed on every system start.

A string with variable content is used instead of %random1% .

The worm looks for processes with any of the following strings in their name:

  • services.exe
  • winlogon.exe
  • userinit.exe
  • svchost.exe
  • explorer.exe
  • outlook.exe
  • msimn.exe
  • iexplore.exe
  • firefox.exe

The worm creates and runs a new thread with its own code within these running processes.

Spreading on removable media

The worm copies itself to the following location:

  • %removabledrive%\­%random2%\­%random3%

The worm creates the following file:

  • %removabledrive%\­autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

A string with variable content is used instead of %random2-3% .

Information stealing

The worm collects the following information:

  • cookies
  • Mozilla Firefox account information
  • digital certificates
  • login user names for certain applications/services
  • login passwords for certain applications/services

The collected information is stored in the following file:

  • %commonappdata%\­Microsoft\­MSOFFICE\­TEMP\­doc~1.dat

The worm attempts to send gathered information to a remote machine.

Other information

The worm serves as a backdoor. It can be controlled remotely.

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • set up a proxy server
  • delete cookies
  • delete folders
  • delete files
  • monitor network traffic

The worm hooks the following Windows APIs:

  • LdrLoadDll (ntdll.dll)
  • ZwResumeThread (ntdll.dll)
  • PFXImportCertStore (crypt32.dll)
  • InitializeSecurityContextA (secur32.dll)
  • InitializeSecurityContextW (secur32.dll)
  • SealMessage (secur32.dll)
  • UnsealMessage (secur32.dll)
  • getaddrinfo (ws2_32.dll)
  • connect (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • closesocket (ws2_32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.