Win32/Spy.Banker [Threat Name]
Win32/Spy.Banker.ADYV [Threat Variant Name]
Category: trojan
Size: 835584 B
Short description
Win32/Spy.Banker.ADYV is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
The trojan does not create any copies of itself.
The trojan is usually a part of other malware.
The trojan may install the following system drivers (path, name):
- %windir%\system32\drivers\%variable1%.sys, %variable2%
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast! Antivirus]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgwd]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AVG Antivirus]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BavSvc]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AntiVirService]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "AntiVirusDisableNotify" = 1
- [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
- "DisableNotificationCenter" = 1
The trojan may delete the following files:
- %windir%\system32\drivers\%variable1%.sys
- %startup%\%variable3%.lnk
- %appdata%\%variable4%
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
- "%variable5%" = "%existingrecord%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable3%" = "%existingrecord%"
A string with variable content is used instead of %variable1-5%.
The trojan may execute the following commands:
- bcdedit.exe /set testsigning Yes
- schtasks.exe /Create /SC ONLOGON /TN "jFEs7TM3" /TR "%malwarecmdline%" /F /RL HIGHEST
- schtasks.exe /Delete /TN "jFEs7TM3" /F
- shutdown.exe -r -f -t 0
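The service Start values, the two notification-suppression values, the logon-triggered scheduled task and the bcdedit change listed above are concrete host indicators a defender can check for. The following PowerShell script is an added example, not part of the ESET description, that audits a host for those indicators and reports what it finds without changing anything. It assumes an elevated session on Windows 8 or later (for Get-ScheduledTask); the driver-signature check is a heuristic, since the driver name (%variable1%.sys) is variable.

```powershell
# Added example (not from the ESET page): read-only audit of the host-side
# indicators in the Win32/Spy.Banker.ADYV description. Run elevated.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Security services whose Start value the trojan sets to 4 (disabled).
$serviceKeys = @('avast! Antivirus', 'avgwd', 'AVG Antivirus', 'BavSvc', 'WinDefend', 'AntiVirService')
foreach ($name in $serviceKeys) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $path) {
        $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings.Add("Service '$name' is disabled (Start=4)") }
    }
}

# 2. Notification-suppression values the trojan sets to 1.
$valueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';          Name = 'AntiVirusDisableNotify' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Explorer'; Name = 'DisableNotificationCenter' }
)
foreach ($c in $valueChecks) {
    if (Test-Path $c.Path) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.($c.Name) -eq 1) { $findings.Add("$($c.Path)\$($c.Name) = 1") }
    }
}

# 3. The ONLOGON scheduled task name the trojan uses for persistence.
$task = Get-ScheduledTask -TaskName 'jFEs7TM3' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task 'jFEs7TM3' present, action: $action")
}

# 4. Test-signing mode, which lets the unsigned %variable1%.sys driver load.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*testsigning\s+Yes') { $findings.Add('Boot entry has testsigning=Yes') }

# 5. Heuristic: drivers in system32\drivers without a valid Authenticode signature.
#    Catalog-signed Microsoft drivers can show as NotSigned on some builds, so
#    treat this list as leads to review rather than as confirmed findings.
$driverDir = Join-Path $env:windir 'system32\drivers'
Get-ChildItem -Path $driverDir -Filter '*.sys' -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Driver without valid signature: $($_.FullName) ($($sig.Status))")
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the Win32/Spy.Banker.ADYV description were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on checks 1 to 4 is a strong indicator on its own, because none of those values are set that way by normal software; check 5 is only there to narrow down which driver to submit for analysis once the first four have fired.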
Information stealing
Win32/Spy.Banker.ADYV is a trojan that steals sensitive information.
The trojan tries to appear to be a legitimate application.
The goal of the malware is to persuade the user to fill in/send sensitive personal information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- user name
- computer name
- volume serial number
- operating system version
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID] Registry subkeys
- installed software
- malware version
The trojan attempts to send gathered information to a remote machine. The HTTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. The TCP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- capture screenshots
- shut down/restart the computer
- simulate user's input (clicks, taps)
- simulate mouse activity
- manipulate application windows
- send gathered information
The trojan may hook selected Windows APIs.
The trojan hooks the following Windows APIs:
- LdrLoadDll (ntdll.dll)