Win32/Spy.Banker [Threat Name]
Win32/Spy.Banker.QEP [Threat Variant Name]
Category | trojan
Size | 6560566 B
Aliases | TrojanSpy:Win32/Bancos.DI (Microsoft), Infostealer.Bancos (Symantec), TR/Autorun.FR (Avira)
Short description
Win32/Spy.Banker.QEP is a trojan that steals sensitive information. The trojan attempts to send the gathered information to a remote machine. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\ctfmow.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "(Default)" = "%localappdata%\ctfmow.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\EnganarAVG]
- [HKEY_CURRENT_USER\Virusinicializar]
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "EnableBalloonTips" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLUA" = 0
- [HKEY_CURRENT_USER\Software\Sysinternals\PsKill]
- "EulaAccepted" = 1
- [HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
- "EulaAccepted" = 1
The trojan creates the following files:
- C:\windows\Key_RevoltadoNova
The trojan may create the following files:
- C:\Morre.exe (187184 B)
- C:\System.exe (303616 B)
- C:\Permissao.exe (234536 B)
- C:\registros.reg (8944 B)
- C:\setreg.cmd (527 B)
Information stealing
Win32/Spy.Banker.QEP is a trojan that steals sensitive information.
The trojan collects information used to access certain sites.
The trojan affects the behavior of the following applications:
- Internet Explorer
- Mozilla Firefox
- Google Chrome
The trojan searches for windows whose title contains any of the following strings:
- Banco Itaú - Feito Para Você - Google Chrome
- Banco Itaú - Feito Para Você - Microsoft Internet Explorer
- Banco Itaú - Feito Para Você - Mozilla Firefox
- Banco Itaú - Feito Para Você - Windows Internet Explorer
- Bradesco - Google Chrome
- Bradesco - Microsoft Internet Explorer
- Bradesco - Mozilla Firefox
- Bradesco - Windows Internet Explorer
- Bradesco Pessoa Jurídica - Microsoft Internet Explorer
- Bradesco Pessoa Jurídica - Windows Internet Explorer
- Credicard - Google Chrome
- Credicard - Mozilla Firefox
- Entrar - Google Chrome
- Entrar - Microsoft Internet Explorer
- Entrar - Mozilla Firefox
- Entrar - PayPal - Google Chrome
- Entrar - PayPal - Microsoft Internet Explorer
- Entrar - PayPal - Mozilla Firefox
- Entrar - PayPal - Windows Internet Explorer
- Entrar - Windows Internet Explorer
- HSBC Bank Brasil S.A. - Banco Múltiplo - Google Chrome
- HSBC Bank Brasil S.A. - Banco Múltiplo - Mozilla Firefox
- Hotmail
- SICREDI Total Internet - Windows Internet Explorer
- Sicredi Total Internet - Microsoft Internet Explorer
- Sicredi Total Internet - Windows Internet Explorer
- Uniclass - Itaú Uniclass - Google Chrome
- Uniclass - Itaú Uniclass - Internet Explorer
- Uniclass - Itaú Uniclass - Microsoft Internet Explorer
- Uniclass - Itaú Uniclass - Mozilla Firefox
- Uniclass - Itaú Uniclass - Windows Internet Explorer
- [bb.com.br] - Mozilla Firefox
- https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1 - Google Chrome
- https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1 - Microsoft Internet Explorer
- https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1 - Windows Internet Explorer
- internetbankingcaixamicrosoftinternetexplorer
- internetbankingcaixawindowsinternetexplorer
The trojan collects various information when Internet Explorer is being used to access the following sites:
- banrisul.com.br/brb/
- facebook.com/
- http://www.itau.com.br/index.htm
- http://www.santanderempresarial.com.br/
- https://accounts.google.com/ServiceLogin
- https://www.credicard.com.br/BRGCB/JSO/signon/DisplayUsernameSignon.do
- https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1
- https://wwws3.hsbc.com.br/ITE/common/html/hsbc-online.shtml
- itau.com.br/itaucard/
- serasaexperian.com.br
- sicreditotal.com.br
The trojan displays the following fake dialog boxes:
The goal of the malware is to persuade the user to fill in personal information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- computer name
- volume serial number
- network adapter information
The collected information is stored in the following file:
- c:\%computername%.txt
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 7 addresses. The HTTP and FTP protocols are used.
Other information
The trojan executes the following commands:
- cmd /k del "C:\Arquivos de programas\GbPlugin\." /q
- cmd /k rd "%ProgramFiles%\GbPlugin"
- cmd /k del "C:\Program Files (x86)\GbPlugin\." /q
- cmd /k rd "C:\Program Files (x86)\GbPlugin"
The trojan may execute the following commands:
- net.exe stop sharedaccess
- netsh advfirewall set currentprofile state off
- cmd /k regedit /s c:\registros.reg
- cmd /k taskkill -f /im GbpSv.exe /im explorer.exe
- cmd /k c:\Permissao.exe -i -s c:\setreg.cmd
- cmd /k c:\Morre.exe -t winlogon.exe
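As an added defensive example (not part of this description), the following Python checks a registry export and a set of process command lines against the persistence, UAC and command-line indicators listed in the Installation and Other information sections. The sample inputs are constructed, and the hit labels and regex patterns are assumptions made here, not ESET's detection logic.

```python
import re
# Constructed sample input modelled on this description's indicators (a .reg-style
# export excerpt and a few process command lines); not captured from a real host.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Users\\alice\\AppData\\Local\\ctfmow.exe"
[HKEY_CURRENT_USER\EnganarAVG]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"""
SAMPLE_CMDLINES = [
    "netsh advfirewall set currentprofile state off",
    "cmd /k taskkill -f /im GbpSv.exe /im explorer.exe",
    "notepad.exe C:\\notes.txt",  # benign line, must not match
]
# Keys the trojan creates under HKCU; their mere presence is a strong indicator.
MARKER_KEYS = {r"hkey_current_user\enganaravg", r"hkey_current_user\virusinicializar"}
MARKER_VALUES = [(r"policies\system", "enablelua", "dword:00000000"),          # UAC switched off
                 (r"explorer\advanced", "enableballoontips", "dword:00000000")]  # balloon tips off
# Loose patterns for the commands listed under "Other information".
CMD_PATTERNS = [
    (r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", "firewall disabled"),
    (r"net(\.exe)?\s+stop\s+sharedaccess", "firewall service stopped"),
    (r"taskkill\b.*\bgbpsv\.exe", "GbPlugin service killed"),
    (r"regedit\s+/s\s+c:\\registros\.reg", "registros.reg imported"),
    (r"c:\\(morre|permissao|system)\.exe", "dropped helper executed"),
]
def scan_reg_export(text):
    """Return indicator labels found in a .reg-style export (matching is case-insensitive)."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # start of a new key section
            key = line[1:-1].lower()
            if key in MARKER_KEYS:
                hits.append("marker key: " + key)
        elif "=" in line:                                  # "name"=data inside the section
            name, data = line.split("=", 1)
            name, data = name.strip('"').lower(), data.strip().strip('"').lower()
            # Persistence: Run key default value ("@") pointing at %localappdata%\ctfmow.exe
            if key.endswith(r"currentversion\run") and name == "@" and re.search(r"\\ctfmow\.exe$", data):
                hits.append("run key default -> ctfmow.exe")
            for suffix, vname, vdata in MARKER_VALUES:
                if key.endswith(suffix) and name == vname and data == vdata:
                    hits.append(vname + " = 0")
    return hits

def scan_commandlines(cmdlines):
    """Return (command, label) pairs for command lines that match CMD_PATTERNS."""
    return [(cmd, label) for cmd in cmdlines
            for pat, label in CMD_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
```

The Sysinternals EulaAccepted values are deliberately left out: on their own they only show that PsKill/PsExec ran, which is common on administered hosts.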
The trojan may delete the following files:
- C:\Arquivos de programas\GbPlugin\gbiehcef.dll
- C:\Program Files (x86)\GbPlugin\gbiehcef.dll
- C:\Arquivos de programas\GbPlugin\gbieh.dll
- C:\Program Files (x86)\GbPlugin\gbieh.dll
- C:\Arquivos de programas\GbPlugin\gbiehabn.dll
- C:\Program Files (x86)\GbPlugin\gbiehabn.dll
- C:\Arquivos de programas\GbPlugin\gbiehuni.dll
- C:\Program Files (x86)\GbPlugin\gbiehuni.dll
- C:\Arquivos de programas\Scpad\scpsssh2.dll
- C:\Program Files (x86)\Scpad\scpsssh2.dll
- C:\Arquivos de programas\GbPlugin\gbiehscd.dll
- C:\Program Files (x86)\GbPlugin\gbiehscd.dll
- C:\registros.reg
- C:\setreg.cmd
- C:\Morre.exe
- C:\Permissao.exe
- C:\System.exe
The trojan may delete the following Registry entries:
- [HKEY_CLASSES_ROOT\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
- [HKEY_CLASSES_ROOT\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}]
- [HKEY_CLASSES_ROOT\CLSID\{AF45043F-819C-47CC-9B37-94DBE50A6E63}]
- [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
- [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}]
- [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540007}]
- [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}]
- [HKEY_CLASSES_ROOT\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}]
- [HKEY_CLASSES_ROOT\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}]
- [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}]
- [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399007}]
- [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}]
- [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}]
- [HKEY_CLASSES_ROOT\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
- [HKEY_CLASSES_ROOT\Gbieh.GbIehObj.1]
- [HKEY_CLASSES_ROOT\Gbieh.GbIehObj]
- [HKEY_CLASSES_ROOT\Gbieh.GbPluginObj.1]
- [HKEY_CLASSES_ROOT\Gbieh.GbPluginObj]
- [HKEY_CLASSES_ROOT\GbpDist.GbpDistObj.1]
- [HKEY_CLASSES_ROOT\GbpDist.GbpDistObj]
- [HKEY_CLASSES_ROOT\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C8826EA}]
- [HKEY_CLASSES_ROOT\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540000}]
- [HKEY_CLASSES_ROOT\TypeLib\{04978612-A774-406D-AF1B-F44E2838D72A}]
- [HKEY_CLASSES_ROOT\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}]
- [HKEY_CLASSES_ROOT\TypeLib\{9CA261C7-D518-4987-B434-10A1B243C8B8}]
- [HKEY_CLASSES_ROOT\TypeLib\{AD764BE6-87A7-46A1-8C55-A712D079E749}]
- [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}]
- [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}]
- [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540007}]
- [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}]
- [HKEY_CLASSES_ROOT\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}]
- [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
- [HKEY_CURRENT_USER\Software\GbPlugin]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF45043F-819C-47CC-9B37-94DBE50A6E63}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540007}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399007}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbIehObj.1]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbIehObj]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbPluginObj.1]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gbieh.GbPluginObj]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GbpDist.GbpDistObj.1]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GbpDist.GbpDistObj]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C8826EA}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540000}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{04978612-A774-406D-AF1B-F44E2838D72A}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9CA261C7-D518-4987-B434-10A1B243C8B8}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AD764BE6-87A7-46A1-8C55-A712D079E749}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540007}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginBb]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginCef]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginScd]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginUni]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\scpLIB.dll]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\scpMIB.dll]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\system32\scpsssh2.dll]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E37CB5F0-51F5-4395-A808-5FA49E399F83}]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPKM]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpKm]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpKm]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPKM]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpKm]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]
- [HKEY_USERS\S-1-5-21-854245398-1708537768-2147221027-1003\Software\GbPlugin]
The trojan may restart the operating system.