
Trojan-Banker.Win32.Banker.ahy

Detected Feb 10 2006 14:33 GMT
Released May 09 2007 20:03 GMT
Published Feb 10 2006 14:33 GMT

Technical Details

This Trojan is designed to steal confidential financial information. The Trojan itself is a Windows PE EXE file. The file size may vary from 356KB to 1MB or more.

Once launched, the Trojan causes the following error message to be displayed:

When installing, the Trojan copies itself to the Windows system and Startup directories as system32.exe:

%Documents and Settings%\All Users\Start Menu\Programs\Startup\system32.exe
%System%\system32.exe

It then registers this file in the system registry, ensuring that the Trojan will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "system32"="%System%\system32.exe"

Other variants of this Trojan may save copies of themselves under different names.
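A check for the persistence artifacts listed above, run over a text export of the registry (added example, not part of the original description). It assumes the export is already decoded to a string and that %System% and %Documents and Settings% resolve to the default C:\WINDOWS\system32 and C:\Documents and Settings; the function names and the sample export are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above: the file name and the autorun key.
IOC_NAME = "system32.exe"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Assumption: default locations behind the page's path placeholders.
PLACEHOLDERS = {
    "%system%": r"c:\windows\system32",
    "%documents and settings%": r"c:\documents and settings",
}
IOC_DIRS = {
    r"c:\windows\system32",
    r"c:\documents and settings\all users\start menu\programs\startup",
}
# One string value line of a .reg export: "name"="data" with backslash escapes.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping of backslashes and double quotes.
    return re.sub(r"\\(.)", r"\1", s)

def exe_of(command):
    # A quoted Run command may carry arguments; keep only the quoted path.
    command = command.strip()
    return command[1:].split('"', 1)[0] if command.startswith('"') else command

def is_ioc_path(path):
    """True if path is system32.exe in the system or All Users Startup directory."""
    p = exe_of(path).lower()
    for token, real in PLACEHOLDERS.items():
        p = p.replace(token, real)
    p = ntpath.normpath(p)
    return ntpath.basename(p) == IOC_NAME and ntpath.dirname(p) in IOC_DIRS

def scan_reg_export(text):
    """Return (value name, data) for Run-key values that point at the indicator."""
    hits, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower().endswith(RUN_KEY)
            continue
        m = VALUE.match(line)
        if in_run and m and is_ioc_path(unescape(m.group(2))):
            hits.append((unescape(m.group(1)), unescape(m.group(2))))
    return hits

# Constructed sample export, not captured from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="\"C:\\Program Files\\Example\\app.exe\" /tray"
"system32"="C:\\WINDOWS\\system32\\system32.exe"
'''
```

Because other variants may use different file names, a clean result from this check only rules out the names documented here.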

The Trojan scans all open network and Internet resources for links to banking and other financial documents. It harvests information entered via the keyboard (login and password) and saves this information to a text file which it has created in the Windows system directory.

The Trojan periodically sends this text file to the remote malicious user via email.


Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.



Aliases

Trojan-Banker.Win32.Banker.ahy (Kaspersky Lab) is also known as:

  • Hoax.Win32.Magania.ahy (Kaspersky Lab)
  • Trojan-Dropper.Win32.Banker.ahy (Kaspersky Lab)
  • Trojan.BAT.Banker.ahy (Kaspersky Lab)
  • Trojan-Banker.Win32.Nepoe.ahy (Kaspersky Lab)
  • Trojan-Banker.Win32.Mitglieder.ahy (Kaspersky Lab)
  • Trojan.Win32.Busky.ahy (Kaspersky Lab)
  • Trojan-Spy.Win32.Banker.ahy (Kaspersky Lab)
  • Trojan: PWS-Banker.gen.b (McAfee)
  • Troj/Bnkmr-Fam (Sophos)
  • Trojan.Spy.Banker-5449 (ClamAV)
  • Trj/Banker.ITS (Panda)
  • W32/Banker.ISJ (FPROT)
  • TrojanSpy:Win32/Bancos.gen!A (MS(OneCare))
  • Trojan.PWS.Banker.based (DrWeb)
  • Trojan.Spy.Banker.AHY (BitDef7)
  • Win32:Banker-AGA [Trj] (AVAST)
  • Trojan-Banker.Win32.Banker (Ikarus)
  • PSW.Banker2.NFK (AVG)
  • TR/Spy.Banker.Gen (AVIRA)
  • Infostealer.Bancos!gen (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • [Suspicious] (Rising)
  • Mal_Banker4 (TrendMicro)