Internet threat level: 1
Read us on
Home→Descriptions→Trojan-Banker.Win32.Banker.asq
Trojan-Banker.Win32.Banker.asq
| Detected | Feb 04 2006 00:18 GMT |
| Released | Feb 04 2006 00:56 GMT |
| Published | Nov 30 2006 16:01 GMT |
Technical Details
Payload
Removal instructions
Payload
Removal instructions
Technical Details
This Trojan will steal confidential user data when the user visits certain websites. It is a Windows PE EXE file. The file is 62,476 bytes in size. It is packed using Upack. The unpacked file is approximately 319KB in size. It is written in Borland C++.
Installation
When launched, the Trojan will copy its executable file as:
%System%\scvhost.exe
The original Trojan file will then be deleted.
In order to ensure that the Trojan is launched automatically each time Windows is restarted, the Trojan registers its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Explorer Helper" = "%System%\scvhost.exe"
"Internet Explorer Helper" = "%System%\scvhost.exe"
Payload
The Trojan uses a Browser Helper Object to track user activity within Internet Explorer.
The Trojan protocols the following user actions:
- opening URLs
- Actions which the user carries out with web form components - tracking the user’s choice of radio buttons, checkboxes, keys pressed, component names. The Trojan sends this information to the remote malicious user’s site.
- If the user enters information in a text field with one of the names listed below, the information will be sent to the remote malicious user’s site.
answer cajamadrid ccpin citibank clave ClaveAcceso_s cliente codigo D1 D33 Documento_s firma firma Firma1 identifica key logonID memorable NumeroCliente_s NumeroUsuario_s parol pass passphrase passwd passwd passwd2 password Password password pasw pin pin2 pwd pwd2 secret secur secure segur servicio tan tan2 TipoId_s userid username
On web sites with addresses which contain the strings listed below (left hand column) the Trojan gets the information from the fields listed below (right hand column) and sends this information to the remote malicious user’s site.
| Address contains: | Name of field |
| bbvanet | Usertext Password pw2 username2 nombre tripleta |
| Bancopopular | Bancopopular PAN_IN contras_IN UserName Password ATHPIN Pin |
| Bancaja | Pan Pin |
| Caixapenedes | efUsuario efPassword |
| Caixasabadell | Usuario pin |
| santandercentralhispano | Usuario Indicador empresa_grupo empresa_usuario clave empresa_clave |
| caixatarragona | Usuari HB_PSW_FINAL_CONEX2 |
| ruralvia | USUARIO PASS FIRMA |
| cajasur | PAN PIN1 |
| ibercajadirecto | Codidentific PIN Clavefirma |
| ebankinter | Username Password txtMascara |
| banesto | Opnumerocod Oppasswd Opusuario |
| caixaebanking | EMPRESA CONTRATO COD_ACESSO |
| hsbc.com.au | PBN password |
| lloydstsb.co.uk | UserId1 Password ResponseKey0 ResponseKey1 ResponseKey2 ResponseValue0 ResponseValue1 ResponseValue2 |
| .e-gold.com | AccountID PassPhrase |
| .banking.uboc.com | UserID pinNumber |
| .etrade.com | USER PASSWORD |
| .bnyonline.com | USERID PASSWORD |
| .tdcommercialbanking.com | lang ConnectID connectIdDescription password |
| .bankcolonial.com | Username Password |
| .harrisbank.com | Username Password |
| .wamu.com | txtUserID pwdPassword |
| .firsthorizon.com | DetectDemoMode.UserName DetectDemoMode.Password |
| .firstmeritib.com | ctlLogin1:txtUsername ctlLogin1:txtPassword |
| .flagstarbanking2.com | userNumber password |
| .frostbank.com | userName password |
| .hibernia.com | User Pin |
| .hcsbonline.com | userNumber password |
| .huntington.com | USER PIN |
| .mandtbank.com | txtUserID txtPasscode |
| .mbna | username password |
| .secure-banking.com | v1 v2 v3 |
| .ibanking-services.com | userid password |
| .midamericabank.com | username password |
| .nationalcity.com | UserName Password |
| .navyfcu.org | comboLogonNumber userid passwrd |
| .ncsecu.org | Header1:SignOn1:txtUserID Header1:SignOn1:txtPassword userid password |
| .mynfbonline.com | tbCustomer_ID tbPassword |
| .ohiosavings.com | UserID Password |
| .oldnational.com | user PIN |
| .peoples.com | profilename profilepassword |
| .rbccentura.com | K1 Q1 |
| .regionsbank.com | j_username j_password |
| .statefarm.com | userID password |
| .tcfbank.com | j_username j_password |
| .tdbanknorth.com | textfield textfield2 |
| .thirdfederalonline.com | userNumber password |
| .openbank.com | j_username j_password companyID |
| .vbankworks.com | UserName Password |
| .websterbank.com | username password |
| .whitneybank.com | accessCode pinx |
| .wilmingtontrust.com | userid password |
| .worldsavings.com | UserName Password |
| .zionsbank.com | j_username j_password |
| tarjeta | pin Coordenada |
| .commbank.com.au | USER_LOGON_NAME PASSWORD |
| .dab-bank.com | authentificationnumberLogin pinLogin |
| .ebank.hsbc.com.hk | LogonID Pin PIN |
| .barclays.co.uk | membershipNo passCode surname firstMDC secondMDC |
| .national.com.au | userid password |
| nbd.ae | loginName password pin |
| .allianz.de | userId password |
| .smile.co.uk | sortCode accountNumber visaCardNumber passNumber |
| .westpac.com.au | username pwd |
| .abbeynational.co.uk | ID PASSCODE ERN inputuserid inputmemorableAddress sec_id |
| .cajamar.es | NUME PASSWORD |
| .cbdonline.ae | txtUserCode txtPassword |
| .ccm.es | CLIENTE PIN |
| .co-operativebank.co.uk | sortCode accountNumber visaCardNumber passNumber |
| .samba.com | username password |
| .unb.com | CustID Password |
| .unicaja.es | user pwd oper |
| .hangseng.com | lang_version u_LogonID DOSI Pin |
| .bankone.com | bolAccessId bolPassword |
| .bankofamerica.com | id pc |
| .chase.com | usr_name_input usr_password_input |
| .rfh.org.uk | txtLogin txtPassword |
| .wachovia.com | userid password |
| .aibgbonline.co.uk | RegNo PAC1 PAC2 |
| .rbttnetbank.com | Login Password WhichBrowser ValidationReq |
| .bfc-ag.com | identifiant motpasse |
| .firstcaribbeanbank.com | fldLoginUserId fldPassword fldLangId |
| .ncbelink.com | CorporateSignonCorpId CorporateSignonPassword |
| .sknanb.net | txtName txtPassword |
| .ccb.ai | Username Password |
| .fcb-e-bank.com | user passwd |
| .privatebankslu.com | df_username df_password |
| .bankofcyprus.com | CustomerID PIN resolution browser |
| .bankofcyprus.co.uk | id password |
| .hellenicnetbanking.com | Subscriber password |
| .griffonbank.com | Login Password |
| .angloconnect.co.im | txtClientNo txtPIN1 txtPIN2 txtPIN3 txtPIN4 txtPIN5 txtPIN6 txtCodeWord username password |
| .closepb.com | AuthLogonUser AuthLogonPWD |
| .royalbank.com | K1 Q1 SIP_PVQ_ANS |
| .1stdigibank.com | Login Password |
| .raiffeisen.at | PIN LOGINBKLZ2 |
| .slsp.sk | user_id pwd autc ac |
| .netbanking.at | user_id password |
| .banking.co.at | verfueger verfuegerName pin |
| .sparkasse-dueren.de | KONTONUMMER |
| .nrsbank.dk | userid password |
| .cajalaboral.com | usuario password |
| .banquepopulaire.fr | abonne passwd userid password |
| .finaref.fr | n_compte code |
| .bnpparibas.net | ch1 ch2 |
| .dahsing.com | AID operatore PWD |
| .bancalombarda.it | userid password |
| .postbank.nl | strUserID strPassword |
| .mbank.com.pl | txtCustNbr txtPassword |
| .multibank.pl | txtCust txtPassword |
| proxy-socks.net | login pass |
| .deltabank.ru | login pswd |
| .sebank.se | A1 A2 |
| .hsbc.ca | loginID password |
| .householdbank.com | userid password |
| .merrickbank.com | SimpleLogin:UserName SimpleLogin:Password |
| .crosscountrybanking.com | user pass |
| .easybank.at | tn pin |
| .credicard.com.br | numero senha |
| .americanexpress.com | UserID Password |
| .cim-italia.it | userAdmin pwdUser userUtente userlevis pwdUtente |
| .bancagenerali.it | userBean.userid userBean.password |
| .myvirtualcard.com | username password |
| .unicreditbanca.it | username autentication |
| .webank.it | username password |
| .bancaroma.it | S_userid S__password |
| .japannetbank.co.jp | TenNo KozaNo Pw |
| .alliance-leicester.co.uk | txtCustomerID txtPassnumber |
| .aibgbonline.co.uk | pacPosition1 pacPosition2 RegNo PAC1 PAC2 txtExtraSec |
| .iblogin.com | UserId Password agreementId1 agreementId2 agreementId3 agreementId4 |
| .bankofscotlandhalifax-online.co.uk | Username password answer |
| .berliner-volksbank.de | snrMServiceDirekt_Nummer pinMPIN |
| .commerzbanking.de | PltLogin_8_Anmeldename PltLogin_8_Pin |
| .deutsche-bank.de | Branch AccountNumber SubAccount PIN |
| .dresdner-privat.de | identifier |
| .hsh-nordbank.de | userName passwort |
| .norisbank.de | kontonummer pin |
| .postbank.de | accountNumber pinNumber |
| .seb.de | userid pin tan |
| .bics.fr | txt_pseudo txt_motDePasse |
| .caixabank.fr | ID PIN |
| .creditmutuel.fr | _cm_user _cm_pwd |
| .bybank.it | username password |
| .sella.it | UserId Password |
| .anz.com | USERIDF PINF |
| .asbbank.co.nz | usercode password |
| .nbnz.co.nz | userid password |
| .teacherscreditunion.com.au | iName iPassword |
| .westpac.co.nz | customerId passwd |
| .bmo.com | FBC_Number FBC_Password |
| .telebank.ru | unc pass key |
| money.yandex.ru | login passwd |
| .paymer.com | frmLogin:txtLogin frmLogin:txtPwd nav:_ctl0:pCheck:txtOrderNumber nav:_ctl0:pCheck:txtOrderCode |
| .rapida.ru | tp_pser_numb tp_pcard_numb tp_pcardskey_val |
| rupay.com | user_email user_pass |
| .chronopay.com | username password |
| fethard.biz | login pwd |
| .stormpay.com | Email Password |
| .telepat.ru | CodeCountry PhoneNumber PinCode |
| yahoo.com | login passwd |
| google.com | Email Passwd |
| login.passport.net | login passwd |
| .unibo.it | username password |
| .unife.it | loginname password |
| .mail.ru | Login Domain Password |
| .hotmail.ru | login client passwd |
| yandex.ru | login passwd |
The Trojan will also send information about the operating system version and screen resolution used to the remote malicious user.
The Trojan uses the WNetEnemCachedPasswords undocumented function to harvest all passwords which have been saved to the victim machine, and sends them to the remote malicious user's site.
POP3 User Name
POP3 Server
POP3 Password2
POP3 Server
POP3 Password2
from the following registry entry:
[HKCU\Software\Microsoft\Internet Account Manager\Accounts]
and sends them to the remote malicious user.
In order to transmit harvested information, the Trojan periodically connects to http://http.acid-burn.info/loger.php and transmits the harvested information as HTTP request parameters.
Removal instructions
- Use Task Manager to terminate the Trojan process (it may be called scvhost.exe)
- Delete the following file:
%System%\scvhost.exe
- Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Internet Explorer Helper="%System%\scvhost.exe"- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus.)
- Delete the following system registry key parameter:
Trojan-Banker
Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Other versions
Aliases
Trojan-Banker.
- Trojan-Spy.
Win32. Banker. asq (Kaspersky Lab) - Trojan:
PWS-Banker!fcn (McAfee) - Mal/Emogen-AA (Sophos)
- Trj/Banker.
BVY (Panda) - Trojan:
Win32/Malex. gen!F (MS(OneCare)) - Trojan.
PWS. Ageloc (DrWeb) - Win32/Spy.
Banker. AQU trojan (Nod32) - Generic.
Banker. OT. 724BF5E9 (BitDef7) - Trojan.
PWS. Banker. CQTK (VirusBuster) - Trojan-Banker.
Win32. Banker (Ikarus) - TR/Unpacked.
Gen (AVIRA) - Infostealer.
Bancos (NAV) - W32/Obfuscated.
FA (Norman) - Packer.
Win32. Agent. bk [Suspicious] (Rising) - Trojan-Banker.
Win32. Banker. asq [AVP] (FSecure) - TROJ_Gen.
MZ40L8 (TrendMicro) - Trojan.
Win32. Generic!SB. 0 (Sunbelt) - Trojan.
PWS. Banker. CQTK (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.