
Trojan-Banker.Win32.Banker.ckj

Detected Apr 06 2007 08:58 GMT
Released Jun 19 2007 08:24 GMT
Published Apr 06 2007 08:58 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan intercepts confidential user data. It is a Windows PE EXE file, 29KB in size, packed using MEW. The unpacked file is approximately 225KB in size.

Installation

When launched, the Trojan extracts from itself the following file, which is 41,472 bytes in size:

%System%\msie.dll

The Trojan also registers this file in the system registry, ensuring that it will be launched each time Windows is booted on the victim machine:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%System%\msie.dll"

The Trojan then deletes its executable file and ceases running.


Payload

The Trojan component %System%\msie.dll installs hooks for the following API functions:

InternetCrackUrl
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile

The Trojan uses these hooks to track user activity on the following sites:

ibank.barclays.co.uk/olb/t/LoginMember.do
ibank.barclays.co.uk/olb/t/LoginMembers.do
ibank.barclays.co.uk/olb/t/LoginsMembers.do

wellsfargo.com
bankofamerica.com
online.lloydstsb.co.uk
oi.cajamadrid.es
bannerbank.ru
ad.yieldmanager.com
iv.doubleclick.nets

e-gold.com/acct/balance.asp
e-gold.com/acct/confirm.asp
e-gold.com/acct/spend.asp
e-gold.com/acct/redeem.asp
e-gold.com/acct/history.asp
e-gold.com/acct/ai.asp
e-gold.com/acct/logout.asp
e-gold.com/acct/acct.asp

internetbanking.gad.de
vr-networld-ebanking.de
citibank.de

On these sites, the Trojan intercepts the values entered in form fields with the following names:

AccountID
StoreMyNumber
PassPhrase
Turing
Amount
autoT1
autoT2
Id
Payee_Account
Login
Spend
Schmetterling

The Trojan also harvests Microsoft Office account passwords.

The Trojan saves harvested data to the following log files:

%System%\info.dat
%System%\ms.dat

These files are periodically uploaded to the remote malicious user’s FTP server.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the victim machine).
  3. Delete the following files:
    %System%\msie.dll 
    %System%\info.dat 
    %System%\ms.dat
  4. Delete the following registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%System%\msie.dll"
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
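The following PowerShell script is an added example, not part of the Kaspersky description: it audits a machine for the indicators listed above (the AppInit_DLLs persistence entry, the dropped msie.dll and the two harvest logs) and, with -Remediate, carries out steps 3 and 4 of the removal instructions. It assumes a modern PowerShell with Get-FileHash and must be run from an elevated session.

```powershell
# Added example (not from the Kaspersky page): audit and optionally clean the
# Banker.ckj indicators. Run as Administrator; nothing is changed unless -Remediate is given.
param([switch]$Remediate)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$sysDir  = [Environment]::GetFolderPath('System')           # expands %System%
$badDll  = Join-Path $sysDir 'msie.dll'
$logs    = @('info.dat', 'ms.dat') | ForEach-Object { Join-Path $sysDir $_ }

# 1. Persistence check. AppInit_DLLs is a REG_SZ holding a space- or comma-separated
#    list, so remove only the msie.dll entry rather than blanking the whole value
#    (other software may legitimately be listed there).
$appInit = (Get-ItemProperty -Path $regPath -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
$entries = @()
if ($appInit) { $entries = $appInit -split '[ ,]+' | Where-Object { $_ } }
$hit = $entries | Where-Object { (Split-Path $_ -Leaf) -ieq 'msie.dll' }
if ($hit) {
    Write-Warning "AppInit_DLLs references '$hit' (matches Banker.ckj persistence)"
    if ($Remediate) {
        $clean = ($entries | Where-Object { (Split-Path $_ -Leaf) -ine 'msie.dll' }) -join ' '
        Set-ItemProperty -Path $regPath -Name AppInit_DLLs -Value $clean
        Write-Host "AppInit_DLLs rewritten to '$clean'"
    }
} else { Write-Host 'AppInit_DLLs: no msie.dll entry' }

# 2. Dropped component and harvest logs. Record size and hash before deleting so the
#    sample can be matched or submitted later; the page gives 41,472 bytes for msie.dll.
#    An AppInit DLL stays mapped into every process that loaded user32.dll, so the
#    delete may only succeed after a reboot.
foreach ($f in @($badDll) + $logs) {
    if (Test-Path $f) {
        $size = (Get-Item $f).Length
        $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        Write-Warning "Found $f  size=$size  SHA256=$hash"
        if ($Remediate) { Remove-Item -Path $f -Force -ErrorAction Continue }
    } else { Write-Host "Not present: $f" }
}
```

Step 5 of the instructions (update signatures and run a full scan) still applies afterwards, since the original dropper may remain on disk under a path this script does not know.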

Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.



Aliases

Trojan-Banker.Win32.Banker.ckj (Kaspersky Lab) is also known as:

  • Trojan-Spy.Win32.Banker.ckj (Kaspersky Lab)
  • Mal/Behav-177 (Sophos)
  • Malicious Packer (Panda)
  • W32/Trojan-Dlr-SysWrt!Eldorado (FPROT)
  • Trojan.PWS.GoldSpy (DrWeb)
  • Trojan.Generic.190189 (BitDef7)
  • Packed/MEW (VirusBuster)
  • Win32:Goldun-JF [Trj] (AVAST)
  • PSW.Banker3.MPM (AVG)
  • TR/Crypt.XDR.Gen (AVIRA)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Cryp_MEW-11 (TrendMicro)
  • Packed/MEW (VirusBusterBeta)