Trojan-Banker.Win32.Banker.cmb

Detected Mar 28 2007 08:28 GMT
Released Mar 30 2007 06:28 GMT
Published Mar 28 2007 08:28 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

This Trojan program is designed to steal confidential data. It is a Windows PE EXE file 34304 bytes in size, packed with a customized packer.

The Trojan copies itself to

%sysdir%\ntos.exe

with system, read only and archive attributes.

When copying itself it appends a random amount of junk data to the end of the new file, so that the size and full-file hash of each copy differ, in an attempt to make detection more difficult. The PE header is not modified.
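Because the appended junk lies beyond the last section's raw data, it is an "overlay" that the loader never maps, and the PE body itself is unchanged from copy to copy. The following Python script is an added example, not Kaspersky's code and not part of the original description: it parses the section table to measure the overlay and hashes only the PE body, which stays identical across copies regardless of the junk. The minimal PE image it builds as sample input is constructed for illustration, as are the helper names and the 0x200 section alignment.

```python
import hashlib
import struct

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20


def overlay_size(data: bytes) -> int:
    """Return the number of bytes that follow the last section's raw data.

    Walks DOS header -> PE signature -> COFF header -> section table and takes
    the highest PointerToRawData + SizeOfRawData. Bytes after that point are
    not mapped by the loader (the overlay), which is where appended junk lands.
    Raises ValueError for non-PE or truncated input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_header_size
    end_of_sections = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        entry = table + i * SECTION_HEADER_SIZE
        # SizeOfRawData sits at +16 and PointerToRawData at +20 in each entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        if size_raw:
            end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    if end_of_sections > len(data):
        raise ValueError("section data extends past end of file (truncated)")
    return len(data) - end_of_sections


def body_sha256(data: bytes) -> str:
    """SHA-256 of headers and sections only, ignoring the overlay.

    Copies that differ only in appended junk hash to the same value here even
    though their full-file hashes differ.
    """
    return hashlib.sha256(data[:len(data) - overlay_size(data)]).hexdigest()


def build_sample_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image used as sample input (not a real binary).

    Layout: DOS header, PE signature, COFF header, zeroed optional header,
    one section header, section data aligned at 0x200, then `overlay`.
    """
    e_lfanew = 0x40
    opt_header_size = 224  # standard size of a PE32 optional header
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_header_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_header_size - 2)
    headers_len = e_lfanew + 4 + COFF_HEADER_SIZE + opt_header_size + SECTION_HEADER_SIZE
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # first section on a 0x200 boundary
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI",
        len(section_bytes),  # VirtualSize
        0x1000,              # VirtualAddress
        len(section_bytes),  # SizeOfRawData
        raw_ptr,             # PointerToRawData
        0, 0, 0, 0,          # relocation / line-number fields (unused)
        0x60000020,          # CODE | EXECUTE | READ
    )
    image = dos + b"PE\x00\x00" + coff + opt + section
    image += b"\x00" * (raw_ptr - len(image)) + section_bytes
    return image + overlay


if __name__ == "__main__":
    # Two constructed copies of one image, the second with 137 bytes of junk appended
    code = bytes(range(256))
    clean, padded = build_sample_pe(code), build_sample_pe(code, b"J" * 137)
    print("overlay bytes:", overlay_size(clean), overlay_size(padded))
    print("body hashes match:", body_sha256(clean) == body_sha256(padded))
    print("full hashes match:",
          hashlib.sha256(clean).hexdigest() == hashlib.sha256(padded).hexdigest())
```

An overlay on its own is not evidence of infection: installers, self-extractors and Authenticode-signed binaries legitimately carry data past the last section. The useful signal is a body hash that matches a known sample while the full-file hash and size keep changing.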

It creates the following directory and stores two files in it:

%sysdir%\wsnpoem\ (hidden, system attributes)

%sysdir%\wsnpoem\audio.dll - data file
%sysdir%\wsnpoem\video.dll - config file

The Trojan adds itself to the following registry keys:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
userinit="%sysdir%\ntos.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
userinit="%sysdir%\ntos.exe"

It modifies the "Userinit" value of

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

from

"%sysdir%\userinit.exe,"

to

"%sysdir%\userinit.exe,%sysdir%\ntos.exe,"

so that Winlogon launches ntos.exe alongside userinit.exe at every logon.

The Trojan injects itself into winlogon.exe and from then on runs inside that process.

It creates the following mutex to flag its presence in the system:

__SYSTEM__64AD0625__
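The two Run values and the Winlogon Userinit change above are the persistence artifacts a responder would check for on a suspect host. The Python below is an added example, not part of Kaspersky's description: it examines registry data (here a constructed in-memory dict in the shape a `reg export` parser or a `winreg` walk on the live host would produce) for a Run value pointing at ntos.exe and for any Userinit entry other than the system's own userinit.exe. The second check is deliberately broader than this one Trojan, since any extra Userinit entry is an autostart worth reviewing. The dict layout, the `%sysdir%` value and the helper names are assumptions.

```python
from __future__ import annotations

# Registry locations named in the description: both HKEY_USERS hives carry the
# Run value, and the Winlogon key holds the modified Userinit list
RUN_KEYS = (
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_FILE = "ntos.exe"


def userinit_entries(value: str) -> list[str]:
    """Split a Winlogon Userinit value into its comma-separated program entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit(value: str, sysdir: str) -> list[str]:
    """Return Userinit entries other than the legitimate <sysdir>\\userinit.exe.

    Windows runs every entry in this list at logon, so anything beyond
    userinit.exe is an autostart that deserves review (here: ntos.exe).
    """
    expected = (sysdir.rstrip("\\") + "\\userinit.exe").lower()
    return [e for e in userinit_entries(value) if e.lower() != expected]


def find_banker_artifacts(registry: dict[str, dict[str, str]], sysdir: str) -> list[str]:
    """Report the persistence artifacts from the description found in `registry`.

    `registry` maps key path -> {value name: value data}; an exporter walking
    the live hives (for example with winreg on Windows) would fill it the same way.
    """
    findings: list[str] = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if data.strip('"').lower().endswith("\\" + DROPPED_FILE):
                findings.append(f"{key}\\{name} = {data}")
    userinit = registry.get(WINLOGON_KEY, {}).get("Userinit", "")
    for extra in unexpected_userinit(userinit, sysdir):
        findings.append(f"{WINLOGON_KEY}\\Userinit contains extra entry: {extra}")
    return findings


# Constructed snapshot resembling an infected host (values as in the description)
SYSDIR = r"C:\WINDOWS\system32"
INFECTED = {
    RUN_KEYS[0]: {"userinit": SYSDIR + r"\ntos.exe"},
    RUN_KEYS[1]: {"userinit": SYSDIR + r"\ntos.exe"},
    WINLOGON_KEY: {"Userinit": SYSDIR + r"\userinit.exe," + SYSDIR + r"\ntos.exe,"},
}
# Constructed clean host: no Run values, stock Userinit with its trailing comma
CLEAN = {
    RUN_KEYS[0]: {},
    RUN_KEYS[1]: {},
    WINLOGON_KEY: {"Userinit": SYSDIR + r"\userinit.exe,"},
}

if __name__ == "__main__":
    for label, snapshot in (("infected", INFECTED), ("clean", CLEAN)):
        hits = find_banker_artifacts(snapshot, SYSDIR)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

The Userinit comparison is case-insensitive and tolerates quoting because the value is free text that the malware rewrites; matching on the exact string from the description would miss a variant that uses a different path spelling. The mutex and the wsnpoem directory listed above are separate host checks that this registry-only example does not cover.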


Payload

The Trojan contacts 81.95.148.244 to download its configuration file, check for updates and transmit harvested data.

It accesses PStore (Windows Protected Storage) to retrieve saved passwords.

It also monitors network activity for the following strings and URL masks:

  • *Tan*
  • *Schmetterling*
  • *berweisung*
  • *Amount*
  • *tanentry*
  • *RESULT2*
  • *citibank.de/*
  • I2=*&H0=DT
  • *banking.*/cgi/ueber*.cgi*
  • bankofamerica.com/cgi-bin/ias/*/GotoWelcome
  • https://onlineeast.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
  • CustomerServiceMenuEntryPoint?custAction=75

The Trojan captures data submitted by the browser via POST in order to steal login details for these sites.

Captured data is transferred via FTP.


Removal instructions

1. Use Kaspersky Anti-Virus 6.0 to delete the Trojan. Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus).

Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.


Aliases

Trojan-Banker.Win32.Banker.cmb (Kaspersky Lab) is also known as:

• Trojan-Spy.Win32.Banker.cmb (Kaspersky Lab)
• Trj/Banker.FWD (Panda)
• Trojan:Win32/Banker.dam#2 (MS(OneCare))
• Trojan.PWS.Banker.9261 (DrWeb)
• Trojan-Spy.Win32.Zbot.adj (Ikarus)
• TR/Crypt.XPACK.Gen (AVIRA)
• Trojan Horse (NAV)
• Zbot.AM (Norman)
• Packer.Win32.UnkPacker.a [Suspicious] (Rising)
• TROJ_BANKER.HLR (TrendMicro)