Technical Details
This Trojan program is designed to steal a range of confidential information. It harvests information entered via the keyboard. It is a Windows PE EXE file. The file is 5,184 bytes in size. It is packed using FSG. The unpacked file is approximately 22KB in size.
Installation
When launched, the Trojan copies its executable file to the Windows root directory under the original file name:
%WinDir%\<original name of Trojan file>
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OLE"="<path to Trojan executable file>:"
The Trojan also extracts the following DLL file from its body:
%WinDir%\HookerDll.Dll
It then loads the DLL file.
Payload
When HookerDll.Dll is loaded, mouse and keyboard events are intercepted. This enables the Trojan to track information entered in windows whose titles contain the following strings:
:: WMcards.com :: Customer Support
Acceso a Banca por Internet
Accueil Bred.fr > Espace Bred.fr
American Express UK - Personal Finance
ANZ E*TRADE
ANZ Internet Banking
Banco Popular - Internet Banking
Banesnet Particulares
BankSA Internet Banking Logon Page
Banque en ligne
Banque Populaire
Barclaycard Merchant Services
Business Banking Online Login Page
Citibank Australia
Collegamento a Scrigno
Commercial Electronic Office Sign On
Commonwealth Securities Limited
Credit Lyonnais interactif
CyberMUT
directshares
Discover Card: Account Center Log In
E*TRADE Log On
e-Bullion: Account Login
e-gold Account Access
Fleet HomeLink Online Banking and Investing
FX Online Sphinx Login Page
Home Page Banca Intesa
HSBC Internet banking
https://www.tradeportal.proponix.com
iKobo Money Transfer
Managed Funds and Superannuation Online - Login
MasterCard Connections Online - Welcome
Merchant Administration
moneybookers.com - and money moves
Nationwide Building Society - On-line banking
NetBank - Logon
Online Services - Account Login
online@hsbc
OrbitPay.net - The Payment Processor Of Choice!
PNC Bank - Account Link for Business
SAAM Login
St George Treasury: Client Logon
St.George Internet Banking Logon Page
SUNCORP METWAY
SunTrust Online Banking
Tous les produits et services
Ventura County Business Bank Online Banking
VeriSign Partner Manager
VeriSign Personal Trust Service
Wachovia Online Business Banking
Washington Mutual - Log On
Welcome to Citi
Welcome to National Internet Banking
Wells Fargo - Small Business Home Page
Westpac Internet - Sign In
Westpac Internet Banking
Information entered via the keyboard is saved to the following file:
%WinDir%\krk.txt
and sent to the remote malicious user at the following email address:
netbank***@mailgate.ru
The Trojan also performs the following actions:
- launches a thread that periodically deletes the contents of the Windows clipboard
- deletes URLs containing the string "Cookie" from the cache.
Removal instructions
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%WinDir%\<original name of Trojan file>
%WinDir%\HookerDll.Dll
%WinDir%\krk.txt
- Delete the following registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"OLE"="<path to Trojan executable file>:"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
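A host check for the indicators listed above, added here as an example and not part of the original description. It assumes administrative rights, that the dropped file names and the "OLE" Run value are as described, and checks both registry hives because the text names HKCU under installation and HKLM under removal; the original Trojan file name is unknown, so it is not checked by name.

```powershell
# Added example: audit a Windows host for the indicators in the description above.
# Assumption: run from an elevated PowerShell session.
$winDir = $env:WINDIR
$findings = @()

# Dropped hook DLL and keystroke log file in the Windows directory
foreach ($name in @('HookerDll.Dll', 'krk.txt')) {
    $path = Join-Path $winDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# Autorun value "OLE"; the page lists HKCU (installation) and HKLM (removal), so check both
foreach ($hive in @('HKCU', 'HKLM')) {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $value = Get-ItemProperty -Path $key -Name 'OLE' -ErrorAction SilentlyContinue
    if ($null -ne $value) {
        $findings += "Run value OLE in $key = $($value.OLE)"
    }
}

# Any running process that has the hook DLL loaded (the keyboard/mouse hook lives there)
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'HookerDll.Dll' }
        if ($hit) {
            $findings += "Process $($proc.Name) (PID $($proc.Id)) has HookerDll.Dll loaded"
        }
    } catch {
        # Access denied on protected processes is expected; skip them
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Any process reported in the last check is the one to terminate before deleting the files and the registry value.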