
Trojan-Banker.Win32.Banker.ezn

Detected Oct 11 2007 19:27 GMT
Released Oct 12 2007 12:59 GMT

This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.

Summary


Technical details

File size of 96256 bytes.


Malicious activity

Trojan-Banker: a malicious program designed to steal user information related to banking and electronic payment systems and bank cards. The information is sent to a cybercriminal via email, FTP, the web or other methods. Read more details here: http://www.viruslist.com/en/analysis?pubid=204792037

Steals confidential user information from the following banks, financial institutions and payment systems:

  • Halifax PLC
  • Caja Mar
  • Hellenic Bank
  • Sparkasse
  • Newcastle Permanent Building Society
  • Wells Fargo Bank
  • BRE Bank S.A.
  • Fortis Banque Luxembourg
  • St.George Bank
  • NORD/LB Norddeutsche Landesbank
  • E*TRADE FINANCIAL
  • Data Processing Center and IT-Service Provider
  • Caja Madrid
  • Banco de Valencia
  • Banco Santander group
  • Gruppo Banca Carige
  • ScotiaBank
  • Co-Operative Bank
  • Volksbank
  • Lloyds TSB Bank
  • Citibank
  • Landesbank Baden-Wurttemberg (BW-Bank)
  • Poste Italiane
  • First Trust Bank
  • Adelaide Bank
  • HSBC Group
  • Visa
  • ABN AMRO banking group
  • Sanpaolo IMI SpA
  • ING Bank
  • Bank Of America
  • Banca Intesa SpA
  • CommonWealthBank
  • SEB Bank
  • The Suncorp Group
  • Smile Internet Bank
  • BNP Paribas
  • Barclays Bank PLC
  • Deutsche Bank
  • RAS Bank
  • Westpac Banking Corporation
  • Dresdner Bank
  • Alliance & Leicester
  • Banesto
  • Royal Bank of Scotland (RBS)
  • Banca Generali
  • Noris Bank
  • Postepay

Creates unique identifiers to flag its presence in the system

  • Helper


Other activities

Modifies the system registry keys:

[HKLM\SOFTWARE\Helper] "DName" = "­­"

[HKLM\SOFTWARE\Helper] "GUID" = "lVUV%#V"R:&""U:#$$v:.S'V:#/$" "#S$.&"j"

[HKLM\SOFTWARE\Classes\CLSID\{ABA24A5E-155B-433a-9D0A-4835754D3915}] "(default)" = "Editor plugin"

[HKLM\SOFTWARE\Classes\CLSID\{ABA24A5E-155B-433a-9D0A-4835754D3915}\InprocServer32] "(default)" = "pecker.dll"

[HKLM\SOFTWARE\Classes\CLSID\{ABA24A5E-155B-433a-9D0A-4835754D3915}\InprocServer32] "ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Classes\CLSID\{ABA24A5E-155B-433a-9D0A-4835754D3915}\ProgID] "(default)" = "Soap.1"

[HKLM\SOFTWARE\Classes\CLSID\{ABA24A5E-155B-433a-9D0A-4835754D3915}\TypeLib] "(default)" = "{5B39702E-3389-451b-B7D7-E0CBC123BC2B}"

Deletes the following files on an infected computer (%System% is the Windows system directory, usually C:\Windows\System32):

  • <path to source program><file of source program>
  • %System%\cookie.dat
  • %System%\bb.dat
  • %System%\ps.dat
  • %System%\di.gif
  • %System%\dr.gif
  • %System%\boa.dat


Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.


Other versions

Aliases

Trojan-Banker.Win32.Banker.ezn (Kaspersky Lab) is also known as:

  • Trojan-Spy.Win32.Banker.ezn (Kaspersky Lab)
  • Mal/Behav-112 (Sophos)
  • TrojanDropper:Win32/Banker.USX (MS(OneCare))
  • Generic.Spy.Finanz.6AC0EE21 (BitDef7)
  • Trojan.DR.BHO.Gen (VirusBuster)
  • Win32:Banker-COC (AVAST)
  • Trojan-Spy.Win32.Banker (Ikarus)
  • BHO.ANZ (AVG)
  • TR/Drop.Banke.cnx.2 (AVIRA)
  • Infostealer.Banker.D (NAV)
  • Generic.dx (NAI)
  • Trojan.Spy.Win32.Banker.ezn (Rising)