Threat Encyclopedia

TSPY_BANCOS


PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Spyware
  • Destructiveness: No
  • Encrypted:
  • In the wild: Yes

OVERVIEW

Infection Channel:

Spammed via email, Downloaded from the Internet, Dropped by other malware


BANKER variants may arrive on a system via spammed email messages, as a file dropped by other malware, or as a file unknowingly downloaded by the user when visiting malicious sites.

BANKER malware attempts to steal sensitive information such as banking credentials and email account details. It employs information-stealing techniques, often phishing pages that mimic official banking sites, to obtain a user's bank information such as user names, passwords, or card codes. The stolen information may then be sent to a predetermined email address, to drop zones on hosted servers, or to a URL via HTTP POST. It may also be used to automatically transfer money to a predetermined bank account.

The BANKER malware family is known for stealing account information from users of certain financial institutions. In 2011, BANKER malware became so prevalent that law enforcement agencies issued a bulletin warning users about its existence.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This spyware drops the following files:

  • %Windows%\wnetsock08.dll
  • %Windows%\Media\AuxImgDll.dll
  • %Current%\AuxImgDll.dll
  • %Current%\Emails.dat
  • %Current%\upset1.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • %Windows%\Media\HPMedia.exe
  • %Current%\{malware filename}_OLD.jmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{malware filename}.exe = "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DrvStart = "%Windows%\Media\HPMedia.exe"
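As a defender's check for the indicators in the Installation and Autostart Technique sections, the following Python example is added here and is not part of the Trend Micro entry. It parses a .reg export of the two Run keys named above and flags values that match this spyware's autostart pattern: the DrvStart value name and the HPMedia.exe, AuxImgDll.dll and wnetsock08.dll file names come from this page; the sample export, the SUSPICIOUS_DIRS list and the "value name equals the target's file name" heuristic are my own assumptions.

```python
# Added example (not part of the Trend Micro entry): parse a .reg export of the
# two Run keys this spyware uses and flag entries matching its indicators.
import re
from dataclasses import dataclass

# Indicators taken from the encyclopedia entry above.
KNOWN_BAD_VALUE_NAMES = {"drvstart"}
KNOWN_BAD_BASENAMES = {"hpmedia.exe", "auximgdll.dll", "wnetsock08.dll"}
# Directories a legitimate Run-key target rarely lives in (heuristic; my assumption).
SUSPICIOUS_DIRS = ("\\windows\\media\\", "\\temp\\")

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


# "name"="data" or @="data" (default value); data keeps its .reg escaping here.
_VALUE_RE = re.compile(r'^(?:"(?P<name>.*?)"|(?P<default>@))="(?P<data>.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse the REG_SZ subset of .reg syntax: [key] headers and "name"="data" lines.
    Keys are lower-cased so lookups are case-insensitive, as the registry itself is."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            # .reg exports escape backslashes and double quotes with a backslash.
            data = re.sub(r"\\(.)", r"\1", m.group("data"))
            entries[current][name] = data
    return entries


def target_path(data: str) -> str:
    """Extract the executable path from Run-value data, which may be quoted and carry arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: cut after the first executable-looking extension, else at the first space.
    m = re.match(r"(.*?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def scan_run_keys(entries: dict) -> list:
    """Apply the page's indicators and the heuristics to every value under both Run keys."""
    findings = []
    for key in RUN_KEYS:
        for name, data in entries.get(key.lower(), {}).items():
            path = target_path(data).lower().replace("/", "\\")
            basename = path.rsplit("\\", 1)[-1]
            if name.lower() in KNOWN_BAD_VALUE_NAMES:
                reason = "value name matches the HKLM autostart entry (DrvStart)"
            elif basename in KNOWN_BAD_BASENAMES:
                reason = f"target {basename} is a file this spyware drops"
            elif name.lower() == basename and basename.endswith(".exe"):
                # Mirrors the HKCU pattern '{malware filename}.exe = "{malware path and filename}"';
                # heuristic only, some legitimate installers do the same.
                reason = "value name equals the target's own file name"
            elif any(d in path for d in SUSPICIOUS_DIRS):
                reason = "autostart target lives in an unusual directory"
            else:
                continue
            findings.append(Finding(key, name, data, reason))
    return findings


# Constructed sample export (my own, not from a real infected host). The last value of each
# key mimics the entries described on this page; crss7_V855.exe is the update file name
# that appears in the URL list of the entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"crss7_V855.exe"="\"C:\\Documents and Settings\\alice\\crss7_V855.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"DrvStart"="C:\\WINDOWS\\Media\\HPMedia.exe"
'''


def scan_sample() -> list:
    return scan_run_keys(parse_reg_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {f.reason}")
```

On a live host the input would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU key likewise); reg.exe writes the file in UTF-16, so open it with `encoding="utf-16"` before passing the text to `parse_reg_export`. The two heuristics exist because the page's HKCU value name is the malware's own (variable) filename, so a fixed indicator cannot catch it; treat those hits as leads to verify, not verdicts.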

Other Details

This spyware connects to the following possibly malicious URLs:

  • www.{BLOCKED}uca.net
  • www.{BLOCKED}juridicovivo.adv.br
  • www.{BLOCKED}a.com
  • www.{BLOCKED}u.hu
  • www.{BLOCKED}ventos.com.br
  • www.{BLOCKED}l.com.br
  • www.{BLOCKED}goforex.com
  • www.{BLOCKED}video.nl
  • www.{BLOCKED}taanet.com.br
  • www.{BLOCKED}set.com
  • www.{BLOCKED}t.fr
  • www.{BLOCKED}-pictures.ch
  • www.{BLOCKED}arwebmotorsltda.com
  • www.{BLOCKED}ly.com
  • www.{BLOCKED}decidadania.org
  • www.{BLOCKED}i.com.br
  • www.{BLOCKED}ndo.info
  • www.{BLOCKED}obirindelli.com.br
  • www.{BLOCKED}ferre.pessoal.ws
  • www.{BLOCKED}design.co.kr
  • www.{BLOCKED}ejomusicas.com
  • www.{BLOCKED}x.com.br
  • www.{BLOCKED}zz.com
  • www.{BLOCKED}k.com
  • www.{BLOCKED}wushu.at
  • www.{BLOCKED}floralameda.com
  • www.{BLOCKED}cartao766.web.br.com
  • www.{BLOCKED}fdance.msk.ru
  • www.{BLOCKED}e.com
  • www.{BLOCKED}opliquidation.co.za
  • {BLOCKED}ncaprivativa.com.br
  • http://{BLOCKED}-10.{BLOCKED}d.com/CurrVer.txt
  • http://{BLOCKED}-10.{BLOCKED}i.com/config.txt
  • http://{BLOCKED}9-10{BLOCKED}d.com/CurrVer.txt
  • http://{BLOCKED}6.{BLOCKED}1.238.89/upd/AuxImgDll.dll
  • http://www.{BLOCKED}nsurf.com.ar/n/upd/AuxImgDll.dll
  • http://{BLOCKED}6.{BLOCKED}1.238.89/upd/crss7_V855.exe
  • http://www.{BLOCKED}nsurf.com.ar/n/upd/crss7_V855.exe
  • http://{BLOCKED}10.{BLOCKED}e.com/config.txt
  • http://{BLOCKED}teinformatica1.{BLOCKED}ecity.com/configs.jpg
  • {BLOCKED}toneagles.net
  • {BLOCKED}br.teliumhosting.com.br
  • {BLOCKED}iadopovo.inf.br
  • {BLOCKED}s-order.ru
  • {BLOCKED}orldgames.com.br
  • {BLOCKED}77.{BLOCKED}-oficial.ws
  • {BLOCKED}s.net
  • {BLOCKED}tphp.com
  • {BLOCKED}fyuz.net
  • {BLOCKED}logische-praxis-schuler.de
  • {BLOCKED}emas.com
  • {BLOCKED}wopen.sitepessoal.com
  • {BLOCKED}i.lycos.it
  • {BLOCKED}unicaobr.com
  • www.{BLOCKED}b.{BLOCKED}s.it
  • www.{BLOCKED}ergy.com
  • www.{BLOCKED}-book.ru
  • www.{BLOCKED}fredericosp.com
