Threat Encyclopedia

BANKER


PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan
  • Destructiveness: No
  • Encrypted:
  • In the wild: Yes

OVERVIEW

Infection Channel:

Spammed via email, Downloaded from the Internet, Dropped by other malware


BANKER variants may arrive on a system via spammed email messages, or as a file dropped by other malware or unknowingly downloaded by the user when visiting malicious sites.

BANKER variants attempt to steal sensitive information, such as banking credentials and email account details. They employ information-stealing techniques, often phishing pages that mimic official banking sites, to obtain a user's bank information, such as user names, passwords, or card codes. The stolen information may then be sent to a predetermined email address, to drop zones on hosted servers, or to a URL via HTTP POST. It may also be used to transfer money automatically to a predetermined bank account.

The BANKER malware family is known for stealing account information from users of certain financial institutions. In 2011, BANKER malware became so prevalent that law enforcement agencies issued a bulletin warning users about its existence.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This Trojan drops the following files:

  • %Windows%\wnetsock08.dll
  • %Windows%\Media\AuxImgDll.dll
  • %Current%\AuxImgDll.dll
  • %Current%\Emails.dat
  • %Current%\upset1.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • %Windows%\Media\HPMedia.exe
  • %Current%\{malware filename}_OLD.jmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{malware filename}.exe = "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DrvStart = "%Windows%\Media\HPMedia.exe"
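A read-only host triage check for the dropped files and autostart entries described in the two sections above, added here as an example and not part of the Trend Micro write-up or its tooling. It assumes an elevated PowerShell session on the host under review and that %Windows% corresponds to $env:SystemRoot; the %Current% artifacts depend on where the sample ran, so only fixed-path items are checked.

```powershell
# Added example: read-only triage for the BANKER artifacts named on this page.
# Assumes an elevated PowerShell session and that %Windows% is $env:SystemRoot.
$windir = $env:SystemRoot

# Dropped files and copies with a fixed location. The %Current% entries
# (AuxImgDll.dll, Emails.dat, upset1.dat, {malware filename}_OLD.jmp) sit in
# the sample's working directory, which is not known in advance, so they are omitted.
$droppedFiles = @(
    "$windir\wnetsock08.dll",
    "$windir\Media\AuxImgDll.dll",
    "$windir\Media\HPMedia.exe"
)
$findings = New-Object System.Collections.Generic.List[object]

foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Record a hash so the file can be matched against vendor detections later.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = "sha256=$hash"
        })
    }
}

# Autostart entries. The HKLM value name (DrvStart) and its data are fixed on the
# page; the HKCU value is named after the malware file, so any Run value whose
# data points at the HPMedia.exe copy is reported as well.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }   # provider metadata, not registry values
        $data = [string]$p.Value
        if ($p.Name -eq 'DrvStart' -or $data -match '(?i)\\Media\\HPMedia\.exe') {
            $findings.Add([pscustomobject]@{
                Type   = 'Registry'
                Where  = "$key\$($p.Name)"
                Detail = $data
            })
        }
    }
}

if ($findings.Count -eq 0) { 'No BANKER artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on DrvStart or on any of the three files is a strong indicator, since none of them are legitimate Windows components; a hit on HKCU alone should be reviewed by hand because the value name is sample-specific.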

Other Details

This Trojan connects to the following possibly malicious URLs:

