Trojan-Spy.Win32.Banker.ahy (Kaspersky Lab)
is also known as:
PWS-Banker.gen.b (McAfee), PWSteal.Banpaes (Symantec), Trojan.PWS.Banker.based (Doctor Web), Troj/Bancb-Fam (Sophos), TSPY_BANKER.ACH (Trend Micro), TR/Spy.Banker.aew.4 (H+BEDV), Trojan.Banker.Delf.18834487 (SOFTWIN), Trojan.Spy.Banker-97 (ClamAV)
| Detection added | Oct 18 2005 12:23 GMT |
| Update released | Oct 18 2005 13:29 GMT |
| Description added | Feb 17 2006 |
| Behavior | TrojanSpy |
This Trojan is designed to steal confidential financial information. The Trojan
itself is a Windows PE EXE file. The file size varies from 356KB to 1MB or more.
Once launched, the Trojan causes the following error message to be displayed:
When installing, the Trojan copies itself to the Windows system and Startup
directories as system32.exe:
%Documents and Settings%\All Users\Start Menu\Programs\Startup\system32.exe
%System%\system32.exe
It then registers this file in the system registry, ensuring that the Trojan
will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"system32"="%System%\system32.exe"
Other variants of this Trojan may save copies of themselves under different
names.
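The persistence artifacts listed above (the Run-key value and the two dropped copies of system32.exe) can be checked for offline. The following is an added example, not part of the original description: it parses a `reg export` of the Run key and a file listing, both constructed here as sample data, and reports entries that match this Trojan's indicators while ignoring legitimate programs that merely live in the system32 directory.

```python
import ntpath
import re

# Indicators taken from the description above: the dropped file name and the
# locations the Trojan uses for persistence.
DROPPED_NAME = "system32.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"

# Constructed sample data (not from a real host): a `reg export` of the Run
# key and a file listing, each with one benign and one suspicious entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"system32"="C:\\WINDOWS\\system32\\system32.exe"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\system32.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system32.exe",
]

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files write each backslash in data as "\\"
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_indicators(reg_text, files):
    """Return findings that match the Trojan's persistence artifacts."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        # Match the file name system32.exe, not the system32 directory,
        # which legitimate Run entries such as ctfmon.exe also point into.
        if key.lower() == RUN_KEY.lower() and ntpath.basename(data).lower() == DROPPED_NAME:
            findings.append(f"run-key value {name!r} -> {data}")
    for path in files:
        low = path.lower()
        if ntpath.basename(low) == DROPPED_NAME and (
                STARTUP_FRAGMENT in low or low.endswith(r"\system32\system32.exe")):
            findings.append(f"dropped file {path}")
    return findings
```

On a live host, replace the sample data with the output of `reg export` for the Run key and a listing of %System% and the All Users Startup folder.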
The Trojan scans all open network and Internet resources for links to banking
and other financial documents. It harvests information entered via the keyboard
(login and password) and saves this information to a text file which it has
created in the Windows system directory.
The Trojan periodically sends this text file to the remote malicious user
via email.