VIRUS ALERTS

Win32/Banker

Original issue date: April 23, 2007

It has been observed that a spy trojan known as Win32/Banker is circulating in the wild. The trojan targets online banking users and steals confidential data such as logins, passwords and PINs that are required to access online bank accounts. Currently the trojan is propagating via e-mail. The e-mail asks the user to install a new "security" feature and tricks the user into downloading the malware onto the system.

The trojan is capable of bypassing the two-factor authentication mechanisms operated by online banks.

Aliases: Trojan-Spy:W32/Agent.QY [F-Secure], Trojan-Spy.Win32.Banker.cmb [Kaspersky], Spy/BanSpy [Fortinet], Trj/Wsnpoem.L [Panda]

Upon execution the trojan:

  • Copies itself to %sysdir%\ntos.exe and appends junk data to the end of the file.
  • Creates the following directory and files:

    %sysdir%\wsnpoem\ (hidden, system attributes)
    %sysdir%\wsnpoem\audio.dll - data file
    %sysdir%\wsnpoem\video.dll - config file

  • Creates the following registry values:

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    userinit="%sysdir%\ntos.exe"

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    userinit="%sysdir%\ntos.exe"

  • Modifies the following registry value (Windows starts every comma-separated entry of this value at logon, so this makes ntos.exe run with each user logon):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value "Userinit": set to "%sysdir%\userinit.exe,%sysdir%\ntos.exe,"

  • Injects itself into winlogon.exe
  • Creates the mutex

    __SYSTEM__64AD0625__

  • Contacts malicious IP addresses to download its config file, check for updates and transmit harvested data
  • Monitors network activity for the following strings and URL patterns ('*' is a wildcard):
    • *Tan*
    • *Schmetterling*
    • *berweisung*
    • *Amount*
    • *tanentry*
    • *RESULT2*
    • *citibank.de/*
    • I2=*&H0=DT
    • *banking.*/cgi/ueber*.cgi*
    • bankofamerica.com/cgi-bin/ias/*/GotoWelcome
    • https://onlineeast.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
    • CustomerServiceMenuEntryPoint?custAction=75
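As an added example (not part of the CERT-In advisory), the following Python script turns the indicators above into offline checks a responder can run over data exported from a suspect machine: the Winlogon "Userinit" value, the Run key values, a file listing, and URLs or POST bodies, to see which would trigger the trojan's monitoring. The %sysdir% expansion path and the case-insensitive substring interpretation of the wildcard patterns are assumptions made for illustration.

```python
import re

# Indicators taken from the advisory. %sysdir% stands for the Windows system
# directory; the concrete path used for expansion below is an assumption.
SYSDIR = r"C:\WINDOWS\system32"
LEGIT_USERINIT = r"%sysdir%\userinit.exe"
TROJAN_BINARY = r"%sysdir%\ntos.exe"
TROJAN_FILES = [
    r"%sysdir%\wsnpoem\audio.dll",
    r"%sysdir%\wsnpoem\video.dll",
]
MUTEX_NAME = "__SYSTEM__64AD0625__"
RUN_KEYS = [
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Strings/URL patterns the trojan watches for; '*' is a wildcard.
TARGET_PATTERNS = [
    "*Tan*",
    "*Schmetterling*",
    "*berweisung*",
    "*Amount*",
    "*tanentry*",
    "*RESULT2*",
    "*citibank.de/*",
    "I2=*&H0=DT",
    "*banking.*/cgi/ueber*.cgi*",
    "bankofamerica.com/cgi-bin/ias/*/GotoWelcome",
    "https://onlineeast.bankofamerica.com/cgi-bin/ias/*/GotoWelcome",
    "CustomerServiceMenuEntryPoint?custAction=75",
]


def normalize_path(path, sysdir=SYSDIR):
    """Expand %sysdir% and fold case so Windows paths compare reliably."""
    return path.strip().replace("%sysdir%", sysdir).lower()


def check_userinit(value, sysdir=SYSDIR):
    """Return every entry of the Winlogon 'Userinit' value except the legitimate
    userinit.exe. Windows starts each comma-separated entry at logon, which is
    how the appended ntos.exe gains persistence."""
    legit = normalize_path(LEGIT_USERINIT, sysdir)
    entries = [normalize_path(e, sysdir) for e in value.split(",") if e.strip()]
    return [e for e in entries if e != legit]


def check_run_values(run_values, sysdir=SYSDIR):
    """run_values maps a Run key path to its {value_name: data} pairs, as one
    would collect from a registry export. Returns (key, name, data) for every
    value whose data launches the trojan binary."""
    bad = normalize_path(TROJAN_BINARY, sysdir)
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            if normalize_path(data, sysdir) == bad:
                hits.append((key, name, data))
    return hits


def check_files(listing, sysdir=SYSDIR):
    """Return the paths from a file listing that match the trojan's dropped files."""
    wanted = {normalize_path(p, sysdir) for p in TROJAN_FILES + [TROJAN_BINARY]}
    return [p for p in listing if normalize_path(p, sysdir) in wanted]


def pattern_to_regex(pattern):
    """Translate a '*' wildcard pattern into a regex; every other character is
    literal. Case-insensitive substring matching is an assumption about how the
    trojan applies its patterns."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def matching_targets(request_text):
    """Return the advisory patterns that a URL or POST body would trigger."""
    return [p for p in TARGET_PATTERNS if pattern_to_regex(p).search(request_text)]


if __name__ == "__main__":
    # Constructed sample data modelled on the indicators above.
    print(check_userinit(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"))
    print(check_run_values({RUN_KEYS[0]: {"userinit": r"C:\WINDOWS\system32\ntos.exe"}}))
    print(check_files([r"C:\WINDOWS\system32\wsnpoem\video.dll", r"C:\WINDOWS\notepad.exe"]))
    print(matching_targets("https://www.citibank.de/de/onlinebanking/tanentry"))
```

The Userinit check deliberately reports anything other than the single expected entry rather than looking only for ntos.exe, so a renamed copy of the binary still shows up; the wildcard matcher is useful mainly to judge which of an organisation's own banking URLs would have been within the trojan's interest.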

In view of the high damage potential, users are advised to implement the following countermeasures:

  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date antivirus and antispyware signatures.
  • Do not visit untrusted websites.
  • Exercise caution while opening unsolicited e-mails and do not click on links embedded within them.
  • Do not disclose any financial or personal information requested in an unsolicited e-mail.
  • Contact your financial institution/bank to verify the authenticity of a received e-mail.
  • In case your financial or personal information is compromised, immediately contact your financial institution/bank and report the same.

References

http://www.viruslist.com/en/viruses/encyclopedia?virusid=154559

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003