
PWS:Win32/Banker.N


First posted on 05 January 2012.
Source: Microsoft

Aliases :

PWS:Win32/Banker.N is also known as Trojan/Win32.Farko (AhnLab), TrojanSpy.Savnut!7WiXpXEiVzQ (VirusBuster), Trojan-Spy.Win32.Savnut (Ikarus), Trojan-Spy.Win32.Farko.o (Kaspersky).

Explanation :

PWS:Win32/Banker.N is a member of Win32/Banker - a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, and relays the captured information to a remote attacker.



PWS:Win32/Banker.N disguises itself as "Adobe PDF Reader Link Helper" and registers itself as a Browser Helper Object, an in-process COM DLL that Internet Explorer loads at startup. Running inside the browser process gives it access to page content and navigation events, which is how it intercepts browser communications.



Installation

PWS:Win32/Banker.N registers its main component as a Browser Helper Object so that Internet Explorer loads it automatically each time the browser is started.

It adds the following registry keys as part of its installation:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C689C99E-3A8C-4c87-A79C-C80DC9C81632}
Sets value: (default)
With data: "adobe pdf reader link helper"

In subkey: HKLM\Software\Classes\linkrdr.AIEbho
Sets value: (default)
With data: "adobe pdf reader link helper"

In subkey: HKLM\Software\Classes\CLSID\{C689C99E-3A8C-4c87-A79C-C80DC9C81632}\InprocServer32
Sets value: (default)
With data: "<Malware file>"
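To audit a host for this persistence mechanism, the following PowerShell is an added example written for this page, not code from the Microsoft write-up. It lists every Browser Helper Object registered in the usual locations, resolves each CLSID to the DLL that Internet Explorer loads in-process, checks the DLL's Authenticode status, and flags the CLSID, ProgID and display name quoted above. The function and variable names are the editor's own. The display name alone is weak evidence, because Adobe's own AcroIEHelper.dll BHO shipped under the same "Adobe PDF Reader Link Helper" name, so the script keys on CLSID, ProgID and signature status rather than on the name by itself.

```powershell
# Added example for this page, not code from the original write-up.
# Indicators taken from the registry keys listed above.
$BankerClsid  = '{C689C99E-3A8C-4c87-A79C-C80DC9C81632}'
$BankerProgId = 'linkrdr.AIEbho'
$BankerName   = 'adobe pdf reader link helper'

function Get-BrowserHelperObject {
    # BHOs may be registered per-machine or per-user, and 32-bit IE on 64-bit
    # Windows also reads the WOW6432Node view, so enumerate all three.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $classRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid = $key.PSChildName
            $name  = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
            # Resolve the CLSID to the in-process server DLL that IE will load.
            $dll = $null
            foreach ($classRoot in $classRoots) {
                $inproc = "$classRoot\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                    break
                }
            }
            $sig = 'no-dll'
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                $sig = if (Test-Path -LiteralPath $expanded) {
                    (Get-AuthenticodeSignature -FilePath $expanded).Status.ToString()
                } else { 'missing' }
            }
            [pscustomobject]@{
                Hive      = $root.Substring(0, 4)
                CLSID     = $clsid
                Name      = $name
                DLL       = $dll
                Signature = $sig
            }
        }
    }
}

function Find-BankerNIndicator {
    # Emits the BHO entries and class registrations that match the write-up.
    foreach ($bho in Get-BrowserHelperObject) {
        $why = @()
        if ($bho.CLSID -eq $BankerClsid) { $why += 'CLSID from write-up' }
        # String -eq is case-insensitive in PowerShell. The name alone is weak
        # evidence (the legitimate Adobe BHO used it), so also require that the
        # DLL is not validly signed.
        if ($bho.Name -eq $BankerName -and $bho.Signature -ne 'Valid') {
            $why += 'Adobe display name on a DLL without a valid signature'
        }
        if ($why.Count -gt 0) {
            $bho | Add-Member -NotePropertyName Reason -NotePropertyValue ($why -join '; ') -PassThru
        }
    }
    # The ProgID lives under Classes and survives removal of the BHO entry alone.
    foreach ($hive in 'HKLM', 'HKCU') {
        $progKey = "${hive}:\SOFTWARE\Classes\$BankerProgId"
        if (Test-Path -LiteralPath $progKey) {
            [pscustomobject]@{ Hive = $hive; CLSID = $null; Name = $BankerProgId
                               DLL = $null; Signature = $null; Reason = 'ProgID from write-up' }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
Find-BankerNIndicator   | Format-List
```

Run it from an elevated prompt so both hives are readable. The `DLL` column of any flagged row is the sample to preserve before cleanup; because the DLL is loaded inside iexplore.exe, close all browser instances before deleting the three keys, or the file and key deletions will fail or be partially undone.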



Payload

Steals sensitive information

PWS:Win32/Banker.N monitors the URLs of visited sites and acts when a URL contains any of the following strings:

  • BANK
  • FIDUCIA.DE
  • DEU
  • WESTPAC


It collects the following information:

  • Computer information
  • Internet browser information
  • Clipboard data
  • Desktop and window screenshots (saved to files named with the printf-style format '%s%d_%010d.vkey.jpg')
  • User credentials, including username and passwords


Logs keystrokes

PWS:Win32/Banker.N has been observed logging keystrokes and mouse clicks. The captured data is written to a file whose name is built from the following printf-style format string:

"%s%d_%010d%s"
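Both file-name templates above are printf-style format strings: %s is a prefix (and, for the keystroke log, a suffix) that the write-up does not give, %d is a plain integer and %010d is an integer zero-padded to a minimum of ten digits. The following PowerShell is an added example for this page, not code from the write-up. It turns the fixed part of the templates into regular expressions, hunts the usual writable locations for matching files, and confirms that a ".vkey.jpg" candidate really starts with a JPEG header. The search roots, function names and sample file names are assumptions made for the example.

```powershell
# Added example for this page, not code from the original write-up.
# Fixed part of both templates: <digits>_<at least ten digits>. %010d is a
# minimum width, so values above 9999999999 print with more digits, hence {10,}.
$ScreenshotRegex = '\d+_\d{10,}\.vkey\.jpg$'   # from '%s%d_%010d.vkey.jpg'
$KeylogRegex     = '\d+_\d{10,}'               # from '%s%d_%010d%s'; suffix unknown

function Get-BankerNArtifactKind {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match $ScreenshotRegex) { return 'screenshot' }
    if ($Name -match $KeylogRegex)     { return 'possible-log' }
    return $null
}

function Test-JpegHeader {
    # A genuine JPEG starts with FF D8 FF; read only those three bytes.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 3
            $n = $fs.Read($buf, 0, 3)
            return ($n -eq 3 -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xD8 -and $buf[2] -eq 0xFF)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

function Find-BankerNArtifact {
    # Assumed search roots: the writable user and system locations a dropper
    # would typically use. Pass -Root to search elsewhere.
    param([string[]]$Root = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData))
    foreach ($r in $Root) {
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $kind = Get-BankerNArtifactKind -Name $_.Name
                if ($kind) {
                    $isJpeg = $null
                    if ($kind -eq 'screenshot') { $isJpeg = Test-JpegHeader -Path $_.FullName }
                    [pscustomobject]@{
                        Kind     = $kind
                        IsJpeg   = $isJpeg
                        Size     = $_.Length
                        Modified = $_.LastWriteTimeUtc
                        Path     = $_.FullName
                    }
                }
            }
    }
}

# Constructed sample names (not real samples) showing what the templates
# produce and which look-alike names the patterns reject.
$samples = @(
    'scr3_0001326761.vkey.jpg'    # prefix 'scr', %d=3, %010d=1326761  -> screenshot
    'kl12_0001326761.log'         # prefix 'kl', %d=12, suffix '.log'  -> possible-log
    'report_2012.jpg'             # fewer than ten digits after '_'    -> no match
    'backup_1326761000.zip'       # no digit immediately before '_'    -> no match
)
foreach ($s in $samples) { '{0,-28} {1}' -f $s, (Get-BankerNArtifactKind -Name $s) }

Find-BankerNArtifact | Format-Table -AutoSize
```

The generic "<digits>_<ten digits>" shape is not unique to this family, so treat `possible-log` hits as leads to be opened and inspected, while a `screenshot` hit with `IsJpeg` true in a temp or profile directory is strong evidence and its `Modified` timestamp bounds when the capture ran.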

Intercepts user information

PWS:Win32/Banker.N intercepts user information by injecting IFrames into the pages of the monitored online banking websites, so that attacker-controlled content is rendered alongside the legitimate page.

Additional information

PWS:Win32/Banker.N creates the following mutex to ensure that only one instance of itself is running at any one time:

Adobe_PDF_Reader_Hlp_Mtx
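A named mutex is also a cheap live indicator. The PowerShell below is an added example for this page, not code from the write-up: it tries to open the mutex by name in the caller's session namespace and in the Global namespace, and treats an access-denied error as a hit as well, because that still proves an object of that name exists. The function name is an assumption; `Mutex.TryOpenExisting` is a .NET Framework 4.5+ API.

```powershell
# Added example for this page, not code from the original write-up.
function Test-BankerNMutex {
    param([string]$Name = 'Adobe_PDF_Reader_Hlp_Mtx')
    # The name in the write-up carries no 'Global\' prefix, so a running sample
    # creates it in the BaseNamedObjects directory of its own logon session.
    # Check that namespace (the default for an unprefixed name) and Global.
    foreach ($candidate in $Name, "Global\$Name") {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
                # Opened, never acquired: just close the handle, do not ReleaseMutex.
                $m.Dispose()
                return [pscustomobject]@{ Name = $candidate; Present = $true; Detail = 'opened' }
            }
        } catch [System.UnauthorizedAccessException] {
            # The object exists but its DACL denies us: still a live instance.
            return [pscustomobject]@{ Name = $candidate; Present = $true; Detail = 'exists, access denied' }
        }
    }
    [pscustomobject]@{ Name = $Name; Present = $false; Detail = 'not found in session or Global namespace' }
}

Test-BankerNMutex
```

Because unprefixed names are per-session, run this in the interactive session whose browser is suspected, not from a remote service context. To find which process owns the mutex, Sysinternals `handle.exe -a Adobe_PDF_Reader_Hlp_Mtx` lists every handle whose name contains the string, including the owning PID.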



Analysis by Zarestel Ferrer

Last update 05 January 2012
