TrojanSpy:Win32/Banker.AEJ!cfg
First posted on 10 March 2012.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Banker.AEJ!cfg is also known as Win32/Spy.Banker.XIE trojan (ESET).
Explanation:
TrojanSpy:Win32/Banker.AEJ!cfg is a malicious JScript proxy auto-configuration file that may redirect the user's browser traffic through an attacker-controlled proxy server.
Installation
TrojanSpy:Win32/Banker.AEJ!cfg may be set to run by another malware component, for example, TrojanSpy:Win32/Banker.AEJ.
It is set via the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigURL"
With data: <TrojanSpy:Win32/Banker.AEJ!cfgURL>
Payload
Redirects browser traffic
TrojanSpy:Win32/Banker.AEJ!cfg redirects the browser traffic to the proxy server located at "188.138.51.156" if the user attempts to access any of the following URLs:
- bradesco.b.br
- bradesco.com
- bradesco.com.br
- hotmail.com
- itau.b.br
- itaupersonnalite.com.br
- live.com
- santander.b.br
- santander.com.br
- santander.com.br/pages/portal/home_pj.htm
- www.bradesco.b.br
- www.bradesco.com
- www.bradesco.com.br
- www.hotmail.com
- www.hotmail.com.br
- www.itau.b.br
- www.itau.com.br
- www.itaupersonnalite.com.br
- www.live.com
- www.santander.b.br
- www.santander.com.br
- www.santanderempresarial.com.br
- www.santanderempresarial.com.br/contingencia/pj/home_pj.htm
Analysis by Stefan Sellmer
Last update 10 March 2012