Trojan.Spy.Banker.HQ
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Spy.Banker.HQ is also known as Trojan-Spy.Win32.Banker.hq, W32/Banker.UE, TSPY_BANKER.HQ, Troj/Banker-AT.
Explanation:
On start, the virus checks whether it is already registered for automatic startup. If not, it creates a copy of the trojan executable in the Windows directory with the name WinAdCnt16.exe and a size of 181760 bytes. It then creates an entry for automatic startup under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAdCnt16.exe.
While running, the virus repeatedly checks, using DDE, for a running instance of Internet Explorer or Netscape Navigator. If one is found, the virus checks for banking URLs and displays a fake web browser window that tries to persuade the user to enter confidential data.
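The persistence indicators described above (the Run entry and the WinAdCnt16.exe copy of 181760 bytes) can be checked offline against data collected from hosts. This is an added example, not part of the original BitDefender description; it assumes `reg query` text output and a (path, size) file inventory as inputs, and the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above.
IOC_NAME = "winadcnt16.exe"
IOC_SIZE = 181760
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def run_key_hits(reg_query_output):
    """Return (value_name, data) pairs under the HKLM Run key that reference the IoC name."""
    hits, in_run_key = [], False
    for line in reg_query_output.splitlines():
        if line and not line.startswith(" "):
            # Key header line: track whether we are inside the HKLM Run key itself.
            in_run_key = line.strip().lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            name, data = m["name"], m["data"]
            if IOC_NAME in name.lower() or IOC_NAME in data.lower():
                hits.append((name, data))
    return hits

def file_hits(inventory):
    """inventory: (windows_path, size) pairs. Return (path, size_matches) for IoC-named files."""
    return [(path, size == IOC_SIZE) for path, size in inventory
            if ntpath.basename(path).lower() == IOC_NAME]

# Constructed sample data (not from a real host).
SAMPLE_REG = "\n".join([
    "",
    RUN_KEY,
    r"    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe",
    r"    WinAdCnt16.exe    REG_SZ    C:\WINDOWS\WinAdCnt16.exe",
    "",
    RUN_KEY + "Once",
    r"    Cleanup    REG_SZ    C:\Temp\WinAdCnt16.exe",
])
SAMPLE_FILES = [(r"C:\WINDOWS\notepad.exe", 201216),
                (r"C:\WINDOWS\WinAdCnt16.exe", 181760),
                (r"D:\quarantine\winadcnt16.exe", 4096)]

if __name__ == "__main__":
    for name, data in run_key_hits(SAMPLE_REG):
        print(f"Run value {name!r} -> {data}")
    for path, size_ok in file_hits(SAMPLE_FILES):
        print(f"{path}: size matches {IOC_SIZE} = {size_ok}")
```

A file with the right name but a different size is still reported, with the size flag set to false, so a renamed or modified copy is not silently skipped.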
The virus contains references to the following websites:
http://www.[removed].com.br/2/meubradnovo.htm
http://www.[removed].com.br/5/meuitau.htm
http://www.[removed].com.br/1/meubb.htm
http://www.[removed].com.br/3/meucaixa.htm
http://www.[removed].com.br/4/meugera.htm
Last update 21 November 2011