
Trojan.Banker.LCG


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Banker.LCG is also known as Trojan-Spy.Win32.Goldun.axt, Trojan.Goldun, Win32/Spy.Goldun.NDJ, Trojan:Win32/Agent.PX.

Explanation:

When present on the affected computer and executed, it drops two files:
* %system32%\cabpck.dll
* %system32%\krnlcab.sys
It then runs cabpck.dll and deletes the file initially executed, which is packed with a custom packer posing as UPX.

The krnlcab.sys driver runs as a kernel-mode service and has a protective role for the other malware components, hiding their files and registry keys (rootkit behaviour).
It is registered as a service by creating these registry keys:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\DisplayName [data: Cabinet Kernel Packer]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\ErrorControl [data: dword:00000000]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\ImagePath [data: system32\krnlcab.sys]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Start [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Type [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Security\(Default) [data: (value not set)]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Security\Security [data: %hex numbers%]
Type dword:00000001 is SERVICE_KERNEL_DRIVER and Start dword:00000001 is SERVICE_SYSTEM_START, so the driver is loaded by the kernel during boot, before user-mode security software starts.

It also creates these keys so the driver is loaded even in Safe Mode (booting into Safe Mode therefore does not disable the rootkit):
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\krnlcab.sys (Default) [data: Driver]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\krnlcab.sys (Default) [data: Driver]

The dynamic-link library (cabpck.dll) is run at startup by registering it as a Winlogon notification package with these keys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Asynchronous [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\DllName [data: hex(2):%hex numbers% (cabpck.dll)]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Impersonate [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\MaxWait [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Startup [data: cabpck]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\a950 [data: 712AEDAB17C74BC73]
Winlogon loads the DLL named by DllName into winlogon.exe and calls the export named by Startup (here "cabpck") when the system starts. This notification-package mechanism exists on Windows XP and Server 2003; Windows Vista and later no longer honour this registry location.

It adds an exception to the Windows Firewall by creating the value %system32%\rundll32.exe under the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplicationsList. This is done so that the DLL can be executed through the legitimate rundll32.exe without any pop-ups from the firewall.
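The artifacts listed above can be checked offline. The following Python script is an added example written for this page, not BitDefender's code or anything from the malware itself: it parses a regedit / `reg export` .reg file and reports each Trojan.Banker.LCG persistence artifact it finds (the krnlcab service together with its kernel-driver and system-start flags, the two SafeBoot entries, the cabpck Winlogon Notify package, and the rundll32.exe firewall exception). The embedded .reg text is a constructed sample built from the key names on this page; the firewall entry path C:\WINDOWS\system32\rundll32.exe is assumed.

```python
import re

# Constructed sample of a regedit / 'reg export' .reg file holding the artifacts
# listed above. Not an export from a real host: the key and value names come from
# the write-up, the firewall entry path C:\WINDOWS\system32\rundll32.exe is assumed.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab]
"DisplayName"="Cabinet Kernel Packer"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,\
  72,00,6e,00,6c,00,63,00,61,00,62,00,2e,00,73,00,79,00,73,00,00,00
"Start"=dword:00000001
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\krnlcab.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\krnlcab.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
"Asynchronous"=dword:00000001
"DllName"="cabpck.dll"
"Impersonate"=dword:00000001
"MaxWait"=dword:00000001
"Startup"="cabpck"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplicationsList]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"""

_CS = r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CONTROLSET\d{3}|CURRENTCONTROLSET)\\"
IOC_KEYS = [  # (label, regex matched against the upper-cased key path)
    ("krnlcab driver service key", _CS + r"SERVICES\\KRNLCAB$"),
    ("krnlcab forced to load in Safe Mode (Minimal)", _CS + r"CONTROL\\SAFEBOOT\\MINIMAL\\KRNLCAB\.SYS$"),
    ("krnlcab forced to load in Safe Mode (Network)", _CS + r"CONTROL\\SAFEBOOT\\NETWORK\\KRNLCAB\.SYS$"),
    ("cabpck registered as a Winlogon Notify package",
     r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\CABPCK$"),
]


def _unquote(s: str) -> str:
    """Strip regedit's surrounding quotes and undo its backslash escaping."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(data: str):
    """Decode a value body: "string", dword:hex, or hex(N):aa,bb,... blobs.
    hex(1)/hex(2) (REG_SZ/REG_EXPAND_SZ) hold UTF-16LE text; other blobs stay bytes."""
    if data.startswith('"') and data.endswith('"'):
        return _unquote(data)
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if not m:
        return data
    kind = int(m.group(1) or 3)  # bare "hex:" means REG_BINARY (type 3)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00") if kind in (1, 2) else raw


def parse_reg_export(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        pending += raw.strip()
        if pending.endswith("\\"):  # regedit wraps long hex values with a trailing backslash
            pending = pending[:-1]
            continue
        line, pending = pending, ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, sep, data = line.partition("=")  # value names in these artifacts carry no '='
        if current is not None and sep:
            keys[current]["(Default)" if name == "@" else _unquote(name)] = _decode_value(data)
    return keys


def scan_for_goldun(keys: dict) -> list:
    """Return one finding per Trojan.Banker.LCG persistence artifact present."""
    findings = []
    for path, values in keys.items():
        upper = path.upper()
        findings += [f"{label}: {path}" for label, pat in IOC_KEYS if re.match(pat, upper)]
        # Type 1 = SERVICE_KERNEL_DRIVER, Start 1 = SERVICE_SYSTEM_START: the rootkit is
        # loaded by the kernel during boot, before user-mode security software runs.
        if upper.endswith("\\SERVICES\\KRNLCAB") and values.get("Type") == 1 and values.get("Start") == 1:
            findings.append(f"krnlcab is a system-start kernel driver, image {values.get('ImagePath')}")
        # rundll32.exe on the firewall allow-list lets any DLL it hosts talk out without a prompt.
        if upper.endswith("\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONSLIST"):
            findings += [f"rundll32.exe allowed through Windows Firewall: {n}"
                         for n in values if n.upper().endswith("\\RUNDLL32.EXE")]
    return findings


if __name__ == "__main__":
    print("\n".join(scan_for_goldun(parse_reg_export(SAMPLE_REG_EXPORT))))
```

Feed it real exports with parse_reg_export(open("system.reg", encoding="utf-16").read()), since regedit writes .reg files as UTF-16LE text. Because krnlcab.sys hides its registry keys from the running system, an export taken while the driver is loaded may come back clean; export from the offline SYSTEM and SOFTWARE hives instead (boot from clean media or mount the disk image). The live configuration may sit under ControlSet002 rather than ControlSet001, which is why the patterns accept any ControlSetNNN or CurrentControlSet.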

It tries to steal passwords by reading the registry keys SOFTWARE\Microsoft\Internet Account Manager\Accounts (the Outlook Express mail account store) and HKEY_CURRENT_USER\Software\RIT\The Bat! (the The Bat! mail client), which hold encrypted private data of the user.

Usually it has a command-and-control server of the following form: http://[malware_website].(biz|ru). The website may differ from sample to sample, but the actions are similar.

Communication with the server is done through a script on the website. The server can assign multiple jobs to an infected system: download and execute a file (for example a rogue clone of "XP Antivirus"), update the Windows hosts file (%system32%\drivers\etc\hosts) and other administrative commands for the malware on the infected computer.
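The hosts-file job is worth a dedicated check during triage. The script below is an added example, not part of the original write-up: it classifies every non-default entry in a hosts file, treating names pinned to loopback or 0.0.0.0 as blocked (the usual way to cut off antivirus updates) and names pinned to any other address as silently redirected (the usual way to send a banking domain to a phishing host). The sample hosts content is constructed; the .test domains and the address 198.51.100.23 are made up for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of %system32%\drivers\etc\hosts after tampering. The two
# flagged entries, the .test domains and the address are made up for this example.
SAMPLE_HOSTS = """# static host name table
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test                           # sinkhole: AV update site unreachable
198.51.100.23   www.example-bank.test online.example-bank.test   # bank names sent to another host
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs, one per name; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], name) for name in fields[1:])
    return pairs


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str, str]]:
    """Classify every entry that is not a default localhost mapping.
    A name pinned to loopback/0.0.0.0 is sinkholed (the site becomes unreachable);
    a name pinned to anything else is redirected (traffic goes to the attacker's host)."""
    hits = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            hits.append((addr_text, name, "unparseable address"))
            continue
        if name.lower() in LOCAL_NAMES:
            if not addr.is_loopback:
                hits.append((addr_text, name, "localhost mapped away from loopback"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((addr_text, name, "sinkholed (site blocked)"))
        else:
            hits.append((addr_text, name, "redirected to another host"))
    return hits


if __name__ == "__main__":
    for addr_text, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{reason:36} {name} -> {addr_text}")
```

Run it against a copy of %system32%\drivers\etc\hosts taken from the suspect machine. Ad-blocking hosts lists legitimately produce many loopback entries, so treat the output as triage input: redirected entries and sinkholed security-vendor or update domains are the ones to escalate.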

Last update 21 November 2011
