
TrojanSpy:Win32/Banker.AJC


First posted on 12 September 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Banker.AJC is also known as TR/PSW.FakeMSN.R.1 (Avira), Trojan-PWS.Win32.FakeMSN (Ikarus).

Explanation:



TrojanSpy:Win32/Banker.AJC is a data-stealing trojan that is a DLL component of the Win32/Banker family.

These data-stealing trojans capture online banking credentials, such as account login names and passwords, and relay the captured information to a remote attacker. Most Win32/Banker variants target customers of Brazilian banks.

If your computer is detected with this threat, then it is likely that you have also been infected by other variants of the Win32/Banker or Win32/Banload families.

Please see the individual variant entries in the encyclopedia for additional recovery information.



Installation

TrojanSpy:Win32/Banker.AJC is downloaded onto your computer by other malware, often by variants of the Win32/Banload family.

The trojan is usually installed in the following location with the file name "netsecurity.cpl":

%APPDATA%\Microsoft\Windows\

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

To ensure it runs each time you log on to Windows, the trojan is also installed to the <startup folder>.

Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu\Programs\Startup". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".

The trojan is installed onto your computer along with other files. These files may be configuration files or other variants of the Win32/Banker or Win32/Banload families.

If TrojanSpy:Win32/Banker.AJC finds these configuration files on your computer, it will read and decrypt them. Once decrypted, these other files may also be detected as additional malware.

During analysis we were unable to determine which malware these files may be detected as. For a list of the files, please see the Additional information section in this entry.



Payload

Steals sensitive information

TrojanSpy:Win32/Banker.AJC may also log keystrokes and send the captured keystrokes to a remote server.

At the time of analysis we were unable to determine the address of this server.

Injects code

When run, TrojanSpy:Win32/Banker.AJC loads other component DLL files, if it finds them on your computer, and injects the code from these other DLL files into system processes such as "svchost.exe" and "explorer.exe", possibly in an effort to hinder detection and removal.

Additional information

TrojanSpy:Win32/Banker.AJC may be installed on your computer along with other component files of the Win32/Banker or Win32/Banload families, including:

  • %APPDATA%\drivers\ablxm.dll
  • %APPDATA%\drivers\rtl2108.rtl
  • %APPDATA%\drivers\rtl256.vxd
  • %APPDATA%\drivers\rtl3264.vxd
  • %APPDATA%\drivers\rtl6432.vxd
  • %APPDATA%\drivers\rtl745G.vxd
  • %APPDATA%\drivers\rtl8192.vxd
  • %APPDATA%\drivers\rtl8194.vxd
  • %APPDATA%\drivers\rtl856l.vxd
  • %APPDATA%\drivers\rtl8704.vxd
  • %APPDATA%\drivers\rtl9976.vxd
  • %APPDATA%\Microsoft\Windows\kb8532.scr

Related encyclopedia entries

Win32/Banker

Win32/Banload



Analysis by Elda Dimakiling

Last update 12 September 2012
