Infostealer.Bankeiya
First posted on 28 February 2014.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Bankeiya.
Explanation:
When the Trojan is executed, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IcpIpCfg" = "Rundll32 "%UserProfile%\Application Data\[RANDOM FILE NAME].dll" MainThread"
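As an added defender-side example (not part of the Symantec writeup), the following Python parses the text of a `reg export` of the HKCU Run key and flags entries matching the persistence pattern above: the value name IcpIpCfg, or Rundll32 loading a DLL from Application Data through a MainThread export. The sample .reg text and the DLL name kqzx81.dll are constructed for illustration.

```python
import re

# Constructed sample of "reg export HKCU\...\Run" output; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"IcpIpCfg"="Rundll32 \"C:\\Documents and Settings\\alice\\Application Data\\kqzx81.dll\" MainThread"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

# "name"="data" lines; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32 <dll path, optionally quoted> <export name>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(.+?\.dll)"?\s+(\w+)\s*$', re.IGNORECASE)


def unescape_reg(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text):
    """Return {value name: command} for the ...\CurrentVersion\Run key only."""
    values = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run = line.lower().endswith(r'\currentversion\run]')
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            values[unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return values


def bankeiya_indicators(values):
    """Return (name, command, reasons) for Run entries matching the writeup."""
    hits = []
    for name, cmd in values.items():
        reasons = []
        if name.lower() == 'icpipcfg':
            reasons.append('value name IcpIpCfg')
        m = RUNDLL_RE.match(cmd)
        if m and 'application data' in m.group(1).lower() and m.group(2) == 'MainThread':
            reasons.append('Rundll32 loads a DLL from Application Data via MainThread')
        if reasons:
            hits.append((name, cmd, reasons))
    return hits


if __name__ == '__main__':
    for name, cmd, reasons in bankeiya_indicators(parse_run_values(SAMPLE_REG)):
        print(f'{name}: {cmd}\n  -> {"; ".join(reasons)}')
```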
Next, the Trojan downloads configuration settings from the following URL:
http://profile.hatena.ne.jp/ml[RANDOM NUMBER]
It then saves the configuration settings to the following file before updating itself:
%UserProfile%\Application Data\ini.ini
The Trojan sends the operating system (OS) version installed on the compromised computer to the following location:
http://www.bttxs.com/getp.asp?MAC=&VER=[OS VERSION]
The Trojan then monitors Internet Explorer traffic for the following URLs associated with online banking sites:
https://direct.jp-bank.japanpost.jp/tp1web/U010101SCK.do?link_id=ycDctLgn
https://web4.ib.mizuhobank.co.jp/servlet/mib?xtr=EmfLogOff&NLS=JP
If one of the above URLs is visited, the Trojan displays a fake login screen and records any entered credentials.
The Trojan then sends the stolen credentials to the remote attacker.
Last update 28 February 2014