TrojanDropper:Win32/Banker.J
First posted on 18 May 2012.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Banker.J is also known as Trojan.Banker!Qc6E0s1OqHA (VirusBuster), Proxy.dropper (AVG), DR/Banker.AK (Avira), Generic.Banker.OT.5C6A27FD (BitDefender), Trojan.PWS.Banker1.1298 (Dr.Web), BAT/Spy.Banker.W trojan (ESET), Trojan-Banker.BAT.Banker.v (Kaspersky), PWS-Banker!hcq (McAfee), Infostealer.Bancos (Symantec), TROJ_BANKER.JDR (Trend Micro).
Explanation:
TrojanDropper:Win32/Banker.J is a trojan that drops a malicious JScript file, detected as TrojanProxy:JS/Banker.N, that may redirect your browser traffic through an attacker-controlled proxy server.
Installation
When executed, it drops and runs the following file, which is also detected as TrojanDropper:Win32/Banker.J:
%Temp%\7.tmp\devilNormal.bat
Payload
Downloads and runs files
When the file "devilNormal.bat" is run, it attempts to connect to the server "sivellongrupp.ee" via TCP port 80 to download a malicious JScript proxy configuration file, detected as TrojanProxy:JS/Banker.N.
Modifies Internet settings
TrojanDropper:Win32/Banker.J modifies certain Internet settings by running commands against the system registry. It changes the following settings:
- Sets the proxy configuration file for Internet Explorer to "%Temp%/AVM5.txt", a text file that may be detected as TrojanProxy:JS/Banker.N
- Enables HTTP 1.1
- Disables the proxy server set in the registry
- Disables the Use HTTP 1.1 through proxy connections setting in Internet Explorer
- Prevents the Advanced tab from displaying in the Control Panel > Internet Options > Internet Properties dialog box
- Resets Internet Explorer settings
- Disables the Automatically Detect Settings check box
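The settings listed above map onto the standard WinINet values in the current user's registry hive. The following script is an added example for defenders (it is not Microsoft's analysis tooling and the encyclopedia entry does not name the registry values; the assumption is that "AutoConfigURL", "ProxyEnable", "ProxyHttp1.1" under Internet Settings and the "AdvancedTab" policy value are what the dropper's registry commands touch). It flags the combination this entry describes: a proxy auto-config URL that points at a local file under %Temp% while the registry proxy is disabled, HTTP 1.1 through proxies turned off, and the Advanced tab hidden. On Windows it reads the live registry; elsewhere it runs against a constructed sample mirroring the entry.

```python
"""Heuristic check of the Internet Explorer / WinINet proxy settings that
TrojanDropper:Win32/Banker.J is described as tampering with.

Added example, not Microsoft's tooling. Registry value names are the
standard WinINet ones (assumption: these are the values the dropper's
"commands against the system registry" modify; the entry does not list them).
"""
import re
import sys

# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
IE_CONTROL_PANEL_POLICY = r"Software\Policies\Microsoft\Internet Explorer\Control Panel"

# Prefixes a legitimate PAC URL should never have: local file or %Temp% paths.
LOCAL_PAC_PATTERNS = re.compile(
    r"^(file:|[a-z]:[\\/]|\\\\|%temp%|%tmp%|%appdata%)", re.IGNORECASE)


def pac_url_is_suspicious(url):
    """True when the auto-config URL resolves to a local file.

    The entry's '%Temp%/AVM5.txt' is a text file dropped on disk, not a
    script served from a corporate web server, which is the telltale sign.
    """
    if not url:
        return False
    u = url.strip()
    if LOCAL_PAC_PATTERNS.match(u):
        return True
    # Expanded %Temp% paths look like C:\Users\...\AppData\Local\Temp\...
    return bool(re.search(r"[\\/]temp[\\/]", u, re.IGNORECASE))


def assess_internet_settings(settings, policy):
    """Return findings for a dict of Internet Settings values and a dict of
    IE Control Panel policy values (both as read from HKCU)."""
    findings = []
    pac = settings.get("AutoConfigURL")
    if pac_url_is_suspicious(pac):
        findings.append("AutoConfigURL points to a local file: %r" % pac)
    # The entry describes the registry proxy being disabled while the
    # auto-config file performs the redirection instead.
    if pac and settings.get("ProxyEnable", 1) == 0:
        findings.append("ProxyEnable=0 while AutoConfigURL is set (PAC-only proxying)")
    if settings.get("ProxyHttp1.1") == 0:
        findings.append("'Use HTTP 1.1 through proxy connections' disabled (ProxyHttp1.1=0)")
    # Hiding the Advanced tab keeps the user from inspecting or resetting these.
    if policy.get("AdvancedTab") == 1:
        findings.append("Advanced tab hidden in Internet Options (policy AdvancedTab=1)")
    return findings


def read_live_settings():
    """Dump both keys from the current user's hive (Windows only)."""
    import winreg  # assumption: running on Windows

    def dump(path):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    out[name] = value
                    index += 1
        except OSError:
            pass  # key absent: nothing configured there
        return out

    return dump(INTERNET_SETTINGS), dump(IE_CONTROL_PANEL_POLICY)


if __name__ == "__main__":
    if sys.platform == "win32":
        settings, policy = read_live_settings()
    else:
        # Constructed sample reproducing the state the entry describes.
        settings = {"AutoConfigURL": r"%Temp%/AVM5.txt", "ProxyEnable": 0,
                    "ProxyHttp1.1": 0, "EnableHttp1_1": 1}
        policy = {"AdvancedTab": 1}
    for finding in assess_internet_settings(settings, policy):
        print("FINDING:", finding)
```

A clean host with a corporate PAC served over HTTP and the proxy tab visible produces no findings; the constructed sample yields four. Remediation after detection is to clear AutoConfigURL, restore ProxyEnable and ProxyHttp1.1, remove the AdvancedTab policy value, and delete the dropped files named in the entry.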
Analysis by Wei Li
Last update 18 May 2012