TrojanProxy:Win32/Banker.O
First posted on 19 May 2012.
Source: Microsoft
Aliases:
TrojanProxy:Win32/Banker.O is also known as TR/Proxy.Banker.O (Avira), Trojan.PWS.Banker1.1298 (Dr.Web), BAT/Spy.Banker.W trojan (ESET), Trojan-Banker.BAT.Banker.v (Kaspersky), PWS-Banker!hcw (McAfee).
Explanation:
TrojanProxy:Win32/Banker.O is a trojan that downloads a malicious JScript file. The downloaded file, detected as TrojanProxy:JS/Banker.N, redirects your browser traffic through an attacker-controlled proxy server.
Installation
When run, it drops and executes a batch file, also detected as TrojanProxy:Win32/Banker.O, at the following location:
%Temp%\7.tmp\systemno.bat
Payload
Downloads other malware
When the batch file "systemno.bat" is run, it tries to connect to the IP address "176.31.254.55" to download a malicious JScript proxy configuration file as "%Temp%\avm9.txt". This configuration file is detected as TrojanProxy:JS/Banker.N.
Sets a proxy server for Internet connections
TrojanProxy:Win32/Banker.O sets a proxy server for Internet connections to the server indicated in "%Temp%\avm9.txt" by running the following command:
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://%Temp%/AVM9.txt" /f
Setting a proxy autoconfiguration file for all Internet connections means that all your Internet traffic can be routed through the server named in that file, which may be controlled by an attacker.
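The following PowerShell script is an added example for defenders, not code from the Microsoft entry above: it reads the AutoConfigUrl value from the HKLM Internet Settings key named on this page and flags a value that points at a file:// URL or at a file inside the current user's %Temp% directory, which is the pattern this trojan's reg.exe command produces. As an assumption beyond the page, it also checks the per-user HKCU equivalent of the same key, since browser proxy settings are read from there as well.

```powershell
# Added example (not from the Microsoft encyclopedia entry): audit the
# AutoConfigUrl value that TrojanProxy:Win32/Banker.O sets via reg.exe.
# The HKLM path is the one named on the page; the HKCU path is an assumption
# added so that per-user proxy settings are audited too.
$settingsPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

# Resolved %Temp% of the current user; the page says the PAC file is written there.
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP)

function Test-SuspiciousAutoConfigUrl {
    param([string]$Url)

    # No autoconfig URL at all is the normal state on most workstations.
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }

    # A PAC script served from the local filesystem rather than from an
    # administrator-managed http(s) URL matches the pattern on this page.
    if ($Url -match '^file:') { return $true }

    # Otherwise, expand any %Temp%-style variables, normalise slashes and see
    # whether the path resolves into the temp directory.
    $candidate = [Environment]::ExpandEnvironmentVariables($Url)
    $candidate = $candidate -replace '/', '\'
    try {
        $full = [System.IO.Path]::GetFullPath($candidate)
        if ($full.StartsWith($tempDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    } catch {
        # Not a filesystem path (e.g. an http:// URL); treat as not suspicious here.
    }
    return $false
}

foreach ($path in $settingsPaths) {
    if (-not (Test-Path $path)) { continue }

    # Get-ItemProperty returns $null for the property when the value is absent.
    $value = (Get-ItemProperty -Path $path -Name AutoConfigUrl -ErrorAction SilentlyContinue).AutoConfigUrl

    [pscustomobject]@{
        Hive          = $path.Split(':')[0]
        AutoConfigUrl = $value
        Suspicious    = (Test-SuspiciousAutoConfigUrl -Url $value)
    }
}

# After confirming that a flagged value was not set by your own administrators,
# the setting can be cleared with, for example:
#   Remove-ItemProperty -Path $settingsPaths[0] -Name AutoConfigUrl
# and the referenced PAC file quarantined for analysis.
```

Run it from an elevated PowerShell prompt so the HKLM key is readable; the output is one row per hive with the current AutoConfigUrl and a Suspicious flag, which makes it easy to fold into a wider host survey or a scheduled audit.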
Analysis by Wei Li
Last update 19 May 2012