TrojanSpy:Win32/Bafi.Q
First posted on 28 February 2013.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Bafi.Q is also known as TrojanSpy.Banker!pOua17PZ7mI (VirusBuster), Trojan horse PSW.Banker6.UPI (AVG), TR/Spy.Gen (Avira), Win32/Spy.Banker.XSM trojan (ESET), Trojan-PWS.Banker6 (Ikarus), TROJ_SPNR.26DF12 (Trend Micro).
Explanation:
TrojanSpy:Win32/Banker.VCA is a member of Win32/Banker, a family of data-stealing trojans that capture online banking credentials, such as account login names and passwords, and relay the captured information to a remote attacker. TrojanSpy:Win32/Banker.VCA disguises itself as "Adobe PDF Reader Link Helper" and registers on the computer as a Browser Helper Object (BHO), which gives it a position inside the browser from which it can intercept browser communications.
Installation
TrojanSpy:Win32/Banker.VCA is installed on the computer as a BHO, so Internet Explorer loads it every time the browser is opened.
It adds the following registry keys as part of its installation:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}
Sets value: "(default)"
With the following data: "Adobe PDF Reader Link Helper"
In subkey: HKLM\Software\Classes\linkrdr.AIEbho
Sets value: "(default)"
With data: "Adobe PDF Reader Link Helper"
In subkey: HKLM\Software\Classes\CLSID\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}\InprocServer32
Sets value: "(default)"
With the following data: "<malware file>"
TrojanSpy:Win32/Banker.VCA creates the following mutex to ensure that only one instance of itself is running at any one time:
Adobe_PDF_Reader_Hlp_Mtx
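The registry artifacts above are the easiest part of this installation to check for on a suspect machine. The script below is an added example, not part of the Microsoft write-up: it parses the text produced by `reg export` for the Browser Helper Objects key and the CLSID tree, resolves every registered BHO to its InprocServer32 DLL, and flags entries that match the CLSID, display name or ProgID listed above, or whose DLL lives outside Program Files / Windows. The write-up gives the DLL only as "<malware file>", so no file name is hard-coded; the sample dump embedded in the script is constructed for the example, and its DLL path and the second "Example Vendor" BHO are placeholders.

```python
"""Triage a `reg export` dump for the BHO registration described in the write-up.

Added example for this page; the .reg sample at the bottom is constructed.
"""

# Indicators taken from the write-up. The DLL path is given there only as
# "<malware file>", so it is not an indicator here.
IOC_CLSID = "{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}"
IOC_NAME = "Adobe PDF Reader Link Helper"
IOC_PROGID = "linkrdr.AIEbho"

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID"
# Directories where a legitimately installed BHO DLL is normally expected.
TRUSTED_DIRS = ("C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\", "C:\\WINDOWS\\")


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits for string values.

    Returns {KEY_PATH_UPPER: {value_name: data}}; the "(default)" value is '@'.
    Key paths are upper-cased because the registry is case-insensitive.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys[current] = {}
        elif current is not None and line.startswith(("@", '"')) and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg doubles backslashes and escapes quotes inside string data
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def enumerate_bhos(keys):
    """Resolve each registered BHO CLSID to its in-process DLL and list reasons to look closer."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(BHO_ROOT + "\\"):
            continue
        clsid = path[len(BHO_ROOT) + 1:]
        if "\\" in clsid:  # a sub-key beneath a CLSID entry, not a BHO itself
            continue
        inproc = keys.get(f"{CLSID_ROOT}\\{clsid}\\INPROCSERVER32", {})
        dll = inproc.get("(default)", "")
        name = values.get("(default)") or keys.get(f"{CLSID_ROOT}\\{clsid}", {}).get("(default)", "")
        reasons = []
        if clsid == IOC_CLSID.upper():
            reasons.append("CLSID matches the Bafi.Q/Banker.VCA write-up")
        if name == IOC_NAME:
            reasons.append("display name matches the write-up")
        if not dll:
            reasons.append("no InprocServer32 DLL registered")
        elif not dll.upper().startswith(TRUSTED_DIRS):
            reasons.append("DLL outside Program Files / Windows: " + dll)
        findings.append({"clsid": clsid, "name": name, "dll": dll, "reasons": reasons})
    return findings


def progid_present(keys):
    """True if the ProgID the write-up lists was exported under HKLM\\Software\\Classes."""
    return f"HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\{IOC_PROGID.upper()}" in keys


# Constructed sample: one benign-looking BHO (placeholder vendor) and one that
# carries the registration from the write-up with a placeholder DLL path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}]
@="Adobe PDF Reader Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\linkrdr.AIEbho]
@="Adobe PDF Reader Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}\InprocServer32]
@="C:\\Users\\Public\\placeholder.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for entry in enumerate_bhos(parsed):
        status = "SUSPECT" if entry["reasons"] else "ok"
        print(f"{status:7} {entry['clsid']} {entry['name']!r} -> {entry['dll']}")
        for reason in entry["reasons"]:
            print("        -", reason)
    print("ProgID", IOC_PROGID, "present:", progid_present(parsed))
```

On a live system the input comes from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg /y` and a second export of `HKLM\Software\Classes`; `reg export` writes UTF-16LE, so open the files with `encoding="utf-16"`. A path-based heuristic is only a first pass (a legitimate BHO can live under Program Files and a malicious one can be dropped there), and on 64-bit Windows the 32-bit browser also reads the `Wow6432Node` copies of both trees, so export those too. The mutex name listed above is a runtime indicator that a registry export will not show.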
Payload
Steals sensitive information
TrojanSpy:Win32/Banker.VCA logs the credentials entered into certain websites when those sites are visited from the computer. It harvests the information by injecting IFrames into the monitored pages.
It steals information entered into websites whose names contain any of the following strings:
- aut
- bank
- bankofamerica
- comdirect
- deu
- fiducia.de
- hotmail
- live.com
- microsoft
- passport
- skype
- westpac
- yahoo.com
It also steals information entered into the following websites:
- .cajamadrid.es
- .credit-agricole.fr/g1/ssl/identification
- bancofarnet.bancofar.es
- caixanova.es/
- caixasabadell.net/banca
- caixatarragona.es/servlet/GatewayServlet
- credit-agricole.fr
- desk.net-temps.com/login.html
- ebanking.nationalirishbank.ie
- ebanking.northernbank.co.uk
- employer.dice.com/login_r.epl
- ing.ingdirect.es
- losangeles.jobing.com/recruiting
- netbank.danskebank.dk
- netbank.danskebank.dk/HB?
- oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login
- pccaja.lacajadecanarias.es
- seguro.cam.es/camd
- www.beyond.com/EMP/Login/Action/Login.asp
- www.caixacatalunya.com
- www.careercast.com/careers/user/setCredentials
- www.mitnykredit.dk
- www.personas.santanderrio.com.ar
- www.ulsterbankanytimebanking.ie
- www.washingtonpost.com/wl/jobs/EmployerUserServlet
It steals the following:
- Information about your computer
- Information about the browser that you are using
- Data stored in your clipboard
- Screenshots of your desktop and open windows
- User credentials, including user names and passwords, for the monitored websites
Logs keystrokes
TrojanSpy:Win32/Banker.VCA has been observed logging keystrokes and mouse clicks. It saves the information in a randomly-named file.
Removes security software
TrojanSpy:Win32/Banker.VCA looks for the file "rookscom.dll", which is associated with a third-party security product. If the file is found, the trojan attempts to prevent the browser from loading it.
Analysis by Zarestel Ferrer
Last update 28 February 2013