TrojanSpy:Win32/Bafi.Q


First posted on 28 February 2013.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Bafi.Q is also known as TrojanSpy.Banker!pOua17PZ7mI (VirusBuster), Trojan horse PSW.Banker6.UPI (AVG), TR/Spy.Gen (Avira), Win32/Spy.Banker.XSM trojan (ESET), Trojan-PWS.Banker6 (Ikarus), TROJ_SPNR.26DF12 (Trend Micro).

Explanation:



TrojanSpy:Win32/Banker.VCA is a member of Win32/Banker, a family of data-stealing trojans that capture online banking credentials, such as account login names and passwords, and relay the captured information to a remote attacker. TrojanSpy:Win32/Banker.VCA disguises itself as "Adobe PDF Reader Link Helper" and is registered on the computer as a Browser Helper Object (BHO), which lets it intercept browser communications.



Installation

TrojanSpy:Win32/Banker.VCA is installed on the computer as a BHO that loads every time you open a web browser.

It adds the following registry keys as part of its installation:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}
Sets value: "(default)"
With data: "Adobe PDF Reader Link Helper"

In subkey: HKLM\Software\Classes\linkrdr.AIEbho
Sets value: "(default)"
With data: "Adobe PDF Reader Link Helper"

In subkey: HKLM\Software\Classes\CLSID\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}\InprocServer32
Sets value: "(default)"
With data: "<malware file>"

TrojanSpy:Win32/Banker.VCA creates the following mutex to ensure that only one instance of itself is running at any one time:

Adobe_PDF_Reader_Hlp_Mtx
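As an added example (not from this page or from Microsoft), the following Python check parses a .reg export of the HKLM hive and flags the BHO registration, ProgID and InprocServer32 artifacts listed above, together with any other BHO whose DLL loads from an unexpected directory; the sample export and the trusted-directory allow-list are constructed assumptions, not data from the page.

```python
BHO_ROOT = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
CLASSES = "HKEY_LOCAL_MACHINE\\Software\\Classes"
BAFI_CLSID = "{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}"  # CLSID listed on the page
BAFI_PROGID = "linkrdr.AIEbho"                          # ProgID listed on the page
BAFI_NAME = "Adobe PDF Reader Link Helper"             # display name listed on the page
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")     # assumption: heuristic allow-list only

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_bafi_indicators(keys):
    """Flag the Bafi ProgID, its CLSID or name under the BHO key, and BHO DLLs outside trusted dirs."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    if (CLASSES + "\\" + BAFI_PROGID).lower() in lower:
        findings.append("progid:" + BAFI_PROGID)
    root = BHO_ROOT.lower() + "\\"
    for key, values in lower.items():
        clsid = key[len(root):]
        if not key.startswith(root) or "\\" in clsid:
            continue  # only direct subkeys of the BHO key register a helper
        server = lower.get((CLASSES + "\\CLSID\\" + clsid + "\\InprocServer32").lower(), {})
        dll = server.get("(default)", "")
        if clsid == BAFI_CLSID.lower():
            findings.append("clsid:" + clsid)
        if values.get("(default)") == BAFI_NAME:
            findings.append("name:" + clsid)  # weak alone: the genuine Adobe helper uses this name
        if dll and not dll.lower().startswith(TRUSTED_DIRS):
            findings.append("untrusted-dll:" + clsid + ":" + dll)
    return findings

SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}]
@="Adobe PDF Reader Link Helper"
[HKEY_LOCAL_MACHINE\Software\Classes\linkrdr.AIEbho]
@="Adobe PDF Reader Link Helper"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{975670D0-7EFB-4fa8-90FA-3AE575B9FB77}\InprocServer32]
@="C:\\Users\\Public\\pdfhlp.dll"
"""

def scan_sample():  # runs the checks over SAMPLE_REG, a constructed export of the keys above
    return find_bafi_indicators(parse_reg_export(SAMPLE_REG))
```

On a live system the same functions can be fed the output of `reg export HKLM\Software <file>`; the name match alone should not be treated as a detection, since the legitimate Adobe Reader helper carries the same display name.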



Payload

Steals sensitive information

TrojanSpy:Win32/Banker.VCA logs user credentials for certain websites when they are accessed from the computer. It steals information by inserting IFrames into the monitored websites.

It steals information entered into websites whose names contain any of the following strings:

  • aut
  • bank
  • bankofamerica
  • comdirect
  • deu
  • facebook
  • fiducia.de
  • google
  • hotmail
  • live.com
  • microsoft
  • passport
  • skype
  • westpac
  • yahoo.com


It also steals information entered into the following websites:

  • .cajamadrid.es
  • .credit-agricole.fr/g1/ssl/identification
  • bancofarnet.bancofar.es
  • caixanova.es/
  • caixasabadell.net/banca
  • caixatarragona.es/servlet/GatewayServlet
  • credit-agricole.fr
  • desk.net-temps.com/login.html
  • ebanking.nationalirishbank.ie
  • ebanking.northernbank.co.uk
  • employer.dice.com/login_r.epl
  • ing.ingdirect.es
  • losangeles.jobing.com/recruiting
  • netbank.danskebank.dk
  • netbank.danskebank.dk/HB?
  • oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login
  • pccaja.lacajadecanarias.es
  • seguro.cam.es/camd
  • www.beyond.com/EMP/Login/Action/Login.asp
  • www.caixacatalunya.com
  • www.careercast.com/careers/user/setCredentials
  • www.mitnykredit.dk
  • www.personas.santanderrio.com.ar
  • www.ulsterbankanytimebanking.ie
  • www.washingtonpost.com/wl/jobs/EmployerUserServlet


It steals the following:

  • Information about your computer
  • Information about the browser that you are using
  • Data stored in your clipboard
  • Screenshots of your desktop and open windows
  • User credentials, including user names and passwords, for the monitored websites


Logs keystrokes

TrojanSpy:Win32/Banker.VCA has been observed logging keystrokes and mouse clicks. It saves the information in a randomly named file.

Removes security software

TrojanSpy:Win32/Banker.VCA looks for the file "rookscom.dll", which is a file associated with a third-party security product. If found, it attempts to prevent the file from being loaded by the browser.



Analysis by Zarestel Ferrer

Last update 28 February 2013
