
PWS:Win32/Banker.O


First posted on 29 February 2012.
Source: Microsoft

Aliases:

PWS:Win32/Banker.O is also known as Trojan/Win32.Banker (AhnLab), W32/Savnut.A.gen!Eldorado (Command), W32/Banker.FODC (Norman), Trojan horse PSW.Banker6.DRS (AVG), Trojan.PWS.Banker.59271 (Dr.Web), Trojan-Banker.Win32.Agent (Ikarus), Trojan-Banker.Win32.Agent.ejd (Kaspersky), PWS-Banker!gyr (McAfee), Troj/Spy-XS (Sophos), Trojan.ADH (Symantec), TROJ_SAVNUT.SMC (Trend Micro).

Explanation:

PWS:Win32/Banker.O is a trojan that may steal banking credentials, such as account numbers and passwords, from the affected computer.



Installation

PWS:Win32/Banker.O drops a copy of itself as the following file:

<system folder>\appconf32.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It modifies the following registry value so that its copy runs at every interactive logon. Winlogon executes each comma-separated entry in Userinit, so the legitimate userinit.exe still starts and the logon looks normal to the user:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<original data>,<system folder>\appconf32.exe"

where <original data> is the data before the malware changed it. For example, the default <original data> on Windows systems is "<system folder>\userinit.exe", which, on an affected computer, becomes:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\appconf32.exe"

When cleaning an affected computer, restore the original Userinit data rather than deleting the value; without userinit.exe in Userinit, interactive logons fail.

It may also create the following registry entries as part of its installation routine:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet
Sets value: "del"
With data: "<system folder>\appconf32.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh
Sets value: "prh"
With any of the following data:
"http://qgin<removed>ulmala.com"
"http://yyyf<removed>robots.com"
"http://qqse<removed>tehedel.com"

PWS:Win32/Banker.O also creates the following mutexes:

  • MainProcess
  • UpdateAppConf32


It may terminate itself if any of the following security-related processes are running:

  • K7Sysmon.exe
  • Mcvsshld.exe


Payload

Injects malicious code

PWS:Win32/Banker.O injects malicious code into all running processes, except for the following:

  • csrss.exe
  • iexplore.exe
  • lsass.exe
  • services.exe
  • smss.exe
  • srss.exe
  • system
  • winlogon.exe


Steals information

PWS:Win32/Banker.O steals the following information:

  • Bank-related cookies
  • Mozilla Firefox account information
  • Passwords for bank-related applications


It stores the stolen data in files in the following folders:

  • <system folder>\cock\
  • <system folder>\xmldm\


Terminates processes

PWS:Win32/Banker.O terminates the following processes, if they are currently running:

  • chrome.exe
  • firefox.exe
  • java.exe
  • msimn.exe
  • opera.exe
  • outlook.exe
  • reader_sl.exe
  • skype.exe
  • winMail.exe




Analysis by Patrick Estavillo

Last update 29 February 2012
