Home / malware TrojanSpy:Win32/Banker.AMH
First posted on 19 February 2014.
Source: MicrosoftAliases :
There are no other names known for TrojanSpy:Win32/Banker.AMH.
Explanation :
Threat behavior
Installation
TrojanSpy:Win32/Banker.AMH copies itself to c:\documents and settings\administrator\application data\bic_rulsw.exe. The malware changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Plugin Bic"
With data: "c:\documents and settings\administrator\application data\bic_rulsw.exe"
Payload
Contacts remote host
TrojanSpy:Win32/Banker.AMH might contact a remote host at smtps.bol.com.br using port 587. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 a76771a59ef16d0fa4c1f984eb86d1ca610d361a.Symptoms
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\documents and settings\administrator\application data\bic_rulsw.exe
- You see these entries or keys in your registry:
Sets value: "Windows Plugin Bic"
With data: "c:\documents and settings\administrator\application data\bic_rulsw.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunLast update 19 February 2014
