TrojanSpy:Win32/Banker.YL
First posted on 06 September 2011.
Source: SecurityHome
Aliases:
TrojanSpy:Win32/Banker.YL is also known as Win32/Spy.Delf.OVZ trojan (ESET), Trojan.Win32.Scar (Ikarus), Trojan.Win32.Scar.ecyn (Kaspersky).
Explanation:
TrojanSpy:Win32/Banker.YL is a trojan that steals user credentials when the user visits certain websites. It then sends the stolen credentials to a remote attacker via an online form.
Installation
When executed, TrojanSpy:Win32/Banker.YL drops a copy of itself as the following:
- %USERPROFILE%\aviraautoloader.exe
It also creates a mutex named "LoginMailEXX0089".
TrojanSpy:Win32/Banker.YL also creates the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Avira_Loader"
With data: "%USERPROFILE%\aviraautoloader.exe"
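A host check for the installation indicators listed above (Run key value, dropped file, mutex), added here as an example and not part of the original analysis. The function names are mine; because the Run key lives under HKLM while the file path depends on which user ran the trojan, the script looks in every profile directory rather than only the current user's.

```powershell
# Added example: scan this host for the TrojanSpy:Win32/Banker.YL indicators
# described in the write-up. Function names are assumptions, not from the report.
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Avira_Loader'
$DropName  = 'aviraautoloader.exe'
$MutexName = 'LoginMailEXX0089'

function Get-BankerYLRunValue {
    # Returns the data of the autorun value when present, otherwise $null.
    $item = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$ValueName }
    return $null
}

function Get-BankerYLDroppedFiles {
    # The malware writes to %USERPROFILE% of whoever executed it, so check the
    # parent of the current profile (C:\Users or Documents and Settings) for every profile.
    $profilesRoot = Split-Path -Path $env:USERPROFILE -Parent
    Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $DropName } |
        Where-Object { Test-Path -LiteralPath $_ }
}

function Test-BankerYLMutex {
    # OpenExisting succeeds only if a process in this session currently holds the mutex.
    # An access-denied error still means the mutex exists; "cannot be opened" means it does not.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

$findings = @()
$runData = Get-BankerYLRunValue
if ($runData) { $findings += "Run value '$ValueName' present, data: $runData" }
foreach ($f in Get-BankerYLDroppedFiles) { $findings += "Dropped file present: $f" }
if (Test-BankerYLMutex) { $findings += "Mutex '$MutexName' held by a running process" }

if ($findings.Count -eq 0) {
    Write-Output 'No TrojanSpy:Win32/Banker.YL indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated session on the suspect host; a mutex created in another logon session is not visible to OpenExisting, so an absent mutex does not by itself clear the machine.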
Payload
Steals user credentials
TrojanSpy:Win32/Banker.YL monitors open Internet Explorer and Firefox windows for window titles containing the following strings:
- Blogger.com
- Brasil's Ministry of Justice - SENASP
- checkcheck.com
- Equifax
- globo.com
- hotmail
- ig.com.br
- Serasaexperian.com.br
- terra.com.br
- UOL.com
If found, it attempts to log the credentials typed by the user. It then attempts to send these login details via an online form located on the server "brasilinstrumental.com.br".
The online form may be sent to any of the following email addresses:
- ner<removed>2011@gmail.com
- esedsons<removed>@gmail.com
- taty<removed>ocinha@gmail.com
Analysis by Andrei Florin Saygo
Last update 06 September 2011