TrojanProxy:BAT/Banker.B
First posted on 23 May 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanProxy:BAT/Banker.B.
Explanation:
TrojanProxy:BAT/Banker.B is a trojan that redirects access to certain banking and personal websites through a proxy server. This means that your sensitive information passes through an unauthorized server, which may capture it and use it for malicious purposes.
Installation
TrojanProxy:BAT/Banker.B is the detection for the following files:
- %Temp%\nova.bat - main payload file
- %Temp%\axupdatems.exe - batch file dropper
It creates the following registry entry to ensure that it runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ActiveX Update"
With data: "%Temp%\axupdatems.exe"
Payload
Redirects Internet traffic
TrojanProxy:BAT/Banker.B redirects Internet traffic through the server "driver.linetimex.org" via port 80 if you access any of the following websites:
- americanexpress.com
- americanexpress.com.br
- bancobrasil.com.br
- bancodobrasil.com.br
- bancoreal.com.br
- banese.b.br
- bb.com
- bb.com.br
- bradesco.com
- bradesco.com.br
- bradescoprime.com.br
- cetelem.com.br
- citibank.com.br
- credicard.com.br
- gmail.com
- gmail.com.br
- hotmail.com
- hotmail.com.br
- hsbc.com.br
- itau.com.br
- itaupersonnalite.com.br
- itauprivatebank.com.br
- itauuniclass.com
- itauuniclass.com.br
- paypal.com
- paypal.com.br
- real.com.br
- santander.com.br
- santanderbanespa.com.br
- santanderempresarial.com.br
- serasa.com.br
- serasaexperoan.com.br
- sicredcred.com.br
- tam.com.br
It also tries to connect to the website "sivellongrupp.ee" to download a new configuration file containing other proxy server URLs and ports.
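The following host-triage script is an added example and is not part of the Microsoft write-up; it checks a Windows machine for the persistence, file and proxy indicators described above. It assumes an elevated PowerShell 5.1+ session, and it inspects the per-user Internet Settings and WinHTTP proxy because those are plausible places a batch file could point traffic at the named server (the write-up does not state the exact redirection mechanism).

```powershell
# Added triage script for TrojanProxy:BAT/Banker.B indicators (not from the original write-up).
# Assumption: run elevated on Windows with PowerShell 5.1 or later.

$findings = @()

# 1. Run-key persistence: value "ActiveX Update" pointing at %Temp%\axupdatems.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'ActiveX Update'
if ($runVal) {
    $findings += "Run value 'ActiveX Update' present: $runVal"
}

# 2. Dropped files in %Temp%. %Temp% is per-user, so every profile's Temp folder is checked.
$names = 'nova.bat', 'axupdatems.exe'
$tempDirs = @($env:TEMP) + (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($dir in ($tempDirs | Select-Object -Unique)) {
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "File present: $p (SHA256 $h)"
        }
    }
}

# 3. Proxy configuration referencing the redirection server named in the write-up.
#    Assumption: the batch file sets a WinINET or WinHTTP proxy; other mechanisms are not covered here.
$proxyHost = 'driver.linetimex.org'
$isKey = 'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $isKey -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        $v = $_.$name
        if ($v -and $v -match [regex]::Escape($proxyHost)) {
            $findings += "$name under $($_.PSPath) references $proxyHost : $v"
        }
    }
}
$winhttp = netsh winhttp show proxy 2>$null
if ($winhttp -match [regex]::Escape($proxyHost)) {
    $findings += "WinHTTP proxy references $proxyHost"
}

if ($findings.Count -eq 0) {
    'No TrojanProxy:BAT/Banker.B indicators found.'
} else {
    $findings
}
```

A hit on the Run value or either file is a strong signal; a proxy hit alone should be confirmed against the host's expected proxy configuration before acting.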
Analysis by Hong Jia
Last update 23 May 2012