Home / malware Trojan-Spy:W32/Banker.GMH
First posted on 07 December 2007.
Source: SecurityHomeAliases :
Trojan-Spy:W32/Banker.GMH is also known as Trojan-Spy.Win32.Banker.gmh.
Explanation :
This Trojan steals banking information and has the capability to update itself.
- %windir%sflash.dll - detected as Trojan-Spy.Win32.Banker.gmh
Note: %windir% is by default, C:Windows.
It checks to see if iexplore.exe is running. If it isn't, it will run IE in the background and will inject the dropped DLL file as a Browser Helper Object.
It creates these auto-start registry keys:
- HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Shockwave Flash = Rundll32.exe sflash.dll,Init
- HKLMSoftwareClassesCLSID{32C18258-23D0-41b0-A87D-2672ABFB5366}
- HKLMSoftwareClassesCLSID{32C18258-23D0-41b0-A87D-2672ABFB5366}InprocServer32
- HKLMSoftwareMicrosoftWindowsCurrentVersionExplorer
Browser Helper Objects{32C18258-23D0-41b0-A87D-2672ABFB5366}
It downloads the following file:
- http://69.6.202.56/.fp/[REMOVED].exe
- Trojan-Spy:W32/Banker.HYN
It saves the file as %temp%aol92.exe and executes it.
Note: %temp% is normally C:Documents and Settings\Local SettingsTemp.
This malware monitors the URLs visited by the user. If the visited URL has the following banking-related strings, it will start collecting information:
- .ub-businessonline.
- ach-cdc1.theonenet.com
- amegytreasurymanagement.com
- banking.calbanktrust.com
- banking.commercebank.com
- bankofinternet.com
- business.ml.com
- businesse-cashmanager
- businessonline.blilk.com
- cashproweb
- ceowt.wellsfargo.com
- commercetreasurydirect.com
- commercial.wachovia.com
- communityresourcebank.com
- direct.bankofamerica.com
- ebanking-services.com
- ecash.fsbnm.com/cashman/
- enterprise2.openbank.com
- firstmutualonline.com
- itreasury.amsouth.com
- myib.firstmerchants.com
- nationalcity.com/corporate
- nationalcity.com/dashboard
- onlinencr.com/online/cbandt/business
- onlinetreasurymanager.
- secure.republicfederal.com
- server52.cey-ebanking.com
- sterlingonline.banksterling.com
- sterlingonline.banksterling.com
- svbconnect
- treasury.pncbank
- wainwrightbank.com/html/business
- wc.wachovia.com/
- wcm71.webcashmgmt.com
- wcma.businesscenter
- webbankingforbusiness
- webcashmanager.com
- webcashmgmt.com
- wellsoffice.wellsfargo.com
- wires.theonenet.com
- ws.ecorphost.net
- www.directline4biz.com
- www.enternetbank.com/ewb/
Stolen information will then be sent to the following link using http POST command:
- http://203.121.69.232/OOO6/[REMOVED].php
Last update 07 December 2007