
TrojanSpy:Win32/Banker.ABG


First posted on 08 November 2011.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Banker.ABG is also known as Trojan.PWS.Banker!CBrrVopzxqM (VirusBuster), Trojan.PWS.Banker.60406 (Dr.Web), Win32/Spy.Delf.OWL trojan (ESET), Trojan-Banker.Win32.Banker.skjd (Kaspersky), Generic PWS.y!dmm (McAfee), TSPY_DELF.VTG (Trend Micro).

Explanation:

TrojanSpy:Win32/Banker.ABG is a trojan that downloads other files and has the ability to steal sensitive information, such as usernames and passwords, when the user accesses certain online banking websites.





Installation

When executed, TrojanSpy:Win32/Banker.ABG creates the following registry entry so that it executes every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
With data: "<malware path and file name>"

TrojanSpy:Win32/Banker.ABG downloads a TXT file (usually "pid.txt"). This TXT file contains encrypted URLs from which other files are downloaded.

In the wild, the TXT file has been known to be available for download from the following servers:

  • 184.173.118.50
  • 50.23.205.178


One of the files that this malware downloads is a DLL file, which is also detected as TrojanSpy:Win32/Banker.ABG.

This downloaded DLL component is usually dropped in the Windows System folder under one of the following file names, and is then registered as a Browser Helper Object (BHO):

  • rEvents.dll
  • windowsinstaller.dll
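The installation behaviour above leaves three checkable traces: the HKCU Run value named "Update", a BHO whose InProcServer32 DLL carries one of the two file names, and outbound requests to the two download servers for "pid.txt". The following script is an added example and is not part of the original analysis: it parses a constructed `reg export` dump and constructed proxy log lines (both embedded below as sample data, not real captures) and reports matches against the indicators this write-up names. The CLSIDs, client addresses, timestamps and paths in the sample data are invented for illustration.

```python
"""Check constructed registry and proxy-log samples for the indicators named
in the TrojanSpy:Win32/Banker.ABG write-up. Added example; all sample data is
constructed and the CLSIDs/paths/addresses in it are invented."""
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Update"
BHO_DLLS = {"revents.dll", "windowsinstaller.dll"}
DOWNLOAD_SERVERS = {"184.173.118.50", "50.23.205.178"}
DOWNLOAD_FILE = "pid.txt"

# Constructed sample in `reg export` format (CLSIDs and paths are invented)
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Update"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Sample BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Benign helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Windows\\System32\\rEvents.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Program Files\\Example\\helper.dll"
"""

# Constructed proxy log lines: timestamp client method url status
SAMPLE_PROXY_LOG = """\
1320739200.123 10.0.0.5 GET http://184.173.118.50/pid.txt 200
1320739201.456 10.0.0.5 GET http://www.itau.com.br/ 200
1320739202.789 10.0.0.7 GET http://50.23.205.178/files/x.dll 200
1320739203.000 10.0.0.9 GET http://example.com/update/pid.txt 404
"""

_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
_BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$", re.IGNORECASE)
_SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$", re.IGNORECASE)
_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def parse_reg_export(text):
    """Parse `reg export` text into {key: {value_name: data}}.
    REG_SZ data is unquoted and unescaped; the default value is stored as "@"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_run_persistence(reg):
    """Return [(value_name, data)] for the HKCU Run value named "Update"."""
    hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        hits.extend((n, d) for n, d in values.items() if n.lower() == RUN_VALUE_NAME.lower())
    return hits


def find_bho_dlls(reg):
    """Resolve each registered BHO CLSID to its InProcServer32 DLL and return
    [(clsid, dll_path)] for DLLs whose file name the write-up names."""
    servers = {}
    for key, values in reg.items():
        m = _SERVER_RE.search(key)
        if m and "@" in values:
            servers[m.group(1).lower()] = values["@"]
    hits = []
    for key in reg:
        m = _BHO_RE.search(key)
        if not m:
            continue
        clsid = m.group(1).lower()
        path = servers.get(clsid, "")
        if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in BHO_DLLS:
            hits.append((clsid, path))
    return hits


def find_download_activity(log_lines):
    """Flag proxy entries that reach a named download server or fetch the
    downloader's configuration file name; returns [{client, url, reasons}]."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        reasons = []
        if parts.hostname in DOWNLOAD_SERVERS:
            reasons.append("known download server")
        if parts.path.rsplit("/", 1)[-1].lower() == DOWNLOAD_FILE:
            reasons.append("downloader configuration file name")
        if reasons:
            hits.append({"client": m.group("client"), "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print("Run persistence:", find_run_persistence(reg))
    print("Suspicious BHOs:", find_bho_dlls(reg))
    print("Download activity:", find_download_activity(SAMPLE_PROXY_LOG.splitlines()))
```

The registry checks are deliberately tied together: a Run value named "Update" is weak on its own, so the BHO lookup resolves the CLSID through HKCR to the actual DLL path and only fires on the two file names from this analysis. The log match on "pid.txt" alone (the example.com line) is reported with a single reason so an analyst can rank it below hits on the named servers.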


Payload

Deletes files

TrojanSpy:Win32/Banker.ABG deletes the following files if they are found on the infected system. The file paths are hardcoded in the malware body and use the Portuguese-localized Windows folder names, so the deletion only succeeds on a Portuguese-language installation.

  • C:\Arquivos de Programas\mozilla firefox\firefox.exe
  • C:\Arquivos de Programas\opera\opera.exe
  • %USER%\Configurações locais\Dados de aplicativos\Google\Chrome\Application\Chrome.exe


Steals information

The DLL component monitors Internet Explorer to check if any of the following websites are accessed; these websites are associated with users in Brazil:

  • Banco Itaú - http://www.itau.com.br
  • Banco Votorantim - http://www.bancovotorantim.com.br
  • Banese - http://www.banese.com.br
  • Banrisul - http://www.banrisul.com.br
  • Bradesco - http://www.bradesco.com.br
  • Caixa - http://www.caixa.gov.br
  • Cetip - http://www.cetip.com.br
  • HSBC - http://www.hsbc.com.br
  • Orkut - http://www.orkut.com.br
  • Santander - http://www.santander.com.br
  • Sicredi - http://www.sicredi.com.br


This malware steals sensitive information, such as usernames and passwords, by creating a fake window on top of Internet Explorer when the login page of any of the previously mentioned websites is accessed.

The fake windows shown in the original analysis (screenshots not reproduced here) imitated the login pages of the following sites:

  • Banese
  • Bradesco
  • Caixa
  • Cetip
  • HSBC
  • Itau
  • Santander

The stolen information is then sent back to a remote server.

Sends spam messages

TrojanSpy:Win32/Banker.ABG also attempts to send spam messages to all of the user's Google Mail and Windows Live contacts.



Analysis by Ric Robielos

Last update 08 November 2011
