Home / malwarePDF  

TrojanSpy:Win32/Banker.AMP


First posted on 22 May 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanSpy:Win32/Banker.AMP.

Explanation :

Threat behavior

Installation

TrojanSpy:Win32/Banker.AMP creates the following files on your PC:

  • %windir% \assembly\nativeimages_v2.0.50727_32\temp\zap10.tmp\system.directoryservices.accountmanagement.dll
  • %windir% \assembly\nativeimages_v2.0.50727_32\temp\zape.tmp\system.data.services.client.dll
  • %windir% \assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\system.data.services.design.dll
  • \gmserv32.dll
  • \kb32097.bat
  • c:\documents and settings\administrator\application data\aa.exe - detected as TrojanSpy:Win32/Banker.AMP
  • c:\documents and settings\administrator\local settings\temp\adapter1.log
  • c:\documents and settings\administrator\local settings\temp\temp\dd.exe - detected as TrojanSpy:Win32/Banker.AMP
  • c:\documents and settings\administrator\local settings\temp\temp\server.exe
The malware modifies the following registry entry so that c:\documents and settings\administrator\application data\aa.exe it runs each time you start your PC:

Sets value: "banker"
With data: "c:\documents and settings\administrator\application data\aa.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Payload

Contacts remote host

TrojanSpy:Win32/Banker.AMP might contact a remote host at vip1.zyns.com using port 8080. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 319330c60d4d3b5ad00ea4c2e6ec828350d50afa.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    %windir%\assembly\nativeimages_v2.0.50727_32\temp\zap10.tmp\system.directoryservices.accountmanagement.dll
    %windir%\assembly\nativeimages_v2.0.50727_32\temp\zape.tmp\system.data.services.client.dll
    %windir%\assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\system.data.services.design.dll
    \gmserv32.dll
    \kb32097.bat
    c:\documents and settings\administrator\application data\aa.exe
    c:\documents and settings\administrator\local settings\temp\adapter1.log
    c:\documents and settings\administrator\local settings\temp\temp\dd.exe
    c:\documents and settings\administrator\local settings\temp\temp\server.exe
  • You see these entries or keys in your registry:

    Sets value: "banker"
    With data: "c:\documents and settings\administrator\application data\aa.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Last update 22 May 2014

 

TOP

Malware :

Family: