F-Secure Virus Descriptions : Banker




NAME:Banker
ALIAS:Trojan-Spy.Win32.Banker

Summary

Banker is a family of spying trojans that try to steal the information required to access certain on-line banks' and on-line payment systems' websites. Banker trojans usually steal logins, passwords, PINs, check words and other information related to logging in to bank websites.

The stolen information is usually uploaded to a hacker's website using a webform. The most exposed users are those of on-line banks and payment systems whose logins and passwords do not change every time the user logs on: a stolen static password can be replayed at will. That is why many banks are now switching to one-time passwords that expire once used. Judging by its name, at least one of the fields this variant captures (i_acOneTime1) carries such a one-time value, so a grabber that forwards its take quickly enough still gets a short window in which to use it.

VARIANT:Trojan-Spy.Win32.Banker.vt
ALIAS:PWSteal.Jginko
SIZE:65536

Detailed Description

Banker.vt is a spying trojan that targets Japanese banks. The trojan's file is a PE executable 65536 bytes long; it is not packed with any file compressor, which is rare nowadays, since most malware is packed.

When run, the trojan installs itself on the system. It copies its file to the root of the C: drive as SYSTEM.EXE and creates a startup value for that file in the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "system.exe" = "c:\system.exe"

This is done to run the trojan's file every time Windows starts.

The trojan also deletes the Zone.Identifier alternate data stream of its file. That stream is the mark Windows attaches to files downloaded from the Internet, and removing it suppresses the warning the user would otherwise see when the file is run. This trick is not commonly used in present-day malware.
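A host-side triage check for the persistence just described, added here as an example and not part of the F-Secure write-up. It parses the text that 'reg export' produces for the HKCU Run key (the dump below is constructed; the OneDrive and ctfmon entries are made-up benign neighbours) and flags any value whose image path sits in the root of a drive, plus the exact c:\system.exe path from the description. Everything other than the Run value itself is an assumption for illustration.

```python
"""Triage check for the Banker.vt persistence mechanism.

Added example (not F-Secure's code): parse a 'reg export' dump of the
HKCU Run key and flag values whose command runs an executable from the
root of a drive, as "system.exe" = "c:\\system.exe" does.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg export HKCU\...\Run run.reg` produces
# (on disk the file is UTF-16LE; decode it before feeding it in).  The
# OneDrive and ctfmon entries are made-up benign neighbours.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"system.exe"="c:\\system.exe"
'''

KNOWN_BAD_PATHS = {r"c:\system.exe"}          # image path from the write-up
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string syntax: a backslash escapes the next character (\\ and \")
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value name: command} for every string value under a Run/RunOnce key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]").lower()
            in_run = key.endswith((r"\currentversion\run", r"\currentversion\runonce"))
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def image_path(command):
    """The executable a Run command launches: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end if end > 0 else None]
    # An unquoted path containing spaces is ambiguous; the first token is the
    # usual triage approximation.
    return command.split(None, 1)[0] if command else ""


def suspicious_run_entries(values):
    """Return [(name, image path, [reasons])] for entries worth a second look."""
    findings = []
    for name, command in values.items():
        path = PureWindowsPath(image_path(command))
        reasons = []
        # parts == (drive anchor, file name): the executable lives in the drive root
        if path.anchor and len(path.parts) == 2:
            reasons.append("executable sits in the root of drive " + path.anchor)
        if str(path).lower() in KNOWN_BAD_PATHS:
            reasons.append("matches the Banker.vt image path")
        if reasons:
            findings.append((name, str(path), reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f'"{name}" -> {path}: {"; ".join(reasons)}')
```

On a live host the same function can be run over the real export (decode the UTF-16 file first). The Zone.Identifier part of the description is a separate check: on the suspect file, PowerShell's Get-Item with the -Stream parameter lists the alternate data streams, and a freshly downloaded executable with no Zone.Identifier stream is itself a small signal.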

While active, the trojan monitors web browser activity and activates its spying component when a page on any of the following hosts is opened:

 direct3.smbc.co.jp
 direct.smbc.co.jp
 www.japannetbank.co.jp
 fes.ebank.co.jp
 www-ihs.yu-cho.japanpost.jp
 www.ufjbank.co.jp
 sso.ufjbank.co.jp
 direct.btm.co.jp
 direct02.btm.co.jp
 web.ib.mizuhobank.co.jp
 web1.ib.mizuhobank.co.jp
 web2.ib.mizuhobank.co.jp
 web3.ib.mizuhobank.co.jp
 web4.ib.mizuhobank.co.jp
 web5.ib.mizuhobank.co.jp
 direct.resonabank.co.jp
 www.resonabank.anser.or.jp
 directa03.shinseibank.co.jp
 ib.iy-bank.co.jp
 www.shinkinbanking.com
 houjin.shinkinbanking.com
 www.shinkin-webfb-hokkaido.jp
 www.shinkin-webfb.jp
 www2.paweb.anser.or.jp
 www.caweb.anser.or.jp
 direct.hokugin.co.jp
 www.web-fb.com
 net.gunmabank.co.jp
 www.105bank.com
 okbnetplaza.com
 www.suitebank.finemax.net
 www2.ib-center.gr.jp
 www4.cyber-biz.ne.jp
 www4a.cyber-biz.ne.jp
 www7.cyber-biz.ne.jp
 www8b.cyber-biz.ne.jp
 www9a.cyber-biz.ne.jp
 www9b.cyber-biz.ne.jp
 www9c.cyber-biz.ne.jp
 www9d.cyber-biz.ne.jp
 www10a.cyber-biz.ne.jp
 www10b.cyber-biz.ne.jp
 www10c.cyber-biz.ne.jp
 www10d.cyber-biz.ne.jp
 www11a.cyber-biz.ne.jp
 www11b.cyber-biz.ne.jp
 www12a.cyber-biz.ne.jp
 www12b.cyber-biz.ne.jp
 www12c.cyber-biz.ne.jp
 www12d.cyber-biz.ne.jp
 www13a.cyber-biz.ne.jp
 www13c.cyber-biz.ne.jp
 www13d.cyber-biz.ne.jp
 www14a.cyber-biz.ne.jp

The spying component looks for data entered by the user in the following form fields:

 BPW0010
 tb_conf
 PWD_PINNUMBER
 Anshu2
 KeiyakuNo
 logonPwd
 pw
 loginPwd
 passwd
 loginPassword
 PIN
 Password
 WGLI020
 S007
 Pwd1
 S023
 dat_0
 i_acFstCodenum
 i_acOneTime1
 BPW0020
 i_pwd
 LgnPwd
 fldUserNumId
 AG00010
 EWF_ENTRY_InputValiable1
 PWD_PASSWORD
 log_pass
 OLD_PASSWORD
 USER_PASSWORD
 LOGIN_PASSWORD
 passwordOLD
 recognitionPassword
 password
 CHK_PASSWORD
 PASSWD2_1
 PASSWORD
 FurikomiKin
 Ransu1
 Pw

The stolen data is uploaded using a webform to a hacker's website:

 park23.wakwak.com

The hacker gets the stolen data together with the URL of the webpage it was stolen from.
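Turning the two lists above into a detection, as an added example that is not part of the F-Secure write-up: the trojan only reads the named fields on the listed bank hosts and then posts them, with the page URL, somewhere else. Seen from an egress proxy, the inverse is a usable heuristic: a POST that carries those field names, or a targeted bank URL, to a host that is not one of the banks deserves an alert. The sample requests, the login path on the bank host and the /form.cgi path on the drop host are constructed, and the optional referer argument assumes the proxy log records one.

```python
"""Egress-side check for Banker.vt-style form grabbing.

Added example, not part of the F-Secure write-up.  The trojan captures
the named fields on the listed bank hosts and uploads them, plus the page
URL, to a different host.  Turned around, that gives a proxy-log
heuristic: a POST carrying those field names or a targeted bank URL to a
host that is not one of the banks is worth an alert.
"""
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hosts the trojan watches for (from the write-up).
TARGET_HOSTS = frozenset("""
direct3.smbc.co.jp direct.smbc.co.jp www.japannetbank.co.jp fes.ebank.co.jp
www-ihs.yu-cho.japanpost.jp www.ufjbank.co.jp sso.ufjbank.co.jp direct.btm.co.jp
direct02.btm.co.jp web.ib.mizuhobank.co.jp web1.ib.mizuhobank.co.jp
web2.ib.mizuhobank.co.jp web3.ib.mizuhobank.co.jp web4.ib.mizuhobank.co.jp
web5.ib.mizuhobank.co.jp direct.resonabank.co.jp www.resonabank.anser.or.jp
directa03.shinseibank.co.jp ib.iy-bank.co.jp www.shinkinbanking.com
houjin.shinkinbanking.com www.shinkin-webfb-hokkaido.jp www.shinkin-webfb.jp
www2.paweb.anser.or.jp www.caweb.anser.or.jp direct.hokugin.co.jp www.web-fb.com
net.gunmabank.co.jp www.105bank.com okbnetplaza.com www.suitebank.finemax.net
www2.ib-center.gr.jp www4.cyber-biz.ne.jp www4a.cyber-biz.ne.jp www7.cyber-biz.ne.jp
www8b.cyber-biz.ne.jp www9a.cyber-biz.ne.jp www9b.cyber-biz.ne.jp www9c.cyber-biz.ne.jp
www9d.cyber-biz.ne.jp www10a.cyber-biz.ne.jp www10b.cyber-biz.ne.jp www10c.cyber-biz.ne.jp
www10d.cyber-biz.ne.jp www11a.cyber-biz.ne.jp www11b.cyber-biz.ne.jp www12a.cyber-biz.ne.jp
www12b.cyber-biz.ne.jp www12c.cyber-biz.ne.jp www12d.cyber-biz.ne.jp www13a.cyber-biz.ne.jp
www13c.cyber-biz.ne.jp www13d.cyber-biz.ne.jp www14a.cyber-biz.ne.jp
""".split())

# Form fields the spying component captures (from the write-up); matching is
# case-sensitive, as the list itself is.
CAPTURED_FIELDS = frozenset("""
BPW0010 tb_conf PWD_PINNUMBER Anshu2 KeiyakuNo logonPwd pw loginPwd passwd
loginPassword PIN Password WGLI020 S007 Pwd1 S023 dat_0 i_acFstCodenum i_acOneTime1
BPW0020 i_pwd LgnPwd fldUserNumId AG00010 EWF_ENTRY_InputValiable1 PWD_PASSWORD
log_pass OLD_PASSWORD USER_PASSWORD LOGIN_PASSWORD passwordOLD recognitionPassword
password CHK_PASSWORD PASSWD2_1 PASSWORD FurikomiKin Ransu1 Pw
""".split())

# Names generic enough to appear on any login form; alone they are not evidence.
GENERIC_FIELDS = frozenset("pw Pw PIN passwd password Password PASSWORD".split())


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def bank_hosts_in(body):
    """Targeted bank hostnames mentioned anywhere in a URL-encoded POST body."""
    text = unquote_plus(body).lower()
    return sorted(h for h in TARGET_HOSTS if h in text)


def assess_post(url, body, referer=None):
    """Classify one outbound POST; the 'alert' key is the verdict."""
    dest = host_of(url)
    result = {"dest": dest, "hits": [], "bank_hosts": [], "alert": False}
    if dest in TARGET_HOSTS:
        return result                       # credentials going to the bank itself
    fields = {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    result["hits"] = sorted(fields & CAPTURED_FIELDS)
    banks = set(bank_hosts_in(body))
    if referer and host_of(referer) in TARGET_HOSTS:
        banks.add(host_of(referer))
    result["bank_hosts"] = sorted(banks)
    # Alert on a field name specific to one of the bank sites, or on any sign
    # that the data came from a bank page; a lone "password" field on its way
    # to a webmail host is normal traffic.
    specific = set(result["hits"]) - GENERIC_FIELDS
    result["alert"] = bool(specific or banks)
    return result


# Constructed sample traffic; both URL paths are made up.
SAMPLE_POSTS = [
    # 1. genuine login: credential fields going to the bank itself
    ("https://direct.smbc.co.jp/login", "KeiyakuNo=1234567890&logonPwd=hunter2&PIN=9876", None),
    # 2. upload in the shape the write-up describes: the captured fields plus
    #    the URL they were taken from, posted to the drop host
    ("http://park23.wakwak.com/form.cgi",
     "url=https%3A%2F%2Fdirect.smbc.co.jp%2Flogin&KeiyakuNo=1234567890&logonPwd=hunter2&PIN=9876", None),
    # 3. unrelated browsing
    ("https://www.example.com/search", "q=timetable&page=2", None),
]

if __name__ == "__main__":
    for url, body, ref in SAMPLE_POSTS:
        r = assess_post(url, body, ref)
        print(f'{"ALERT" if r["alert"] else "ok   "} {r["dest"]} hits={r["hits"]} banks={r["bank_hosts"]}')
```

The two-signal design matters: the field list contains names such as password and PIN that appear on every second login form, so on their own they would fire on webmail and shopping logins; the bank-specific names and the bank URL the trojan sends along with the data are what make the upload distinguishable.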


Detection

Detection for Banker.vt spying trojan was published in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2005-07-08_04



Write-up and Technical Details: Alexey Podrezov, July 20th, 2005;

F-Secure Corporation