|
|
|  |
|
|
|
|
F-Secure Malware Information Pages: Trojan-Spy:W32/Banker.GMH

|
|
|
| Radar |
 |
|
|
|
Summary
|
| This Trojan steals banking information and has the capability to update itself. |
|
|
|
Detailed Description
|
Upon execution, this malware drops the following file:
- %windir%\sflash.dll - detected as Trojan-Spy.Win32.Banker.gmh
Note: %windir% is by default, C:\Windows.
It checks to see if iexplore.exe is running. If it isn't, it will run IE in the background and will inject the dropped DLL file as a Browser Helper Object.
It creates these auto-start registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Shockwave Flash = Rundll32.exe sflash.dll,Init
- HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}
- HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}\InprocServer32
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
\Browser Helper Objects\{32C18258-23D0-41b0-A87D-2672ABFB5366}
It downloads the following file:
- http://69.6.202.56/.fp/[REMOVED].exe
- Trojan-Spy:W32/Banker.HYN It saves the file as %temp%\aol92.exe and executes it. Note: %temp% is normally C:\Documents and Settings\\Local Settings\Temp.
This malware monitors the URLs visited by the user. If the visited URL has the following banking-related strings, it will start collecting information:
- .ub-businessonline.
- ach-cdc1.theonenet.com
- amegytreasurymanagement.com
- banking.calbanktrust.com
- banking.commercebank.com
- bankofinternet.com
- business.ml.com
- businesse-cashmanager
- businessonline.blilk.com
- cashproweb
- ceowt.wellsfargo.com
- commercetreasurydirect.com
- commercial.wachovia.com
- communityresourcebank.com
- direct.bankofamerica.com
- ebanking-services.com
- ecash.fsbnm.com/cashman/
- enterprise2.openbank.com
- firstmutualonline.com
- itreasury.amsouth.com
- myib.firstmerchants.com
- nationalcity.com/corporate
- nationalcity.com/dashboard
- onlinencr.com/online/cbandt/business
- onlinetreasurymanager.
- secure.republicfederal.com
- server52.cey-ebanking.com
- sterlingonline.banksterling.com
- sterlingonline.banksterling.com
- svbconnect
- treasury.pncbank
- wainwrightbank.com/html/business
- wc.wachovia.com/
- wcm71.webcashmgmt.com
- wcma.businesscenter
- webbankingforbusiness
- webcashmanager.com
- webcashmgmt.com
- wellsoffice.wellsfargo.com
- wires.theonenet.com
- ws.ecorphost.net
- www.directline4biz.com
- www.enternetbank.com/ewb/
Stolen information will then be sent to the following link using http POST command:
- http://203.121.69.232/OOO6/[REMOVED].php
|
|
|
|
F-Secure Corporation |
|
|
|
|
|
Last Modified: December 05, 2007
|
|
|
|
|