F-Secure
Tools
Trojan-Spy:W32/Banker.GMH
| Name : | Trojan-Spy:W32/Banker.GMH |
| Category: | Malware |
| Type: | Trojan-Spy |
| Platform: | W32 |
Summary
This Trojan steals banking information and has the capability to update itself.
Additional Details
Upon execution, this malware drops the following file:
Note: %windir% is by default, C:\Windows.
It checks to see if iexplore.exe is running. If it isn't, it will run IE in the background and will inject the dropped DLL file as a Browser Helper Object.
It creates these auto-start registry keys:
It downloads the following file:
It saves the file as %temp%\aol92.exe and executes it.
Note: %temp% is normally C:\Documents and Settings\\Local Settings\Temp.
This malware monitors the URLs visited by the user. If the visited URL has the following banking-related strings, it will start collecting information:
Stolen information will then be sent to the following link using http POST command:
• %windir%\sflash.dll - detected as Trojan-Spy.Win32.Banker.gmh
Note: %windir% is by default, C:\Windows.
It checks to see if iexplore.exe is running. If it isn't, it will run IE in the background and will inject the dropped DLL file as a Browser Helper Object.
It creates these auto-start registry keys:
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Shockwave Flash = Rundll32.exe sflash.dll,Init
Shockwave Flash = Rundll32.exe sflash.dll,Init
• HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}
• HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}\InprocServer32
• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
\Browser Helper Objects\{32C18258-23D0-41b0-A87D-2672ABFB5366}
\Browser Helper Objects\{32C18258-23D0-41b0-A87D-2672ABFB5366}
It downloads the following file:
• http://69.6.202.56/.fp/[REMOVED].exe
- Trojan-Spy:W32/Banker.HYN
- Trojan-Spy:W32/Banker.HYN
It saves the file as %temp%\aol92.exe and executes it.
Note: %temp% is normally C:\Documents and Settings\\Local Settings\Temp.
This malware monitors the URLs visited by the user. If the visited URL has the following banking-related strings, it will start collecting information:
• .ub-businessonline.
• ach-cdc1.theonenet.com
• amegytreasurymanagement.com
• banking.calbanktrust.com
• banking.commercebank.com
• bankofinternet.com
• business.ml.com
• businesse-cashmanager
• businessonline.blilk.com
• cashproweb
• ceowt.wellsfargo.com
• commercetreasurydirect.com
• commercial.wachovia.com
• communityresourcebank.com
• direct.bankofamerica.com
• ebanking-services.com
• ecash.fsbnm.com/cashman/
• enterprise2.openbank.com
• firstmutualonline.com
• itreasury.amsouth.com
• myib.firstmerchants.com
• nationalcity.com/corporate
• nationalcity.com/dashboard
• onlinencr.com/online/cbandt/business
• onlinetreasurymanager.
• secure.republicfederal.com
• server52.cey-ebanking.com
• sterlingonline.banksterling.com
• sterlingonline.banksterling.com
• svbconnect
• treasury.pncbank
• wainwrightbank.com/html/business
• wc.wachovia.com/
• wcm71.webcashmgmt.com
• wcma.businesscenter
• webbankingforbusiness
• webcashmanager.com
• webcashmgmt.com
• wellsoffice.wellsfargo.com
• wires.theonenet.com
• ws.ecorphost.net
• www.directline4biz.com
• www.enternetbank.com/ewb/
Stolen information will then be sent to the following link using http POST command:
• http://203.121.69.232/OOO6/[REMOVED].php