Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Trojan-Spy:W32/Banker.GMH
[Summary] | [Detailed Description]

Name : Trojan-Spy:W32/Banker.GMH
Alias:Trojan-Spy.Win32.Banker.gmh
Type:Trojan-Spy
Category:Malware
Platform:W32
Radar

Summary
This Trojan steals banking information and has the capability to update itself.
Back to the Top

Detailed Description
Upon execution, this malware drops the following file:

  • %windir%\sflash.dll - detected as Trojan-Spy.Win32.Banker.gmh

Note: %windir% is by default, C:\Windows.

It checks to see if iexplore.exe is running. If it isn't, it will run IE in the background and will inject the dropped DLL file as a Browser Helper Object.

It creates these auto-start registry keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Shockwave Flash = Rundll32.exe sflash.dll,Init
  • HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}
  • HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}\InprocServer32
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
    \Browser Helper Objects\{32C18258-23D0-41b0-A87D-2672ABFB5366}

It downloads the following file:

  • http://69.6.202.56/.fp/[REMOVED].exe
    - Trojan-Spy:W32/Banker.HYN

It saves the file as %temp%\aol92.exe and executes it.
Note: %temp% is normally C:\Documents and Settings\\Local Settings\Temp.

This malware monitors the URLs visited by the user. If the visited URL has the following banking-related strings, it will start collecting information:

  • .ub-businessonline.
  • ach-cdc1.theonenet.com
  • amegytreasurymanagement.com
  • banking.calbanktrust.com
  • banking.commercebank.com
  • bankofinternet.com
  • business.ml.com
  • businesse-cashmanager
  • businessonline.blilk.com
  • cashproweb
  • ceowt.wellsfargo.com
  • commercetreasurydirect.com
  • commercial.wachovia.com
  • communityresourcebank.com
  • direct.bankofamerica.com
  • ebanking-services.com
  • ecash.fsbnm.com/cashman/
  • enterprise2.openbank.com
  • firstmutualonline.com
  • itreasury.amsouth.com
  • myib.firstmerchants.com
  • nationalcity.com/corporate
  • nationalcity.com/dashboard
  • onlinencr.com/online/cbandt/business
  • onlinetreasurymanager.
  • secure.republicfederal.com
  • server52.cey-ebanking.com
  • sterlingonline.banksterling.com
  • sterlingonline.banksterling.com
  • svbconnect
  • treasury.pncbank
  • wainwrightbank.com/html/business
  • wc.wachovia.com/
  • wcm71.webcashmgmt.com
  • wcma.businesscenter
  • webbankingforbusiness
  • webcashmanager.com
  • webcashmgmt.com
  • wellsoffice.wellsfargo.com
  • wires.theonenet.com
  • ws.ecorphost.net
  • www.directline4biz.com
  • www.enternetbank.com/ewb/

Stolen information will then be sent to the following link using http POST command:

  • http://203.121.69.232/OOO6/[REMOVED].php
Back to the Top



F-Secure Corporation

Last Modified: December 05, 2007