
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Banker.CHG

  • Threat level: Moderate threat
  • Damage: High
  • Distribution: Not widespread

Effects 

Banker.CHG carries out the following actions:

  • It goes memory resident.
  • It monitors whether users access the following web pages, which belong to several banking entities:
    http://www.hsbc.co.uk/1/2/personal/pib-home
    https://ibank.barclays.co.uk/olb/q/LoginMember.do
    https://my.if.com/_mem_bin/formslogin.asp
    https://mybankoffshore.alil.co.im/login.asp
    https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
    https://olb2.nationet.com/signon/signon_WP1.asp?ID=
    https://online.lloydstsb.co.uk/customer.ibc
    https://online-offshore.lloydstsb.com/customer.ibc
    https://www.anbusiness.com/weblogic/FNG/LogonServlet?action=prepare
    https://www.halifax-online.co.uk/_mem_bin/Formslogin.asp
  • If users enter their data in order to log in to any of them, Banker.CHG modifies the HOSTS file so that the website can no longer be accessed.
  • Immediately afterwards, Banker.CHG displays a fake website that imitates the original one belonging to the banking entity the user attempted to access.
  • If users enter their data again, thinking there has been an error, Banker.CHG captures confidential user data such as the username and password.
  • Then, it sends the data it has gathered using the POST method of the HTTP protocol to certain URLs.
  • It attempts to download several files from some IP addresses.
  • It attempts to access the website http://veni<blocked>vici.com.

Additionally, although Banker.CHG contains rootkit code, it does not use it.

Infection strategy 

Banker.CHG creates the file WMEDIA32.EXE in the Windows system directory. This file is a copy of the Trojan.

Banker.CHG modifies the HOSTS file. By modifying this file, it prevents access to certain websites belonging to banking entities.

Banker.CHG creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    WMedia32 = %sysdir%\wmedia32.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Banker.CHG ensures that it is run whenever Windows is started.
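A triage helper for the indicators described in the Effects and Infection strategy sections, added here as an example and not Panda Security's code: it derives the targeted banking hostnames from the URL list above, flags any HOSTS entry that overrides one of them (a legitimate HOSTS file never pins these names, so any mapping is suspicious), and scans a `reg export` style text dump of the HKLM Run key for the WMedia32 value. The HOSTS text and registry dump below are constructed samples, and all function names are my own.

```python
"""Offline triage for the Banker.CHG indicators on this page.

Added example, not Panda Security's code. Works on text copied off a
suspect machine (HOSTS file, 'reg export' output), so it runs anywhere.
"""
from urllib.parse import urlsplit

# URLs listed in the encyclopedia entry as the pages the Trojan watches.
TARGETED_URLS = [
    "http://www.hsbc.co.uk/1/2/personal/pib-home",
    "https://ibank.barclays.co.uk/olb/q/LoginMember.do",
    "https://my.if.com/_mem_bin/formslogin.asp",
    "https://mybankoffshore.alil.co.im/login.asp",
    "https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare",
    "https://olb2.nationet.com/signon/signon_WP1.asp?ID=",
    "https://online.lloydstsb.co.uk/customer.ibc",
    "https://online-offshore.lloydstsb.com/customer.ibc",
    "https://www.anbusiness.com/weblogic/FNG/LogonServlet?action=prepare",
    "https://www.halifax-online.co.uk/_mem_bin/Formslogin.asp",
]

# Constructed sample HOSTS file: two of the watched hosts are pinned.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1 localhost
127.0.0.1 www.hsbc.co.uk
0.0.0.0   online.lloydstsb.co.uk  # blocks the real site
192.0.2.10 example.test
"""

# Constructed sample of 'reg export' output for the Run key and a sibling key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"WMedia32"="C:\\WINDOWS\\system32\\wmedia32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Other"="C:\\tmp\\setup.exe"
"""


def targeted_hosts(urls=TARGETED_URLS):
    """Lower-cased hostnames extracted from the watched URLs."""
    return {urlsplit(u).hostname.lower() for u in urls}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def hosts_hijacks(text, watched=None):
    """Return {hostname: ip} for watched banking hosts that HOSTS overrides."""
    watched = watched if watched is not None else targeted_hosts()
    return {name: ip for ip, name in parse_hosts(text) if name in watched}


def run_key_hits(reg_text, marker="wmedia32.exe"):
    """Return {value_name: data} for entries under a ...\\CurrentVersion\\Run
    key whose data mentions the dropped file name. Sibling keys such as
    RunOnce are deliberately ignored so the match stays tied to this entry."""
    hits = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        if in_run_key and "=" in line:
            name, _, data = line.partition("=")
            if marker in data.lower():
                hits[name.strip().strip('"')] = data.strip().strip('"')
    return hits


if __name__ == "__main__":
    print("HOSTS overrides of watched banks:", hosts_hijacks(SAMPLE_HOSTS))
    print("Run-key persistence values:", run_key_hits(SAMPLE_REG))
```

On a live Windows host the same two functions can be fed `%SystemRoot%\System32\drivers\etc\hosts` and the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; an empty result from both does not prove the machine is clean, since the page also lists a dropped file and outbound POST traffic as indicators.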

Means of transmission 

Banker.CHG does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Banker.CHG is written in the programming language Delphi. This Trojan is 51,919 bytes in size, and it is compressed with UPX.