Effects
Banker.LZK carries out the following actions:
- It steals the banking data entered by users when they access the website belonging to a certain Portuguese banking entity.
- It connects to a certain website where it stores the following data:
  - Country.
  - Name of the network to which the computer belongs.
  - Time of the infection.
Infection strategy
Banker.LZK creates the following files in the Windows system directory:
- SYSTEMA.EXE, which is a copy of the Trojan.
- INFO.LOG, where it stores the name of the network of the affected computer.
- DOWN.TXT
Banker.LZK creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  System = %sysdir%\Systema.exe
  where %sysdir% is the Windows system directory.
By creating this entry, Banker.LZK ensures that it is run whenever Windows is started.
Means of transmission
Banker.LZK reaches the computer in an email message which seems to have been sent by a certain banking entity. This message contains an attached file called COMPROVANTE that passes itself off as a text file. However, it is actually an executable file.
However, Banker.LZK does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Banker.LZK is 488,960 bytes in size.
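
The file names, Run entry and file size given above can be checked on a suspect host with a read-only script. The following PowerShell is an added example, not part of the original description or vendor tooling; the extra SysWOW64 and WOW6432Node locations are an assumption that goes beyond the page, covering a 32-bit sample running on 64-bit Windows.

```powershell
# Added example: read-only check for the Banker.LZK artifacts named on this page.
$expectedSize = 488960   # Trojan size in bytes, from "Further Details"
$fileNames    = 'SYSTEMA.EXE', 'INFO.LOG', 'DOWN.TXT'

# %sysdir% as the Trojan sees it. On 64-bit Windows a 32-bit process is redirected
# to SysWOW64 and to the WOW6432Node registry view, so both are checked
# (assumption: the page itself only names the system directory and the HKLM Run key).
$sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Where-Object { Test-Path $_ } | Select-Object -Unique
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'

$findings = @(
    # Persistence: a Run value named "System" whose data points at Systema.exe.
    foreach ($key in $runKeys) {
        $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($run -and ($run.PSObject.Properties.Name -contains 'System')) {
            $data = [Environment]::ExpandEnvironmentVariables([string]$run.System).Trim('"')
            [pscustomobject]@{
                Artifact = "$key\System"
                Detail   = $data
                Match    = ($data -like '*\Systema.exe')   # -like is case-insensitive
            }
        }
    }
    # Dropped files. Only SYSTEMA.EXE is compared against the published size;
    # INFO.LOG and DOWN.TXT are name-only hits and need analyst review.
    foreach ($dir in $sysDirs) {
        foreach ($name in $fileNames) {
            $file = Get-Item -LiteralPath (Join-Path $dir $name) -Force -ErrorAction SilentlyContinue
            if ($file) {
                [pscustomobject]@{
                    Artifact = $file.FullName
                    Detail   = "$($file.Length) bytes, created $($file.CreationTime)"
                    Match    = ($name -ne 'SYSTEMA.EXE') -or ($file.Length -eq $expectedSize)
                }
            }
        }
    }
)

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Banker.LZK file or registry artifacts found.' }
```

A `Match` of `False` on the Run value or on SYSTEMA.EXE means an object with the same name exists but differs from what the page describes, which still warrants a look at the file's origin and signature.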