
Banker.BSX

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Banker.BSX carries out the following actions:

  • It opens port 1106 and goes memory resident.
  • It monitors whether the user accesses any of the following web pages, which belong to banking entities in Spanish-speaking countries:
    https://secure2.venezolano.com/
    https://e-bdvcp.banvenez.com
    https://www.ibprovivienda.com.ve/personas/
    https://banco.micasaeap.com/individualmc/
    https://olb.todo1.com/servlet/msfv/
    https://www.banesco.com/servicios_electronicos_pag.htm
    https://www.banesconline.com
    https://www.provinet.net/shtml/
    https://bod.bodmillenium.com
    https://www.corp-line.com.ve/personas/
  • If the user accesses any of them, Banker.BSX captures the actions the user carries out on the website, including the login and password entered via virtual keyboards.
  • The gathered data is then sent to a certain email address.
  • It sends a message via MSN Messenger, with a link that points to a copy of the Trojan Nabload.U:

    ve esa vaina
    http://hometown.<blocked>miralafoto/foto.exe

    If the link is clicked, Nabload.U is downloaded to the affected computer.

Infection strategy 

Banker.BSX creates the following files in the subfolder SERVICE of the Windows system directory:

  • SERVICE.DLL, which is not a DLL but an INI file that contains the Trojan's configuration: the email address to which the gathered data is sent, the website from which the Trojan is downloaded, the messages to be sent via MSN Messenger, etc.
  • Several JPG files, which are screenshots of the actions carried out by the user while browsing the monitored websites.
  • %bank%.HTML, which logs the keystrokes typed by the user and the screenshots related to the banking entity in which the information has been gathered.
  • EL.DLL, which is not a DLL either, but a text file that Banker.BSX uses to store the addresses in the Contact List of MSN Messenger.
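
A triage check for the artefacts listed above, as an added example that is not part of the original write-up: it flags files that carry a .DLL extension but are not PE images, which is the disguise described for SERVICE.DLL and EL.DLL. The function names and the sample file contents are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path


def is_pe_image(path: Path) -> bool:
    """True only if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with path.open("rb") as fh:
        dos_header = fh.read(64)
        if len(dos_header) < 64 or dos_header[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"


def looks_like_text(path: Path, sample_size: int = 4096) -> bool:
    """Heuristic: the leading bytes hold no NUL or other control characters."""
    sample = path.read_bytes()[:sample_size]
    return all(b >= 0x20 or b in b"\t\r\n" for b in sample)


def find_masquerading_dlls(folder) -> dict:
    """Map each *.dll in folder that is not a PE image to 'text' or 'non-PE binary'."""
    findings = {}
    for entry in sorted(Path(folder).iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".dll" and not is_pe_image(entry):
            findings[entry.name] = "text" if looks_like_text(entry) else "non-PE binary"
    return findings


def build_constructed_sample(folder: Path) -> None:
    """Constructed data: two text files named like the page's artefacts, one PE stub."""
    # The INI keys and addresses below are placeholders, not values from the Trojan.
    (folder / "SERVICE.DLL").write_bytes(b"[config]\r\nmail=placeholder@example.invalid\r\n")
    (folder / "EL.DLL").write_bytes(b"contact1@example.invalid\r\n")
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    (folder / "REAL.DLL").write_bytes(pe_stub)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(Path(tmp))
        # On a live host, pass the SERVICE subfolder of the Windows system directory.
        print(find_masquerading_dlls(tmp))
```

A hit is a lead for further inspection, not a verdict: legitimate software occasionally ships non-PE files with a .DLL extension.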

 

Banker.BSX creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    services = %sysdir%\services.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Banker.BSX ensures that it is run whenever Windows is started.

Means of transmission 

Banker.BSX is downloaded to the affected computer by another Trojan called Nabload.U.

Further Details  

Banker.BSX is written in Delphi. The Trojan is 393,728 bytes in size when compressed with UPX and 1,143,750 bytes once decompressed.

Last updated:  27/03/2006 
