Site icon Panda Security Mediacenter

Banking Trojans II

In Banking Trojans Part I I covered some banking trojan families. Here I will list the rest of the most dangerous of these types of malicious codes.

 

Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
    %SystemRoot%appwiz.dll
    %SystemRoot%ipv6mmo??.dll

We have seen also other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
    HKEY_LOCAL_MACHINESoftwareHelper
Others create the following one:
    HKEY_LOCAL_MACHINESoftwareMRSoft

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
    %SystemRoot%ieschedule.exe
    %SystemRoot%dsrss.exe
    %SystemRoot%ieserver.exe
    %SystemRoot%websvr.exe
    %SystemRoot%ieredir.exe
    %SystemRoot%smss.exe
    %SystemRoot%ib?.dll

Folders:
    %SystemRoot%drv32dta
    %WindowsRoot%websvr

Registry entry:
    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlInitRegKey
And usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:
    %SystemRoot%IEGrabber.dll
    %SystemRoot%CertGrabber.dll
    %SystemRoot%FFGrabber.dll
    %SystemRoot%IECookieKiller.dll
    %SystemRoot%IEFaker.dll
    %SystemRoot%IEMod.dll
    %SystemRoot%IEScrGrabber.dll
    %SystemRoot%IETanGrabber.dll
    %SystemRoot%NetLocker.dll
    %SystemRoot%ProxyMod.dll
    %SystemRoot%PSGrabber.dll

 

BankDiv, Banker.BWB
Creates the following files:
    %SystemRoot%xvid.dll
    %SystemRoot%xvid.ini
    %SystemRoot%divx.ini
    %System%driversip.sys

 

Snatch, Gozi
It usually installs a driver with rootkit functionalities:
    %WindowsRoot%driver new_drv.sys

Spyforms
Creates the following registry entries:
    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
    “ttool” = %WindowsRoot%svcs.exe
    HKEY_CURRENT_USERSoftwareMicrosoftInetData

BankPatch
It modifies the following system files:
    wininet.dll
    kernel32.dll

And creates the files:
    %SystemRoot%ldshfr.old
    %SystemRoot%mentid.dmp
    %SystemRoot%nwkr.ini
    %SystemRoot%nwwnt.ini

Usually targets banks from the Netherlands.

Silentbanker
Drops file in %SystemRoot% with random names, for example:
    %SystemRoot%appmgmt14.dll
    %SystemRoot%dbgen47.dll
    %SystemRoot%drmsto34.dll
    %SystemRoot%faultre66.dll
    %SystemRoot%kbddiv55.dll
    %SystemRoot%kbddiv79.dll
    %SystemRoot%msisi83.dll
    %SystemRoot%msvcp793.dll
    %SystemRoot%msvcr25.dll
    %SystemRoot%nweven2.dll
    %SystemRoot%pngfil51.dll
    %SystemRoot%pschdpr89.dll
    %SystemRoot%versio40.dll
    %SystemRoot%wifema85.dll
    %SystemRoot%winstr21.dll
    %SystemRoot%wzcsv64.dll

Creates a registry entry:
    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionDrivers32 “midi1”

If you suspect infection by these or any other type of malware I encourage you to double check by scanning your PC online with ActiveScan 2.0.

Exit mobile version