In Banking Trojans Part I, I covered some banking trojan families. Here I list the remaining families among the most dangerous of this type of malicious code.


Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:

We have also seen other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
Others create the following one:

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:


Registry entry:
It also usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:


BankDiv, Banker.BWB
Creates the following files:


Snatch, Gozi
It usually installs a driver with rootkit functionality:
    %WindowsRoot%\driver new_drv.sys

Creates the following registry entries:
    "ttool" = %WindowsRoot%\svcs.exe

It modifies the following system files:

And creates the files:

Usually targets banks from the Netherlands.

Drops files in %SystemRoot% with random names, for example:

Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 "midi1"
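As an added example (not from the original post), the PowerShell below enumerates the persistence locations named across these families (Winlogon\Notify, Browser Helper Objects, Drivers32 and the hosts file) so a defender can review them for unexpected entries; the CLSID\InprocServer32 lookup used to resolve each BHO to its DLL is an assumption based on the standard Windows layout, not something the post states.

```powershell
# Added example, not from the original post: list the persistence locations
# the post associates with these banking trojans for manual review.
$findings = @()

# 1. Winlogon\Notify subkeys (DLL loaded at logon, as used by Goldun/Haxdoor)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        $findings += [pscustomobject]@{ Location = 'Winlogon\Notify'; Name = $_.PSChildName; Value = $dll }
    }
}

# 2. Browser Helper Objects (Cimuz, Bankolimb). Each subkey is a CLSID; the DLL
#    behind it is resolved via HKCR\CLSID\<clsid>\InprocServer32 (assumed standard path).
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<unresolved>' }
        $findings += [pscustomobject]@{ Location = 'BHO'; Name = $clsid; Value = $dll }
    }
}

# 3. Drivers32 values (the post's "midi1" entry). Legitimate values are plain
#    multimedia driver names; a full path or unfamiliar file deserves a look.
$drv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Drivers32'
if (Test-Path $drv) {
    (Get-ItemProperty $drv).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Location = 'Drivers32'; Name = $_.Name; Value = $_.Value }
        }
}

# 4. hosts file (Briz). Report IPv4 entries that point a hostname anywhere other than loopback.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Location = 'hosts'; Name = 'redirect'; Value = $_.Trim() }
    }

$findings | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM keys are readable; the output is a review list, not a verdict, since all four locations also hold legitimate entries.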

