
Infostealer.Banker.D

Risk Level 1: Very Low

Discovered:
May 27, 2007
Updated:
May 27, 2007 12:11:25 PM
Also Known As:
Trojan-Spy:W32/Banker.CPV [F-Secure]
Infection Length:
76,800 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When the Trojan executes, it creates a mutex to ensure that only one instance of the Trojan is running on the compromised computer:
HelperMutex

Next, it drops the following DLL file:
%System%\[TROJAN BHO DLL]

Note:
[TROJAN BHO DLL] may be one of the following file names:
  • torm.dll
  • coman.dll
  • helper.dll
  • torm1.dll
  • coman1.dll
  • helper1.dll


It then registers the dropped DLL component as a Browser Helper Object by executing the following command:
regsvr32 /s [PATH TO TROJAN BHO DLL]

It also drops one of the following XML configuration files. The file contains details of banks to be targeted:
  • %System%\helper.sys
  • %System%\helper.xml


The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Helper\"DName" = [ENCRYPTED STRING1]
HKEY_LOCAL_MACHINE\Software\Helper\"Dom" = [HEX VALUES]
HKEY_LOCAL_MACHINE\Software\Helper\"GUID" = [ENCRYPTED STRING2]

The Trojan will create the following registry subkeys and then delete the initial executable file:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\[TROJAN BHO CLSID]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[PATH TO TROJAN BHO DLL]

Note:
[TROJAN BHO CLSID] may be one of the following values:
  • {60FD4F58-4748-48f6-b661-5fce71b0d907}
  • {327C3AF0-4EF6-4F8A-9A8D-685a4815D9F8}
  • {AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8}

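The mutex name, the dropped file names, the Helper registry key and the BHO CLSIDs above are the host-side artefacts an incident responder would check for. The following Python routine is an added example, not Symantec's code: it matches a host snapshot against those indicators. The snapshot at the bottom (registry keys, %System% file names, mutex names) is constructed sample data; on a live Windows host the same lists would be gathered with winreg and a directory listing, which is left out so the check runs anywhere.

```python
"""Host-side indicator check for the Infostealer.Banker.D artefacts described
in the write-up. Added example, not Symantec's code. The registry-key and
file-name snapshot at the bottom is constructed sample data; on a live
Windows host the same lists would be gathered from the registry (winreg) and
the %System% directory."""

# Indicators taken verbatim from the write-up.
MUTEX_NAME = "HelperMutex"
BHO_CLSIDS = {
    "{60FD4F58-4748-48f6-b661-5fce71b0d907}",
    "{327C3AF0-4EF6-4F8A-9A8D-685a4815D9F8}",
    "{AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8}",
}
BHO_DLL_NAMES = {"torm.dll", "coman.dll", "helper.dll",
                 "torm1.dll", "coman1.dll", "helper1.dll"}
DROPPED_FILES = {"helper.sys", "helper.xml", "wab.dat", "ps.dat", "cookie.dat",
                 "boa.dat", "alog.txt", "commands.xml", "tns.dll"}
HELPER_KEY = r"HKEY_LOCAL_MACHINE\Software\Helper"
CLSID_PREFIX = r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID" + "\\"
BHO_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
              r"\Explorer\Browser Helper Objects" + "\\")


def check_host(registry_keys, system_files, mutexes=()):
    """Return a sorted list of findings for the given host snapshot.

    registry_keys: full registry key paths present on the host
    system_files:  bare file names found directly in %System%
    mutexes:       names of named mutexes currently held on the host
    """
    findings = []
    clsids = {c.lower() for c in BHO_CLSIDS}  # CLSIDs compare case-insensitively

    for key in registry_keys:
        k = key.lower()
        if k == HELPER_KEY.lower() or k.startswith(HELPER_KEY.lower() + "\\"):
            findings.append(f"registry: trojan config key present: {key}")
        elif k.startswith(CLSID_PREFIX.lower()):
            clsid = key[len(CLSID_PREFIX):].split("\\")[0]
            if clsid.lower() in clsids:
                findings.append(f"registry: known BHO CLSID registered: {clsid}")
        elif k.startswith(BHO_PREFIX.lower()):
            # Per the write-up the subkey is named after the DLL path rather
            # than, as a normal BHO entry would be, after its CLSID; match either.
            tail = key[len(BHO_PREFIX):]
            if tail.lower() in clsids or tail.split("\\")[-1].lower() in BHO_DLL_NAMES:
                findings.append(f"registry: BHO entry references trojan component: {tail}")

    for name in system_files:
        n = name.lower()
        if n in BHO_DLL_NAMES:
            findings.append(f"file: BHO DLL name present in %System%: {name}")
        elif n in DROPPED_FILES:
            findings.append(f"file: dropped data/config file in %System%: {name}")

    if MUTEX_NAME in mutexes:
        findings.append(f"mutex: {MUTEX_NAME} held")

    return sorted(findings)


# Constructed sample snapshot: two benign entries mixed with trojan artefacts.
SAMPLE_REGISTRY_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Helper",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{60FD4F58-4748-48F6-B661-5FCE71B0D907}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\C:\WINDOWS\system32\coman.dll",
]
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "helper.xml", "coman.dll", "boa.dat", "notepad.exe"]
SAMPLE_MUTEXES = ["HelperMutex", "SomeOtherMutex"]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REGISTRY_KEYS, SAMPLE_SYSTEM_FILES, SAMPLE_MUTEXES):
        print(finding)
```

A hit on the Helper key or on one of the three CLSIDs is specific to this family; a bare file-name match such as helper.dll is weaker on its own and is best confirmed against the BHO registration and the mutex.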

The Trojan then monitors for access to the targeted banking Web site login screens. When an access attempt is made, it injects its own HTML snippet into the HTML returned by the bank Web server. The injected HTML snippet causes the browser to display additional fields in the login form, prompting the user to enter details such as the PIN, Social Security Number, date of birth and so on.

When the user enters this information into the form and submits it, the Trojan takes a copy of the data and then passes the request on to the bank Web server. As a result, the interception made by the Trojan is transparent and seamless to the unsuspecting user.

The Trojan may also attempt to steal other details including:
  • Windows protected storage passwords
  • Internet Explorer forms and auto-complete saved passwords
  • Email account details


Next, the Trojan opens a back door and attempts to contact one of the following remote computers on TCP port 80:
  • f.ggg.org.ua
  • www.skytrip.org
  • semechkiandchebureki.com


The page requested from the remote computer could be one of the following:
  • /newuser.php (used to notify the attacker of an infection)
  • /mail.php (used to send e-mail)
  • /upload.php (used to upload data to the server)
  • /command.php (used to send or receive commands)
  • /commandback.php (used to send or receive commands)

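The three remote hosts and the five request pages above are the network-side indicators for this back door. The following Python scanner is an added example, not Symantec's code: it runs over proxy log lines and reports requests to the listed hosts, rating a listed host plus a listed page as high confidence and a listed host with any other page as medium. The log format (timestamp, client IP, method, host, path, status) and the sample lines are constructed for this example; LOG_RE would be adapted to whatever format the real proxy writes.

```python
"""Proxy-log detection for the back-door traffic described in the write-up.
Added example, not Symantec's code. The log format and the log lines below
are constructed for this example; adapt LOG_RE to your proxy's format."""
import re
from collections import namedtuple

# Remote hosts and request pages listed in the write-up.
C2_HOSTS = {"f.ggg.org.ua", "www.skytrip.org", "semechkiandchebureki.com"}
C2_PAGES = {
    "/newuser.php": "infection notification",
    "/mail.php": "send e-mail",
    "/upload.php": "upload stolen data",
    "/command.php": "send or receive commands",
    "/commandback.php": "send or receive commands",
}

# Constructed format: "<timestamp> <client> <METHOD> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

Hit = namedtuple("Hit", "ts client host path confidence purpose")


def scan_proxy_log(lines):
    """Return a Hit for every request to one of the listed C2 hosts.

    A listed host plus a listed page is a high-confidence hit; a listed host
    with any other page is medium. Page names like /upload.php are far too
    generic to alert on by themselves, so path-only matches are ignored.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        host = m["host"].lower().rstrip(".")
        path = m["path"].split("?", 1)[0].lower()  # drop any query string
        if host not in C2_HOSTS:
            continue
        purpose = C2_PAGES.get(path)
        if purpose:
            confidence = "high"
        else:
            confidence, purpose = "medium", "unlisted page on a listed host"
        hits.append(Hit(m["ts"], m["client"], host, path, confidence, purpose))
    return hits


def infected_clients(hits):
    """Set of client addresses with at least one high-confidence hit."""
    return {h.client for h in hits if h.confidence == "high"}


# Constructed sample log: one benign request, one path-only false lead,
# two high-confidence C2 requests, one medium, and a malformed line.
SAMPLE_LOG = """\
2007-05-27T10:15:01 10.0.0.5 GET www.example.com /index.html 200
2007-05-27T10:15:07 10.0.0.5 POST www.skytrip.org /newuser.php 200
2007-05-27T10:16:30 10.0.0.9 POST intranet.local /upload.php 200
2007-05-27T10:17:02 10.0.0.5 POST semechkiandchebureki.com /upload.php?id=1 200
2007-05-27T10:18:44 10.0.0.12 GET F.GGG.ORG.UA /stats.php 404
this line is deliberately malformed
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.confidence:6} {h.client:10} {h.host} {h.path} ({h.purpose})")
    print("clients to isolate:", sorted(infected_clients(found)))
```

Matching on the host name rather than the page is deliberate: the page names are ordinary PHP file names seen on countless legitimate sites, whereas a request to one of the three listed hosts from an internal client is worth an alert even when the page is not one the write-up names.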

The Trojan may also create the following files to store the stolen information and to exchange commands with the remote computer:
  • %System%\wab.dat
  • %System%\ps.dat
  • %System%\cookie.dat
  • %System%\boa.dat
  • %System%\alog.txt
  • %System%\commands.xml
  • %System%\tns.dll


The back door enables the following actions to be carried out on the compromised computer depending on the commands received:
  • reboot the computer
  • download a remote file to %System%\file.exe
  • execute a program
  • load a new XML configuration file
  • uninstall the Trojan
  • delete Internet Explorer cookies
  • add a host to %System%\drivers\etc\hosts file
  • delete the files C:\ntldr and C:\ntdetect.com and then reboot
Writeup By: Elia Florio