
System Infected: Infostealer.Bankeiya Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network traffic generated by Infostealer.Bankeiya, which could lead to information theft and further infection of the affected system.

Additional Information

When the Trojan is executed, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IcpIpCfg = Rundll32 %UserProfile%\Application Data\[RANDOM FILE NAME].dll MainThread

Next, the Trojan downloads configuration settings from the following URL:
http://profile.hatena.ne.jp/ml[RANDOM NUMBER]

It then saves the configuration settings to the following file before updating itself:
%UserProfile%\Application Data\ini.ini
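The persistence mechanism above (a Run value that launches Rundll32 against a DLL in the user's Application Data directory, with the MainThread entry point) can be triaged from an export of HKCU Run values. The following is an added example written for this page, not Symantec's own tooling: it parses rundll32 command lines, and flags DLLs loaded from user-writable profile paths or entries matching the value name and entry point given above. The sample Run values are constructed, and the DLL name is a placeholder for the random file name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> data).
# The first mirrors the indicator on this page with a placeholder DLL name;
# the others are benign look-alikes used to show what is and is not flagged.
SAMPLE_RUN_VALUES = {
    "IcpIpCfg": r"Rundll32 %UserProfile%\Application Data\PLACEHOLDER-RANDOM-NAME.dll MainThread",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Audio": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    "Updater": r"RUNDLL32.EXE C:\Users\alice\AppData\Roaming\xyz.dll,Start",
}

# rundll32 [path\]<dll>[,| ]<entry point>; the DLL path may contain spaces.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*[, ]\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Profile locations a non-admin user can write to (heuristic, an assumption of this example).
USER_WRITABLE = re.compile(
    r"%appdata%|%localappdata%|(?:%userprofile%|\\users\\[^\\]+)\\(?:application data|appdata\\(?:roaming|local))",
    re.IGNORECASE,
)

@dataclass
class Finding:
    value_name: str
    dll: str
    entry: str
    reason: str

def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    return m.group("dll").strip(), m.group("entry").strip()

def triage_run_values(values: Dict[str, str]) -> List[Finding]:
    """Flag Run values whose rundll32 target looks like the Bankeiya persistence entry."""
    findings = []
    for name, cmd in values.items():
        parsed = parse_rundll32(cmd)
        if parsed is None:
            continue
        dll, entry = parsed
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("DLL loaded from user-writable profile directory")
        if name == "IcpIpCfg" or entry.lower() == "mainthread":
            reasons.append("value name or entry point matches Infostealer.Bankeiya indicator")
        if reasons:
            findings.append(Finding(name, dll, entry, "; ".join(reasons)))
    return findings
```

A hit on the first reason alone warrants a look at the DLL; both reasons together match the behaviour described on this page.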

Affected

  • Windows