Banking Trojans II

In Banking Trojans Part I I covered some banking trojan families. Here I list the rest of the most dangerous families of this type of malicious code.


Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\


Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
    %SystemRoot%\appwiz.dll
    %SystemRoot%\ipv6mmo??.dll

We have also seen other names for these files.


Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML file which acts as the Trojan's configuration file.
Some variants create the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
    HKEY_LOCAL_MACHINE\Software\MRSoft


Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
    %SystemRoot%\ieschedule.exe
    %SystemRoot%\dsrss.exe
    %SystemRoot%\ieserver.exe
    %SystemRoot%\websvr.exe
    %SystemRoot%\ieredir.exe
    %SystemRoot%\smss.exe
    %SystemRoot%\ib?.dll

Folders:
    %SystemRoot%\drv32dta
    %WindowsRoot%\websvr

Registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
It also usually modifies the hosts file.


Nuklus, Apophis
It usually downloads the following files:
    %SystemRoot%\IEGrabber.dll
    %SystemRoot%\CertGrabber.dll
    %SystemRoot%\FFGrabber.dll
    %SystemRoot%\IECookieKiller.dll
    %SystemRoot%\IEFaker.dll
    %SystemRoot%\IEMod.dll
    %SystemRoot%\IEScrGrabber.dll
    %SystemRoot%\IETanGrabber.dll
    %SystemRoot%\NetLocker.dll
    %SystemRoot%\ProxyMod.dll
    %SystemRoot%\PSGrabber.dll


BankDiv, Banker.BWB
Creates the following files:
    %SystemRoot%\xvid.dll
    %SystemRoot%\xvid.ini
    %SystemRoot%\divx.ini
    %System%\drivers\ip.sys


Snatch, Gozi
It usually installs a driver with rootkit functionality:
    %WindowsRoot%\driver new_drv.sys


Spyforms
Creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "ttool" = %WindowsRoot%\svcs.exe
    HKEY_CURRENT_USER\Software\Microsoft\InetData


BankPatch
It modifies the following system files:
    wininet.dll
    kernel32.dll

And creates the files:
    %SystemRoot%\ldshfr.old
    %SystemRoot%\mentid.dmp
    %SystemRoot%\nwkr.ini
    %SystemRoot%\nwwnt.ini

Usually targets banks from the Netherlands.


Silentbanker
Drops files in %SystemRoot% with random names, for example:
    %SystemRoot%\appmgmt14.dll
    %SystemRoot%\dbgen47.dll
    %SystemRoot%\drmsto34.dll
    %SystemRoot%\faultre66.dll
    %SystemRoot%\kbddiv55.dll
    %SystemRoot%\kbddiv79.dll
    %SystemRoot%\msisi83.dll
    %SystemRoot%\msvcp793.dll
    %SystemRoot%\msvcr25.dll
    %SystemRoot%\nweven2.dll
    %SystemRoot%\pngfil51.dll
    %SystemRoot%\pschdpr89.dll
    %SystemRoot%\versio40.dll
    %SystemRoot%\wifema85.dll
    %SystemRoot%\winstr21.dll
    %SystemRoot%\wzcsv64.dll

Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 "midi1"
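
As an added example (not code from the original post), the following PowerShell script walks the persistence points the families above are described as using on a Windows host: Winlogon Notify packages, Browser Helper Objects, the Run keys, Drivers32, the family-specific marker keys and the hosts file. It returns one object per entry found so the analyst can review them. The BHO registration key, the CLSID lookup under HKEY_CLASSES_ROOT and the hosts file path are standard Windows locations that the post does not itself name.

```powershell
# Added example, not code from the Panda Research post. Enumerates the
# persistence locations the families above use and returns what is registered
# there. Run in an elevated PowerShell on the host under review.
function Get-BankerPersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Source, $Name, $Value) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }

    # 1. Winlogon Notify packages: a DLL registered here is loaded at logon
    #    (the location Goldun/Haxdoor use).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            Add-Finding 'WinlogonNotify' $sub.PSChildName $dll
        }
    }

    # 2. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL
    #    Internet Explorer loads (Cimuz and Bankolimb install a BHO). The
    #    registration key and CLSID lookup are standard Windows locations.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoRoot) {
        foreach ($sub in Get-ChildItem $bhoRoot) {
            $clsid  = $sub.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
            Add-Finding 'BHO' $clsid $dll
        }
    }

    # 3. Run keys in both hives (Spyforms adds "ttool" under HKCU\...\Run).
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $run) {
            $key = Get-Item $run
            foreach ($name in $key.GetValueNames()) {
                Add-Finding "$hive-Run" $name ($key.GetValue($name))
            }
        }
    }

    # 4. Drivers32: values are normally bare driver filenames resolved from
    #    System32. Silentbanker registers its DLL as "midi1"; flag any value
    #    whose file is not present in System32 for closer inspection.
    $drv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Drivers32'
    if (Test-Path $drv) {
        $key = Get-Item $drv
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            $inSystem32 = Test-Path (Join-Path $env:SystemRoot "System32\$value")
            $tag = if ($inSystem32) { 'Drivers32' } else { 'Drivers32-NOT-IN-SYSTEM32' }
            Add-Finding $tag $name $value
        }
    }

    # 5. Marker keys the post attributes to specific families.
    $markers = @(
        'HKLM:\Software\Helper',                              # Bankolimb
        'HKLM:\Software\MRSoft',                              # Bankolimb
        'HKLM:\SYSTEM\CurrentControlSet\Control\InitRegKey',  # Briz
        'HKCU:\Software\Microsoft\InetData'                   # Spyforms
    )
    foreach ($m in $markers) {
        if (Test-Path $m) { Add-Finding 'MarkerKey' $m 'present' }
    }

    # 6. hosts file (Briz modifies it): report every active IPv4 mapping other
    #    than the localhost line so unexpected redirections stand out.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        Get-Content $hosts |
            Where-Object { $_ -match '^\s*\d+\.\d+\.\d+\.\d+\s+\S' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
            ForEach-Object { Add-Finding 'HostsEntry' ($_.Trim()) '' }
    }

    return $findings
}

Get-BankerPersistenceFindings | Format-Table -AutoSize
```

The script only reports; it does not delete anything. Winlogon Notify packages exist only on Windows XP/2003-era systems (the platforms these families targeted), so section 1 is silently skipped where the key is absent, and a Drivers32 value outside System32 is a lead to examine rather than proof of infection.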

If you suspect infection by these or any other type of malware I encourage you to double check by scanning your PC online with ActiveScan 2.0.


Comments

In previous posts Banking Trojans I and Banking Trojans II we did an overview of the main banker trojan

   Posted by Panda Research Blog at 2 June 08 12:39 PM
