In Banking Trojans Part I, I covered some banking trojan families. Here I list the rest of the most dangerous ones, with the files and registry entries each typically leaves on an infected machine.
Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
%SystemRoot%\appwiz.dll
%SystemRoot%\ipv6mmo??.dll
We have also seen other names for these files.
Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
HKEY_LOCAL_MACHINE\Software\MRSoft
Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
%SystemRoot%\ieschedule.exe
%SystemRoot%\dsrss.exe
%SystemRoot%\ieserver.exe
%SystemRoot%\websvr.exe
%SystemRoot%\ieredir.exe
%SystemRoot%\smss.exe
%SystemRoot%\ib?.dll
Folders:
%SystemRoot%\drv32dta
%WindowsRoot%\websvr
Registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
It also usually modifies the hosts file.
Nuklus, Apophis
It usually downloads the following files:
%SystemRoot%\IEGrabber.dll
%SystemRoot%\CertGrabber.dll
%SystemRoot%\FFGrabber.dll
%SystemRoot%\IECookieKiller.dll
%SystemRoot%\IEFaker.dll
%SystemRoot%\IEMod.dll
%SystemRoot%\IEScrGrabber.dll
%SystemRoot%\IETanGrabber.dll
%SystemRoot%\NetLocker.dll
%SystemRoot%\ProxyMod.dll
%SystemRoot%\PSGrabber.dll
BankDiv, Banker.BWB
Creates the following files:
%SystemRoot%\xvid.dll
%SystemRoot%\xvid.ini
%SystemRoot%\divx.ini
%System%\drivers\ip.sys
Snatch, Gozi
It usually installs a driver with rootkit functionality:
%WindowsRoot%\driver new_drv.sys
Spyforms
Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ttool" = %WindowsRoot%\svcs.exe
HKEY_CURRENT_USER\Software\Microsoft\InetData
BankPatch
It modifies the following system files:
wininet.dll
kernel32.dll
And creates the files:
%SystemRoot%\ldshfr.old
%SystemRoot%\mentid.dmp
%SystemRoot%\nwkr.ini
%SystemRoot%\nwwnt.ini
Usually targets banks from the Netherlands.
Silentbanker
Drops files in %SystemRoot% with random names, for example:
%SystemRoot%\appmgmt14.dll
%SystemRoot%\dbgen47.dll
%SystemRoot%\drmsto34.dll
%SystemRoot%\faultre66.dll
%SystemRoot%\kbddiv55.dll
%SystemRoot%\kbddiv79.dll
%SystemRoot%\msisi83.dll
%SystemRoot%\msvcp793.dll
%SystemRoot%\msvcr25.dll
%SystemRoot%\nweven2.dll
%SystemRoot%\pngfil51.dll
%SystemRoot%\pschdpr89.dll
%SystemRoot%\versio40.dll
%SystemRoot%\wifema85.dll
%SystemRoot%\winstr21.dll
%SystemRoot%\wzcsv64.dll
Creates a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 "midi1"
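The file and registry artifacts listed for these families are the kind of thing one sweeps host by host, so here is a small sweep script. It is an added example, not code from the original post or from Panda. The indicator tables are a representative subset transcribed from the lists above (the "?" single-character wildcards are kept); the snapshot format, the function names, the Winlogon\Notify baseline and the sample snapshot are this example's own assumptions. Two caveats the lists themselves hint at: a name list misses variants that rename their files (the Cimuz note above), and Silentbanker's DLL names are random, so for it the Drivers32 "midi1" value is the indicator worth checking. The smss.exe entry is worth a word too: the genuine smss.exe lives in System32, so a copy directly in the Windows directory is itself the Briz artifact.

```python
"""Sweep a Windows host for the file and registry artifacts listed above.
Added example, not code from the original post or from Panda: indicators are a
representative subset transcribed from the page; snapshot format, function names,
the Winlogon\\Notify baseline and the sample snapshot are this example's assumptions."""
import fnmatch
import re
import sys

# (family, directory variable, file-name pattern; "?" is one character). On the page
# %SystemRoot% and %WindowsRoot% both mean the Windows directory, %System% is System32.
FILE_IOCS = [
    ("Cimuz/Metafisher", "%SystemRoot%", "ipv6mmo??.dll"),
    ("Briz/VisualBreez", "%SystemRoot%", "ieredir.exe"),
    ("Briz/VisualBreez", "%SystemRoot%", "smss.exe"),  # genuine smss.exe is in System32
    ("Briz/VisualBreez", "%SystemRoot%", "ib?.dll"),
    ("Nuklus/Apophis", "%SystemRoot%", "IETanGrabber.dll"),
    ("BankDiv", "%System%\\drivers", "ip.sys"),
    ("Spyforms", "%WindowsRoot%", "svcs.exe"),
    ("BankPatch", "%SystemRoot%", "ldshfr.old"),
]  # Silentbanker's names are random, so its Drivers32 "midi1" value is used instead.
KEY_IOCS = [  # presence of the key is the indicator
    ("Bankolimb/Limbo", r"HKEY_LOCAL_MACHINE\Software\Helper"),
    ("Bankolimb/Limbo", r"HKEY_LOCAL_MACHINE\Software\MRSoft"),
    ("Briz/VisualBreez", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey"),
    ("Spyforms", r"HKEY_CURRENT_USER\Software\Microsoft\InetData"),
]
VALUE_IOCS = [  # (family, key, value name, regex the data must match, or None for any)
    ("Spyforms", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "ttool", r".*\\svcs\.exe$"),
    ("Silentbanker", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32",
     "midi1", None),
]
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumed Notify subkeys of a clean Windows XP install (verify against a known-good
# image). Any other subkey is reported as a possible Goldun/Haxdoor loader entry.
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def _dir(d):
    return d.lower().replace("%windowsroot%", "%systemroot%")

def scan_files(files):
    """files: {directory variable: file names}. Returns (family, path) hits."""
    listing = {_dir(d): [n.lower() for n in names] for d, names in files.items()}
    return [(family, directory + "\\" + name)
            for family, directory, pattern in FILE_IOCS
            for name in listing.get(_dir(directory), [])
            if fnmatch.fnmatchcase(name, pattern.lower())]

def scan_registry(registry):
    """registry: {key path: {value name: data}}, one entry per (sub)key. Returns (family, detail) hits."""
    reg = {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in registry.items()}
    hits = [(family, key) for family, key in KEY_IOCS if key.lower() in reg]
    for family, key, value, pattern in VALUE_IOCS:
        data = reg.get(key.lower(), {}).get(value.lower())
        if data is not None and (pattern is None or re.match(pattern, str(data), re.I)):
            hits.append((family, f"{key} {value} = {data}"))
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, vals in reg.items():
        if key.startswith(prefix) and key[len(prefix):] not in NOTIFY_BASELINE:
            hits.append(("Goldun/Haxdoor (Notify entry outside baseline)",
                         f"{key} DLLName={vals.get('dllname')}"))
    return hits

def collect_live():
    """Windows only: snapshot the directories and keys the tables refer to."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass snapshots to the scan functions")
    import os
    import winreg
    root = os.environ["SystemRoot"]
    dirs = {"%SystemRoot%": root, "%System%\\drivers": os.path.join(root, "System32", "drivers")}
    files = {var: os.listdir(path) for var, path in dirs.items() if os.path.isdir(path)}
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE, "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    values = lambda h: dict(winreg.EnumValue(h, i)[:2] for i in range(winreg.QueryInfoKey(h)[1]))
    registry = {}
    for key in [k for _, k in KEY_IOCS] + [k for _, k, _, _ in VALUE_IOCS] + [NOTIFY_KEY]:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                registry[key] = values(h)
                for i in range(winreg.QueryInfoKey(h)[0]):  # one level of subkeys (Notify)
                    name = winreg.EnumKey(h, i)
                    with winreg.OpenKey(h, name) as sh:
                        registry[key + "\\" + name] = values(sh)
        except OSError:
            pass  # absent key: nothing to report
    return files, registry

# Constructed snapshot of an infected host for demonstration (not a real capture).
SAMPLE_FILES = {"%SystemRoot%": ["explorer.exe", "ipv6mmo3x.dll", "smss.exe"],
                "%System%\\drivers": ["tcpip.sys", "ip.sys"]}
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run":
        {"ttool": r"C:\WINDOWS\svcs.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    NOTIFY_KEY + r"\crypt32chain": {"DLLName": "crypt32.dll"},
    NOTIFY_KEY + r"\cdsnt": {"DLLName": r"C:\WINDOWS\cdsnt.dll"},  # made-up subkey name
}

if __name__ == "__main__":
    files, registry = collect_live()
    for family, detail in scan_files(files) + scan_registry(registry):
        print(family, "->", detail)
```

Run it as `python sweep.py` on the suspect machine; on any other platform, feed it snapshots in the two dict shapes shown by `SAMPLE_FILES` and `SAMPLE_REGISTRY` (for instance, built from a mounted disk image and an exported hive). Treat hits as leads to confirm, not proof: a key such as Software\Helper could be created by something else, and the Notify baseline should be replaced by one taken from a clean image of the same Windows build.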
If you suspect infection by these or any other type of malware I encourage you to double check by scanning your PC online with ActiveScan 2.0.