Trojan-Spy.Win32.Banker.clz
From Total Malware Info
This Trojan is designed to steal confidential financial information. The file is a Windows PE executable compiled with Borland Delphi and packed with Themida. The packed file has a size of 2 736 128 346 bytes; unpacked it is about 4 583 Kbytes.
Installation
Once launched, the Trojan extracts itself to the Windows Startup and System directories:
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Exec32.exe
%System%\Exec32.exe
The Trojan also creates the following file in the %System%\drivers directory:
oreans32.sys
The extracted file is Themida's driver and has a size of 33 952 bytes.
It then registers the file in the system registry to ensure that it is launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Exec32"="%System%\Exec32.exe"
Themida's service is also added to the registry:
[HKLM\System\CurrentControlSet\Services\oreans32]
"DisplayName"="oreans32"
"ImagePath"="%System%\drivers\oreans32.sys"
"Start"="dword:0x00000001"
Payload
While resident, the malware logs user information and saves it to a special log file:
%System%\Rec
The Trojan also takes screenshots when the user visits certain websites and sends them, together with the log, to:
- or****rr@gmail.com
Removal instructions
- Using Task Manager, terminate the Trojan process Exec32.exe.
- Delete the following registry keys and values:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Exec32"="%System%\Exec32.exe"
[HKLM\System\CurrentControlSet\Services\oreans32]
- Delete the following files:
%System%\Exec32.exe
%System%\drivers\oreans32.sys
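Before deleting anything, the artifacts above can be enumerated read-only. The following PowerShell check is an added example, not part of the original entry; it assumes %System% maps to %SystemRoot%\System32 and that it runs in an elevated session on the suspected host.

```powershell
# Added example, not from the original entry: read-only triage of the artifacts
# this page lists. Assumes %System% is %SystemRoot%\System32 (an assumption) and
# an elevated PowerShell session on the suspected host.
$system32 = Join-Path $env:SystemRoot 'System32'
$startup  = [Environment]::GetFolderPath('CommonStartup')

$files = @(
    (Join-Path $startup  'Exec32.exe'),
    (Join-Path $system32 'Exec32.exe'),
    (Join-Path $system32 'drivers\oreans32.sys'),
    (Join-Path $system32 'Rec')            # log file named in the Payload section
)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$svcKey = 'HKLM:\System\CurrentControlSet\Services\oreans32'

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += "File present: $f ($($item.Length) bytes)"
    }
}

# Persistence: Run value "Exec32" pointing at the dropped executable.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Exec32']) {
    $findings += "Run value Exec32 = $($run.Exec32)"
}

# Themida driver service. Any Themida-protected program installs this driver,
# so on its own it is weak evidence; it matters together with the Exec32 artifacts.
if (Test-Path -Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service oreans32: ImagePath=$($svc.ImagePath) Start=$($svc.Start)"
}

# Running instance of the dropped executable (Task Manager step above).
$proc = Get-Process -Name 'Exec32' -ErrorAction SilentlyContinue
if ($proc) { $findings += "Process running: Exec32.exe PID $($proc.Id -join ',')" }

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan-Spy.Win32.Banker.clz artifacts found.'
} else {
    Write-Output 'Artifacts found (review before removal):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat the Run value and the Exec32.exe files as the decisive indicators; oreans32.sys alone only shows that some Themida-packed program has run on the host.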