Trojan-Spy.Win32.Banker.dba
From Total Malware Info
This Trojan is designed to steal confidential financial information. The file is a Windows PE executable compiled with Borland Delphi. It is packed with UPX; the packed file is 216064 bytes and the unpacked file is 605696 bytes.
Installation
Once executed, it registers its file in the system registry so that it is launched each time Windows is restarted on the victim machine. The registration name and path are chosen at random from the following list:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"amaxer.exe"=%Common Files%\Microsoft Shared\amaxer.exe
"bmaxer.exe"=%Common Files%\Microsoft Shared\bmaxer.exe
"taker.exe"=%Common Files%\Microsoft Shared\taker.exe
"caller.exe"=%Common Files%\Microsoft Shared\caller.exe
"getter.exe"=%Common Files%\Microsoft Shared\getter.exe
"toller.exe"=%Common Files%\Microsoft Shared\toller.exe
"pusher.exe"=%Common Files%\Microsoft Shared\pusher.exe
"qutti.exe"=%Common Files%\Microsoft Shared\qutti.exe
"param.exe"=%Common Files%\Microsoft Shared\param.exe
"narin.exe"=%Common Files%\Microsoft Shared\narin.exe
"allsee.exe"=%Common Files%\Microsoft Shared\allsee.exe
"soldi.exe"=%Common Files%\Microsoft Shared\soldi.exe
"painn.exe"=%Common Files%\Microsoft Shared\painn.exe
"kerin.exe"=%Common Files%\Microsoft Shared\kerin.exe
"patti.exe"=%Common Files%\Microsoft Shared\patti.exe
"ditter.exe"=%Common Files%\Microsoft Shared\ditter.exe
"dizzle.exe"=%Common Files%\Microsoft Shared\dizzle.exe
"easlin.exe"=%Common Files%\Microsoft Shared\easlin.exe
"fainter.exe"=%Common Files%\Microsoft Shared\fainter.exe
"souler.exe"=%Common Files%\Microsoft Shared\souler.exe
"winupdate.exe"=%Common Files%\Microsoft Shared\winupdate.exe
"spdno.exe"=%Common Files%\Microsoft Shared\spdno.exe
"goods.exe"=%Common Files%\Microsoft Shared\goods.exe
"moriz"=%system%\moriz.exe
Payload
The malware installs the following malware without user’s permission:
The downloaded file is 232448 bytes in size and is detected by Kaspersky Anti-Virus as Backdoor.Win32.Delf.bbr.
Removal instructions
- Using Task Manager terminate the trojan process.
- Delete the registry value (whichever one of the following was created):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"amaxer.exe"=%Common Files%\Microsoft Shared\amaxer.exe
"bmaxer.exe"=%Common Files%\Microsoft Shared\bmaxer.exe
"taker.exe"=%Common Files%\Microsoft Shared\taker.exe
"caller.exe"=%Common Files%\Microsoft Shared\caller.exe
"getter.exe"=%Common Files%\Microsoft Shared\getter.exe
"toller.exe"=%Common Files%\Microsoft Shared\toller.exe
"pusher.exe"=%Common Files%\Microsoft Shared\pusher.exe
"qutti.exe"=%Common Files%\Microsoft Shared\qutti.exe
"param.exe"=%Common Files%\Microsoft Shared\param.exe
"narin.exe"=%Common Files%\Microsoft Shared\narin.exe
"allsee.exe"=%Common Files%\Microsoft Shared\allsee.exe
"soldi.exe"=%Common Files%\Microsoft Shared\soldi.exe
"painn.exe"=%Common Files%\Microsoft Shared\painn.exe
"kerin.exe"=%Common Files%\Microsoft Shared\kerin.exe
"patti.exe"=%Common Files%\Microsoft Shared\patti.exe
"ditter.exe"=%Common Files%\Microsoft Shared\ditter.exe
"dizzle.exe"=%Common Files%\Microsoft Shared\dizzle.exe
"easlin.exe"=%Common Files%\Microsoft Shared\easlin.exe
"fainter.exe"=%Common Files%\Microsoft Shared\fainter.exe
"souler.exe"=%Common Files%\Microsoft Shared\souler.exe
"winupdate.exe"=%Common Files%\Microsoft Shared\winupdate.exe
"spdno.exe"=%Common Files%\Microsoft Shared\spdno.exe
"goods.exe"=%Common Files%\Microsoft Shared\goods.exe
"moriz"=%system%\moriz.exe
- Delete the executable file:
- %System%\moriz.exe
- Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
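The following PowerShell script is an added example, not part of the original advisory: it audits the HKLM Run key for the value names listed above, records the hash of any file they point to, and with -Remove carries out the manual steps (stop the process, delete the value, delete the file). The function name and the use of %CommonProgramFiles% / %SystemRoot% to resolve %Common Files% and %system% are assumptions.

```powershell
function Find-BankerDbaPersistence {
    # Audits the HKLM Run key for the autorun value names listed in the advisory.
    # With -Remove it follows the advisory's steps: stop the process, delete the value, delete the file.
    [CmdletBinding()]
    param([switch]$Remove)

    $RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $Shared = Join-Path $env:CommonProgramFiles 'Microsoft Shared'   # assumed expansion of %Common Files%

    # Value names from the advisory; all but "moriz" resolve under %Common Files%\Microsoft Shared.
    $Names = 'amaxer.exe','bmaxer.exe','taker.exe','caller.exe','getter.exe','toller.exe',
             'pusher.exe','qutti.exe','param.exe','narin.exe','allsee.exe','soldi.exe',
             'painn.exe','kerin.exe','patti.exe','ditter.exe','dizzle.exe','easlin.exe',
             'fainter.exe','souler.exe','winupdate.exe','spdno.exe','goods.exe'
    $Expected = @{}
    foreach ($n in $Names) { $Expected[$n] = Join-Path $Shared $n }
    $Expected['moriz'] = Join-Path $env:SystemRoot 'System32\moriz.exe'   # assumed expansion of %system%

    $Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $Run) { return }

    foreach ($name in $Expected.Keys) {
        $prop = $Run.PSObject.Properties[$name]
        if (-not $prop) { continue }

        # Registry data may be quoted or use %VAR% references; normalise before comparing.
        $path = [Environment]::ExpandEnvironmentVariables(($prop.Value -replace '"', '').Trim())
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $hash = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }

        [pscustomobject]@{
            ValueName    = $name
            Data         = $prop.Value
            ResolvedPath = $path
            PathMatches  = ($path -ieq $Expected[$name])   # True when it points where the advisory says
            FileExists   = $exists
            SHA256       = $hash                            # record before deletion for later lookup
        }

        if ($Remove) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -and ($_.Path -ieq $path) } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $RunKey -Name $name -ErrorAction Stop
            if ($exists) { Remove-Item -LiteralPath $path -Force -ErrorAction Stop }
        }
    }
}

# Report only; add -Remove (from an elevated prompt) to clean up what is found.
Find-BankerDbaPersistence | Format-Table -AutoSize
```

On 64-bit Windows a 32-bit Delphi binary's writes land in the redirected locations (the Wow6432Node Run key and Common Files under Program Files (x86)), so run the same check against those paths as well.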