Trojan-Spy.Win32.Banker.zq
From Total Malware Info
Trojan-Spy.Win32.Banker.zq is a banking trojan that steals the victim's online banking account information. The file is a Windows DLL compiled with Borland Delphi; it is 76,800 bytes in size and is not packed.
Installation
The malware is a component of a larger executable and cannot run on its own: the main component must load the DLL and call it. Once running, it edits the Windows hosts file so that the targeted banking web sites resolve to a site controlled by the attacker, where the information the victim enters is logged.
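The hosts-file redirection described above is easy to check for. The following is an added example (not code from the original page or from the malware analysis) that parses hosts-file content and flags any of the banking domains listed under Payload that resolve to a non-loopback address. The hosts content is a constructed sample, and the IP 203.0.113.10 is a documentation address standing in for an attacker server; the set of target domains is taken from the page's keyword list and can be extended.

```python
# Hosts-file audit for banker-style redirection (added example, not from the
# original page). Assumption: the trojan appends lines to
# %SystemRoot%\System32\drivers\etc\hosts that map targeted bank hostnames
# to an attacker-controlled IP; the hosts content below is a constructed sample.
import ipaddress

# Fully qualified names from the page's keyword list (other keywords such as
# "hsbc" or "login" are substrings, not hostnames, so they are not usable here).
TARGET_DOMAINS = {
    "cgd.pt", "bpi.pt", "mps.it", "sanpaolo.it", "bnl.it", "deutsche-bank.de",
    "citibank.de", "postbank.nl", "lo2.lacaixa.es", "wellsfargo.com", "chase.com",
    "viabcp.com", "banesto.es", "openbank.es", "cajacanarias.es",
    "caixatarragona.es", "cajavital.es", "openplan.co.uk", "1822direkt.com",
}

# Constructed sample: a stock hosts file plus three lines a trojan might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below added for the example
203.0.113.10    www.wellsfargo.com
203.0.113.10    chase.com  online.chase.com
203.0.113.10    banesto.es
127.0.0.1       update.example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping; comments ignored."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]       # one IP, one or more names per line
        for name in names:
            yield ip, name.lower(), lineno


def is_local(ip):
    """True for loopback/unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # malformed address: treat as non-local
    return addr.is_loopback or addr.is_unspecified


def matches_target(hostname):
    """True if hostname is a targeted domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in TARGET_DOMAINS)


def audit_hosts(text):
    """Return targeted bank names that are mapped to a non-local IP, in file order."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if matches_target(name) and not is_local(ip):
            findings.append({"line": lineno, "ip": ip, "host": name})
    return findings


if __name__ == "__main__":
    # On a live system read the real file instead:
    # open(r"C:\Windows\System32\drivers\etc\hosts").read()
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} (suspicious redirect)")
```

The check deliberately flags only names that resolve to a non-local address, which is the redirection this trojan performs; an entry pointing a bank name at 127.0.0.1 would block rather than redirect the site and is left to a separate check.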
Payload
The malware watches for visits to specific sites in order to steal account information. It looks for browser windows that contain any of the following keywords:
cahoot if.com smile rbsdigital bcp.pt first nation abbey natwest citi barclay allianc bank hsbc lloyd nwolb online hali npbs marbles trade rbs caja caixa cgd.pt bpi.pt banc cisf.pt mps.it sanpaolo.it bnl.it poplodi.it bipop.it bpn.it carisbo.it bcp.it bpm.it login bam.it vr-networld-ebanking.de citibank.de berliner-volksbank.de 1822direkt.com deutsche-bank.de bankingportal dresdner-privat.de .gad.de tecladovirtual.jsp postbank.nl lo2.lacaixa.es cajamadrid netiservlet activobank sabadellbancaprivada solbank bancoherrero sabadellatlantico ibercajadirecto homecem ebankinter seguro.cam.es wellsfargo.com error chase.com myspace.com bbk.es caja-ingenieros unicaja caixagalicia cgi-bin/hotmail cgi-bin/getmsg showletter?msgid ym/showFolder yahoo.com/search google.com/search msn.com/cgi-bin /ym/showfolder search.ebay ShowLetter?Idx viabcp.com banesto.es openbank.es bgnetplus gruposantander paso cajacanarias.es caixatarragona.es cajavital.es openplan.co.uk
The malware modifies the rules of several well-known firewalls so that its traffic is allowed:
- Windows Firewall
- BitDefender Firewall
- Kerio Personal Firewall
- Norton Personal Firewall
- Outpost Firewall
To get its own network connections allowed, it simulates clicks on the following buttons:
- Aceptar (Spanish: "Accept")
- Make changed component shared
- Permit
when one of the following dialog windows appears:
- Un processus cache requiert une connexion reseau (French: "A hidden process requires a network connection")
- Warning: Components Have Changed
- Hidden Process Requests Network Access
The malware sets the following registry value, which enables Internet Explorer's AutoComplete for web forms so that data typed into forms is remembered:
[HKLM\Software\Microsoft\Internet Explorer\Main] "Use FormSuggest"="Yes"
Removal instructions
- Remove the malware file.
- Delete the following registry value:
[HKLM\Software\Microsoft\Internet Explorer\Main] "Use FormSuggest"="Yes"
- Remove the entries the malware added to the Windows hosts file (see Installation) so that the banking sites resolve normally again.
- Check your firewall settings and remove the permission the malware added for the file svchost.exe.
- Use Kaspersky Anti-Virus to delete the Trojan: update your antivirus databases and perform a full scan of the computer.