Security News » Trojan-Spy.Win32.Banker.asq

08-Dec-2006, 03:36 AM   #1
Posted by Anilrgowda (Administrator)

Trojan-Spy.Win32.Banker.asq
Technical details
This Trojan will steal confidential user data when the user visits certain websites. It is a Windows PE EXE file. The file is 62,476 bytes in size. It is packed using Upack. The unpacked file is approximately 319KB in size. It is written in Borland C++.
Installation

When launched, the Trojan will copy its executable file as:
%System%\scvhost.exe
The original Trojan file will then be deleted.
In order to ensure that the Trojan is launched automatically each time Windows is restarted, the Trojan registers its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Explorer Helper" = "%System%\scvhost.exe"
Payload
The Trojan uses a Browser Helper Object to track user activity within Internet Explorer.
The Trojan logs the following user actions:
  • opening URLs
  • actions the user carries out with web form components: the user's choice of radio buttons, checkboxes, keys pressed, and component names. The Trojan sends this information to the remote malicious user's site.
  • If the user enters information in a text field whose name is one of the login-related field names on the Trojan's built-in list, the information will be sent to the remote malicious user's site.
On web sites whose addresses contain one of the strings in the Trojan's built-in table, the Trojan reads the form fields that the table names for that site and sends this information to the remote malicious user's site.


The Trojan will also send information about the operating system version and screen resolution used to the remote malicious user.
The Trojan uses the undocumented WNetEnumCachedPasswords function to harvest all passwords which have been saved on the victim machine, and sends them to the remote malicious user's site.
It also reads the following values from the registry entry
[HKCU\Software\Microsoft\Internet Account Manager\Accounts]
  • POP3 User Name
  • POP3 Server
  • POP3 Password2
and sends them to the remote malicious user.
In order to transmit harvested information, the Trojan periodically connects to http://http.acid-burn.info/loger.php and transmits the harvested information as HTTP request parameters.
Removal instructions
  1. Use Task Manager to terminate the Trojan process (it may be called scvhost.exe)
  2. Delete the following file: %System%\scvhost.exe
  3. Delete the following system registry key parameter:
     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Internet Explorer Helper" = "%System%\scvhost.exe"
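As an added example (not part of the original description), the following PowerShell script checks a host for the persistence artefacts described under Installation and, when run with the assumed -Remove switch, carries out the three removal steps above in order. It assumes an elevated PowerShell session and maps %System% to $env:SystemRoot\System32.

```powershell
# Added example, not from the original post. Checks for the Run-key value,
# dropped file and process documented for Trojan-Spy.Win32.Banker.asq.
# Assumed: elevated session; the -Remove switch name is this example's own.
param([switch]$Remove)

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Internet Explorer Helper'
$DropPath  = Join-Path $env:SystemRoot 'System32\scvhost.exe'   # %System%\scvhost.exe
$DocSize   = 62476                                               # size given in the description
$Findings  = @()

# 1. Autorun value with the documented name; report what it points to.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$ValueName]) {
    $Findings += "Run value '$ValueName' -> $($run.$ValueName)"
}

# 2. Dropped file. Note the spelling: scvhost.exe is not the legitimate svchost.exe.
if (Test-Path -LiteralPath $DropPath) {
    $len  = (Get-Item -LiteralPath $DropPath).Length
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $note = if ($len -eq $DocSize) { 'matches documented size' } else { 'size differs from description' }
    $Findings += "File present: $DropPath ($len bytes, $note, SHA256 $hash)"
}

# 3. Running process with the Trojan's file name (real svchost.exe does not match).
$procs = @(Get-Process -Name 'scvhost' -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $Findings += "Process scvhost.exe running, PID $($p.Id)" }

if ($Findings.Count -eq 0) {
    Write-Output 'No Trojan-Spy.Win32.Banker.asq artefacts found.'
    return
}
$Findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Same order as the removal instructions: process, file, registry value.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $DropPath -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    Write-Output 'Removal attempted; re-run without -Remove to verify.'
}
```

Because the value name contains spaces, it is read through the PSObject property collection rather than by dotted access with a literal.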