Trojan-Spy:W32/Banker.CPV

This malware drops the following files:

• %windir%\system32\helper.sys - normal XML file that contains online transaction information
• %windir%\system32\coman.dll - Trojan-Spy.Win32.Banker.cpv
• %windir%\system32\cookie.dat - log file
• %windir%\system32\ps.dat - log file
• %windir%\system32\alog.txt - log file
• %windir%\system32\commands.xml - normal xml file from the its download link

It also installs its component as a Browser Helper Object so that every time that Internet Explorer is running, this malware also runs.

• HKLM\Software\Helper
• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}
• HKLM\Software\Classes\CLSID\{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}
• HKLM\Software\Classes\CLSID\{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}\InprocServer32
• HKLM\Software\Classes\CLSID\{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}\ProgID
• HKLM\Software\Classes\CLSID\{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}\TypeLib

This malware steals bank-related informations as well as passwords. It also has keylogging capability. It checks the sites that the infected user is visiting and compares it to the following bank-related strings:

• akbank.com.tr
• bankofamerica
• commbank.com.au/netbank/bankmain
• erheit.sparkasse-hannover.de
• ingportal.sparkasse-minden-luebbecke.de
• gad.de
• dserver.pipex.com/nationwide/
• netteller
• rbsdigital.com
• erage.bankingonline.de
• www.yapikredi.com.tr

It can also steal information such as:

• Outlook Express Password
• Deleted Outlook Express Account password
• Outlook password
• Deleted Outlook Account password
• MSN Explorer signup password
• IE auto-complete passwords
• IE auto-complete field

Here is a sample log file:

It sends a POST command to the following site to send all the stolen information from the infected machine:

• http://raspart2007.info/[removed].php
• http://raspart2007.info/[removed].php