Threat Descriptions

Trojan-Spy:W32/Banker.GMH

Classification

Category :

Malware

Type :

Trojan-Spy

Platform :

W32

Aliases :

Trojan-Spy.Win32.Banker.gmh

Summary

This Trojan steals banking information and has the capability to update itself.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Upon execution, this malware drops the following file:

  • %windir%\sflash.dll - detected as Trojan-Spy.Win32.Banker.gmh

Note: %windir% is by default, C:\Windows.It checks to see if iexplore.exe is running. If it isn't, it will run IE in the background and will inject the dropped DLL file as a Browser Helper Object.It creates these auto-start registry keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run Shockwave Flash = Rundll32.exe sflash.dll,Init
  • HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}
  • HKLM\Software\Classes\CLSID\{32C18258-23D0-41b0-A87D-2672ABFB5366}\InprocServer32
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{32C18258-23D0-41b0-A87D-2672ABFB5366}

It downloads the following file:

  • http://69.6.202.56/.fp/[REMOVED].exe - Trojan-Spy:W32/Banker.HYN

It saves the file as %temp%\aol92.exe and executes it. Note: %temp% is normally C:\Documents and Settings\\Local Settings\Temp.This malware monitors the URLs visited by the user. If the visited URL has the following banking-related strings, it will start collecting information:

  • .ub-businessonline.
  • ach-cdc1.theonenet.com
  • amegytreasurymanagement.com
  • banking.calbanktrust.com
  • banking.commercebank.com
  • bankofinternet.com
  • business.ml.com
  • businesse-cashmanager
  • businessonline.blilk.com
  • cashproweb
  • ceowt.wellsfargo.com
  • commercetreasurydirect.com
  • commercial.wachovia.com
  • communityresourcebank.com
  • direct.bankofamerica.com
  • ebanking-services.com
  • ecash.fsbnm.com/cashman/
  • enterprise2.openbank.com
  • firstmutualonline.com
  • itreasury.amsouth.com
  • myib.firstmerchants.com
  • nationalcity.com/corporate
  • nationalcity.com/dashboard
  • onlinencr.com/online/cbandt/business
  • onlinetreasurymanager.
  • secure.republicfederal.com
  • server52.cey-ebanking.com
  • sterlingonline.banksterling.com
  • sterlingonline.banksterling.com
  • svbconnect
  • treasury.pncbank
  • wainwrightbank.com/html/business
  • wc.wachovia.com/
  • wcm71.webcashmgmt.com
  • wcma.businesscenter
  • webbankingforbusiness
  • webcashmanager.com
  • webcashmgmt.com
  • wellsoffice.wellsfargo.com
  • wires.theonenet.com
  • ws.ecorphost.net
  • www.directline4biz.com
  • www.enternetbank.com/ewb/

Stolen information will then be sent to the following link using http POST command:

  • http://203.121.69.232/OOO6/[REMOVED].php