Threat Encyclopedia


Win32/Spy.Banker.UEP

Aliases: Trojan-Banker.Win32.MultiBanker.uf (Kaspersky), W32/Banker2.MZ (F-Prot), PSW.Banker5.BDSQ (AVG)
Type of infiltration: Trojan
Size: 47616 B
Affected platforms: Microsoft Windows
Signature database version: 5208 (20100618)

Short description

Win32/Spy.Banker.UEP is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The trojan contains a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:
  • %path%\appconf32.exe
The %path% is one of the following strings:
  • %system%
  • %windir%
The trojan creates the following folders:
  • %path%\cock
  • %path%\xmldm
In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%existingstring%,%path%\appconf32.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Userinit" = "%path%\appconf32.exe"
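The Userinit technique above works because Winlogon runs every comma-separated program listed in that value, so the trojan keeps the legitimate userinit.exe (%existingstring%) and appends itself. The following is an added example of how an analyst could check a host for the persistence entries listed on this page; it is not code from the original page or from ESET. It operates on a flattened registry snapshot (a dict of "key\valuename" to data, as one might build from a .reg export) so it runs offline; the snapshots, the assumption that %system% is C:\Windows\system32, and the function names are constructed for the example.

```python
import ntpath

# Registry locations named on this page (backslashes restored).
WINLOGON_USERINIT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_CLSID = "{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}"
DROPPER = "appconf32.exe"
# Assumption for this example: %system% resolves to C:\Windows\system32 on the host.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit value into its program entries.

    Winlogon launches every comma-separated entry at logon. A trailing comma
    is normal on a clean system and entries may be quoted, so both are handled.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def same_path(a: str, b: str) -> bool:
    """Windows paths are case-insensitive; normalise before comparing."""
    return ntpath.normcase(a) == ntpath.normcase(b)


def scan_registry(snapshot: dict) -> list[str]:
    """Check a flattened snapshot ({'key\\valuename': data}) for the
    persistence entries this trojan sets. Returns human-readable findings."""
    findings = []
    # 1. Anything appended to Userinit besides the real userinit.exe.
    for entry in parse_userinit(snapshot.get(WINLOGON_USERINIT, "")):
        if not same_path(entry, EXPECTED_USERINIT):
            findings.append(f"extra Userinit entry: {entry}")
    # 2. An HKCU Run value that launches the dropper by file name.
    for full, data in snapshot.items():
        key, _, name = full.rpartition("\\")
        if same_path(key, HKCU_RUN) and ntpath.basename(str(data)).lower() == DROPPER:
            findings.append(f"HKCU Run value '{name}' launches {data}")
    # 3. The fake "Adobe PDF Reader Link Helper" BHO registered under its CLSID.
    if any(BHO_CLSID.lower() in full.lower() for full in snapshot):
        findings.append(f"BHO CLSID {BHO_CLSID} is registered")
    return findings


# Constructed snapshots of a clean and an infected host (not real exports).
CLEAN = {WINLOGON_USERINIT: r"C:\Windows\system32\userinit.exe,"}
INFECTED = {
    WINLOGON_USERINIT: r"C:\Windows\system32\userinit.exe,C:\Windows\system32\appconf32.exe",
    HKCU_RUN + r"\Userinit": r"C:\Windows\system32\appconf32.exe",
    r"HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\NoExplorer": 1,
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, scan_registry(snap))
```

The Userinit check deliberately flags any entry other than the expected one rather than looking only for appconf32.exe, since a renamed dropper would otherwise pass; the dropper-name and CLSID checks are the page-specific indicators layered on top.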
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "vendor" = "Old"
    "prd" = "http://yozqnewnacion.com"
    "w8" = %variable%
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\prh]
    "prh" = "http://yozqnewnacion.com"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\tst]
    "tst" = "http://yozqnewnacion.com"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "NoProtectedModeBanner" = 1
  • [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}]
    "(Default)" = "Adobe PDF Reader Link Helper"
    "NoExplorer" = 1
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho]
    "(Default)" = "Adobe PDF Reader Link Helper"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho.1]
    "(Default)" = "Adobe PDF Reader Link Helper"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho\CLSID]
    "(Default)" = "{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho.1\CLSID]
    "(Default)" = "{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}"
  • [HKEY_CLASSES_ROOT\linkrdr.AIEbho\CurVer]
    "(Default)" = "linkrdr.AIEbho.1"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}]
    "(Default)" = "Adobe PDF Reader Link Helper"
    "AppID" = "{30FCF052-3649-4543-B924-BA7AB9FACC8A}"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\InprocServer32]
    "(Default)" = %path%
    "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\ProgID]
    "(Default)" = "linkrdr.AIEbho.1"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\Programmable]
    "(Default)" = 2
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\TypeLib]
    "(Default)" = "{D662238E-9BC3-4197-A686-116E687962E8}"
  • [HKEY_CLASSES_ROOT\CLSID\{F22C37FD-2BCB-40b6-A12E-77DDA1FBDD88}\VersionIndependentProgID]
    "(Default)" = "linkrdr.AIEbho"
The trojan creates and runs a new thread with its own program code in all running processes except the following:
  • system
  • smss.exe
  • srss.exe
  • lsass.exe
  • csrss.exe
  • services.exe
  • winlogon.exe

Other information

The trojan searches for the following cookie files:
  • *@abmr[*
  • *@us[*
  • *2o7*
  • *53[*
  • *action.mathtag*
  • *adbrite*
  • *advanta*
  • *advertising*
  • *aib[*
  • *amagerbanken*
  • *andelskassen*
  • *apmebf*
  • *associatedbank*
  • *atdmt*
  • *bancopopular*
  • *banken*
  • *bankofamerica*
  • *bankofoklahoma*
  • *basisbank*
  • *bbandt*
  • *bbt[*
  • *bbvabancomerusa*
  • *beyond*
  • *bmo[*
  • *bnpparibas*
  • *bridgetrack*
  • *burstnet*
  • *capitalone*
  • *careerbuilder*
  • *careercast*
  • *casalemedia*
  • *chase*
  • *citi.*
  • *citibank*
  • *cnb[*
  • *colonialbank*
  • *comerica*
  • *commercebank*
  • *coremetrics*
  • *danskebank*
  • *db[*
  • *diba[*
  • *dice[*
  • *discovercard*
  • *djs*
  • *djs-netbank*
  • *doubleclick*
  • *ebh-bank*
  • *e-finance*
  • *eloqua*
  • *etrade*
  • *fih[*
  • *fioniabank*
  • *firstbankpr*
  • *firstcitizens*
  • *firsthorizon*
  • *forbank*
  • *froes*
  • *fsb.netminers*
  • *handelsbanken*
  • *HB[*
  • *himmerland*
  • *hitbox*
  • *homebanking*
  • *hsbc*
  • *huntington*
  • *hvidbjergbank*
  • *ic-live*
  • *infotechalliance*
  • *ingdirect*
  • *instadia*
  • *interclick*
  • *jobing*
  • *juniper*
  • *key*
  • *langspar*
  • *lillespar*
  • *liveperson*
  • *lokalbanken*
  • *lokalsparekassen*
  • *lollandsbank*
  • *lpk[*
  • *lsb[*
  • *maxbank*
  • *mibank*
  • *middelfartsparekasse*
  • *midspar*
  • *midtfjord*
  • *moensbank*
  • *monster[*
  • *morsbank*
  • *morsoesparekasse*
  • *mufg*
  • *mynycb*
  • *mystreetscape*
  • *nationalcity*
  • *nationalcitycardservicesonline*
  • *nationalirishbank*
  • *navyfcu*
  • *netminers*
  • *net-temps*
  • *northernbank.co*
  • *northerntrust*
  • *nykredit*
  • *pensam*
  • *peoples*
  • *pnc[*
  • *portal*
  • *prod.bec*
  • *quantserve*
  • *rbcbankusa*
  • *rbs[*
  • *regions*
  • *revsci*
  • *riba[*
  • *ringkjoebing-bank*
  • *roiservice*
  • *roskildebank*
  • *ru4*
  • *sallingbank*
  • *sbbank*
  • *schwab*
  • *scorecardresearch*
  • *searchmarketing*
  • *servlet*
  • *sharethis*
  • *sparbank*
  • *sparekassen*
  • *sparekassenfaaborg*
  • *sparekassenthy*
  • *sparfar*
  • *sparhobro*
  • *sparhvetbo*
  • *sparkron*
  • *sparlolland*
  • *sparnebel*
  • *sparnord*
  • *sparoj*
  • *sparostjyl*
  • *sparsalling*
  • *sparskals*
  • *sparthy*
  • *specificclick*
  • *statistik-gallup*
  • *suntrust*
  • *synovus*
  • *totalbanken*
  • *track.adform*
  • *tribalfusion*
  • *usbank*
  • *vestjyskbank*
  • *vinderupbank*
  • *vorbank*
  • *wachovia*
  • *wamu*
  • *washingtonpost*
  • *websteronline*
  • *webtrendslive*
  • *wellsfargo*
  • *www.al-bank*
  • *xiti[*
  • *yahoo*
  • *yieldmanager*
  • *zedo*
  • *zionsbank*
Only the following folders are searched:
  • %cookies%
  • %appdata%\Mozilla\Firefox\Profiles
The trojan obtains the name of the source folder from the following Registry record:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cookies" = "%cookies%"
The trojan may create copies of the following files (source, destination):
  • %cookies%\*.*, %path%\cock\*.*
  • %cookies%\*.*, %path%\xmldm\netbanke_%date%_%time%_*.*
  • %appdata%\Mozilla\Firefox\Profiles\*.*, %path%\cock\*.*
  • %appdata%\Mozilla\Firefox\Profiles\*.*, %path%\xmldm\netbanke_%date%_%time%_*.*
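The cookie patterns above are file-name wildcards of the FindFirstFile kind: only "*" is a wildcard, "[" is literal (Internet Explorer stores cookies as files named like user@domain[1].txt), and matching is case-insensitive because Windows file names are. The following is an added example, not code from the original page or from ESET, that applies a subset of those patterns to constructed cookie file names to show which files the trojan would stage for exfiltration. The file names, the pattern subset and the date/time format used for the netbanke_ staging name are constructed assumptions; the page only gives the placeholders %date% and %time%.

```python
import re
from datetime import datetime

# Constructed subset of the cookie-name patterns listed on the page.
COOKIE_PATTERNS = [
    "*@abmr[*", "*@us[*", "*2o7*", "*53[*", "*bankofamerica*", "*chase*",
    "*citi.*", "*HB[*", "*hsbc*", "*key*", "*wellsfargo*", "*danskebank*",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a FindFirstFile-style pattern into an anchored regex.

    Only '*' is a wildcard. Every other character, including '[' and '.',
    is escaped so it matches literally, and IGNORECASE reproduces the
    case-insensitive matching of Windows file names ('*HB[*' also hits 'hb[').
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in COOKIE_PATTERNS]


def matching_patterns(filename: str) -> list[str]:
    """All patterns that match one cookie file name (usually zero or one)."""
    return [p for p, rx in COMPILED if rx.match(filename)]


def select_cookie_files(filenames) -> dict:
    """Return {filename: [patterns]} for the files the trojan would copy."""
    hits = {}
    for name in filenames:
        matched = matching_patterns(name)
        if matched:
            hits[name] = matched
    return hits


def staged_name(filename: str, when: datetime) -> str:
    """Destination name under %path%\\xmldm\\: netbanke_%date%_%time%_<original>.

    The YYYYMMDD / HHMMSS layout is an assumption for this example.
    """
    return f"netbanke_{when:%Y%m%d}_{when:%H%M%S}_{filename}"


# Constructed IE-style cookie file names as found under %cookies% (not real data).
SAMPLE_COOKIES = [
    "alice@bankofamerica[1].txt",
    "alice@us[1].txt",
    "alice@example[1].txt",
    "alice@HSBC[2].txt",
    "alice@turkey-recipes[1].txt",
]

if __name__ == "__main__":
    now = datetime(2010, 6, 18, 13, 5, 7)
    for name, patterns in select_cookie_files(SAMPLE_COOKIES).items():
        print(f"{name} -> {staged_name(name, now)}  (matched {patterns})")
```

Note how the unrelated turkey-recipes cookie is caught by "*key*": several of the listed patterns ("*key*", "*portal*", "*servlet*", "*beyond*", "*peoples*") are broad enough to sweep up cookies for sites that are not banks at all, which matters when estimating what an infected user's exfiltrated data may contain.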
The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of one URL. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • update itself to a newer version
  • remove itself from the infected computer
  • steal information from the Windows clipboard
  • capture screenshots
  • log keystrokes
The trojan collects the following information:
  • cookies
  • passwords
  • Internet Explorer version
  • Mozilla Firefox version
  • Mozilla Firefox account information
The trojan can send the information to a remote machine.

The trojan quits immediately if it detects a running process containing one of the following strings in its name:
  • mcvsshld.exe
The trojan may delete the following files:
  • %path%\cock\*.*
The trojan alters the behavior of the following processes:
  • bdagent.exe
  • avgtray.exe
  • npfuser.exe
  • AVKTray.exe