Trojan-Spy.Win32.Banker.asq
Once launched, the Trojan copies its executable file as:
%System%\scvhost.exe
The original Trojan file is then deleted.
The Trojan creates the following registry entry, which ensures that it is launched automatically on every system start:
"Internet Explorer Helper" = "%System%\scvhost.exe"
The Trojan uses a Browser Helper Object to monitor the user's activity in Internet Explorer.
The Trojan records the following user actions:
- opening URLs
- the actions the user performs while filling in forms on web pages: it tracks which radio buttons and check boxes the user selects, which keys are pressed and the names of the form components; the Trojan sends this information to the remote malicious user's site
- if the user enters information into a text field with one of the following names, it is sent to the remote malicious user's site:
answer cajamadrid ccpin citibank clave ClaveAcceso_s cliente codigo D1 D33 Documento_s firma firma Firma1 identifica key logonID memorable NumeroCliente_s NumeroUsuario_s parol pass passphrase passwd passwd passwd2 password Password password pasw pin pin2 pwd pwd2 secret secur secure segur servicio tan tan2 TipoId_s userid username
On web pages whose addresses contain the strings below (left column), the Trojan obtains information from the fields below (right column) and sends it to the remote malicious user's site.
Address contains | Field name |
--- | --- |
bbvanet | Usertext Password pw2 username2 nombre tripleta |
Bancopopular | Bancopopular PAN_IN contras_IN UserName Password ATHPIN Pin |
Bancaja | Pan Pin |
Caixapenedes | efUsuario efPassword |
Caixasabadell | Usuario pin |
santandercentralhispano | Usuario Indicador empresa_grupo empresa_usuario clave empresa_clave |
caixatarragona | Usuari HB_PSW_FINAL_CONEX2 |
ruralvia | USUARIO PASS FIRMA |
cajasur | PAN PIN1 |
ibercajadirecto | Codidentific PIN Clavefirma |
ebankinter | Username Password txtMascara |
banesto | Opnumerocod Oppasswd Opusuario |
caixaebanking | EMPRESA CONTRATO COD_ACESSO |
hsbc.com.au | PBN password |
lloydstsb.co.uk | UserId1 Password ResponseKey0 ResponseKey1 ResponseKey2 ResponseValue0 ResponseValue1 ResponseValue2 |
.e-gold.com | AccountID PassPhrase |
.banking.uboc.com | UserID pinNumber |
.etrade.com | USER PASSWORD |
.bnyonline.com | USERID PASSWORD |
.tdcommercialbanking.com | lang ConnectID connectIdDescription password |
.bankcolonial.com | Username Password |
.harrisbank.com | Username Password |
.wamu.com | txtUserID pwdPassword |
.firsthorizon.com | DetectDemoMode.UserName DetectDemoMode.Password |
.firstmeritib.com | ctlLogin1:txtUsername ctlLogin1:txtPassword |
.flagstarbanking2.com | userNumber password |
.frostbank.com | userName password |
.hibernia.com | User Pin |
.hcsbonline.com | userNumber password |
.huntington.com | USER PIN |
.mandtbank.com | txtUserID txtPasscode |
.mbna | username password |
.secure-banking.com | v1 v2 v3 |
.ibanking-services.com | userid password |
.midamericabank.com | username password |
.nationalcity.com | UserName Password |
.navyfcu.org | comboLogonNumber userid passwrd |
.ncsecu.org | Header1:SignOn1:txtUserID Header1:SignOn1:txtPassword userid password |
.mynfbonline.com | tbCustomer_ID tbPassword |
.ohiosavings.com | UserID Password |
.oldnational.com | user PIN |
.peoples.com | profilename profilepassword |
.rbccentura.com | K1 Q1 |
.regionsbank.com | j_username j_password |
.statefarm.com | userID password |
.tcfbank.com | j_username j_password |
.tdbanknorth.com | textfield textfield2 |
.thirdfederalonline.com | userNumber password |
.openbank.com | j_username j_password companyID |
.vbankworks.com | UserName Password |
.websterbank.com | username password |
.whitneybank.com | accessCode pinx |
.wilmingtontrust.com | userid password |
.worldsavings.com | UserName Password |
.zionsbank.com | j_username j_password |
tarjeta | pin Coordenada |
.commbank.com.au | USER_LOGON_NAME PASSWORD |
.dab-bank.com | authentificationnumberLogin pinLogin |
.ebank.hsbc.com.hk | LogonID Pin PIN |
.barclays.co.uk | membershipNo passCode surname firstMDC secondMDC |
.national.com.au | userid password |
nbd.ae | loginName password pin |
.allianz.de | userId password |
.smile.co.uk | sortCode accountNumber visaCardNumber passNumber |
.westpac.com.au | username pwd |
.abbeynational.co.uk | ID PASSCODE ERN inputuserid inputmemorableAddress sec_id |
.cajamar.es | NUME PASSWORD |
.cbdonline.ae | txtUserCode txtPassword |
.ccm.es | CLIENTE PIN |
.co-operativebank.co.uk | sortCode accountNumber visaCardNumber passNumber |
.samba.com | username password |
.unb.com | CustID Password |
.unicaja.es | user pwd oper |
.hangseng.com | lang_version u_LogonID DOSI Pin |
.bankone.com | bolAccessId bolPassword |
.bankofamerica.com | id pc |
.chase.com | usr_name_input usr_password_input |
.rfh.org.uk | txtLogin txtPassword |
.wachovia.com | userid password |
.aibgbonline.co.uk | RegNo PAC1 PAC2 |
.rbttnetbank.com | Login Password WhichBrowser ValidationReq |
.bfc-ag.com | identifiant motpasse |
.firstcaribbeanbank.com | fldLoginUserId fldPassword fldLangId |
.ncbelink.com | CorporateSignonCorpId CorporateSignonPassword |
.sknanb.net | txtName txtPassword |
.ccb.ai | Username Password |
.fcb-e-bank.com | user passwd |
.privatebankslu.com | df_username df_password |
.bankofcyprus.com | CustomerID PIN resolution browser |
.bankofcyprus.co.uk | id password |
.hellenicnetbanking.com | Subscriber password |
.griffonbank.com | Login Password |
.angloconnect.co.im | txtClientNo txtPIN1 txtPIN2 txtPIN3 txtPIN4 txtPIN5 txtPIN6 txtCodeWord username password |
.closepb.com | AuthLogonUser AuthLogonPWD |
.royalbank.com | K1 Q1 SIP_PVQ_ANS |
.1stdigibank.com | Login Password |
.raiffeisen.at | PIN LOGINBKLZ2 |
.slsp.sk | user_id pwd autc ac |
.netbanking.at | user_id password |
.banking.co.at | verfueger verfuegerName pin |
.sparkasse-dueren.de | KONTONUMMER |
.nrsbank.dk | userid password |
.cajalaboral.com | usuario password |
.banquepopulaire.fr | abonne passwd userid password |
.finaref.fr | n_compte code |
.bnpparibas.net | ch1 ch2 |
.dahsing.com | AID operatore PWD |
.bancalombarda.it | userid password |
.postbank.nl | strUserID strPassword |
.mbank.com.pl | txtCustNbr txtPassword |
.multibank.pl | txtCust txtPassword |
proxy-socks.net | login pass |
.deltabank.ru | login pswd |
.sebank.se | A1 A2 |
.hsbc.ca | loginID password |
.householdbank.com | userid password |
.merrickbank.com | SimpleLogin:UserName SimpleLogin:Password |
.crosscountrybanking.com | user pass |
.easybank.at | tn pin |
.credicard.com.br | numero senha |
.americanexpress.com | UserID Password |
.cim-italia.it | userAdmin pwdUser userUtente userlevis pwdUtente |
.bancagenerali.it | userBean.userid userBean.password |
.myvirtualcard.com | username password |
.unicreditbanca.it | username autentication |
.webank.it | username password |
.bancaroma.it | S_userid S__password |
.japannetbank.co.jp | TenNo KozaNo Pw |
.alliance-leicester.co.uk | txtCustomerID txtPassnumber |
.aibgbonline.co.uk | pacPosition1 pacPosition2 RegNo PAC1 PAC2 txtExtraSec |
.iblogin.com | UserId Password agreementId1 agreementId2 agreementId3 agreementId4 |
.bankofscotlandhalifax-online.co.uk | Username password answer |
.berliner-volksbank.de | snrMServiceDirekt_Nummer pinMPIN |
.commerzbanking.de | PltLogin_8_Anmeldename PltLogin_8_Pin |
.deutsche-bank.de | Branch AccountNumber SubAccount PIN |
.dresdner-privat.de | identifier |
.hsh-nordbank.de | userName passwort |
.norisbank.de | kontonummer pin |
.postbank.de | accountNumber pinNumber |
.seb.de | userid pin tan |
.bics.fr | txt_pseudo txt_motDePasse |
.caixabank.fr | ID PIN |
.creditmutuel.fr | _cm_user _cm_pwd |
.bybank.it | username password |
.sella.it | UserId Password |
.anz.com | USERIDF PINF |
.asbbank.co.nz | usercode password |
.nbnz.co.nz | userid password |
.teacherscreditunion.com.au | iName iPassword |
.westpac.co.nz | customerId passwd |
.bmo.com | FBC_Number FBC_Password |
.telebank.ru | unc pass key |
money.yandex.ru | login passwd |
.paymer.com | frmLogin:txtLogin frmLogin:txtPwd nav:_ctl0:pCheck:txtOrderNumber nav:_ctl0:pCheck:txtOrderCode |
.rapida.ru | tp_pser_numb tp_pcard_numb tp_pcardskey_val |
rupay.com | user_email user_pass |
.chronopay.com | username password |
fethard.biz | login pwd |
.stormpay.com | Email Password |
.telepat.ru | CodeCountry PhoneNumber PinCode |
yahoo.com | login passwd |
google.com | Email Passwd |
login.passport.net | login passwd |
.unibo.it | username password |
.unife.it | loginname password |
.mail.ru | Login Domain Password |
.hotmail.ru | login client passwd |
yandex.ru | login passwd |
The Trojan also sends the operating system version and the screen resolution to the remote malicious user.
The Trojan uses the undocumented WNetEnumCachedPasswords function to harvest all passwords saved on the victim's computer and sends them to the remote malicious user's site.
To deliver the collected information, the Trojan periodically connects to http://http.acid-burn.info/loger.php and transmits the data as HTTP request parameters.
To remove the malware from an infected system, perform the following steps:
- Use Task Manager to terminate the Trojan's process
- Delete the following file:
%System%\scvhost.exe
- Delete the following registry key value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Internet Explorer Helper="%System%\scvhost.exe"
- Update the threat signatures and run a full scan of the computer (the free trial version of Kaspersky Anti-Virus can be used for this)
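The removal steps above can be checked for on a host before acting on them. The following PowerShell script is an added example, not part of the original description: it looks for the three artefacts this entry names (the dropped file in %System%, the Run-key value and a running process from that file) and only reports them; the removal commands are left commented out.

```powershell
# Added example (not from the original description): read-only check for the
# persistence artefacts listed above. Run in an elevated PowerShell session.
$sysDir    = [Environment]::GetFolderPath('System')   # expands %System%
$dropped   = Join-Path $sysDir 'scvhost.exe'           # "scvhost", a lookalike of the legitimate svchost.exe
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Internet Explorer Helper'

$findings = @()

# 1. Dropped executable in %System%
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Run-key value used for autostart on every system start
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
}

# 3. A process whose image name matches the dropped file
Get-Process -Name 'scvhost' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running process PID $($_.Id): $($_.Path)"
}

if ($findings.Count -eq 0) {
    'No Trojan-Spy.Win32.Banker.asq artefacts found.'
} else {
    $findings
    # Manual removal in the order the description gives (uncomment to act):
    # Stop-Process -Name 'scvhost' -Force
    # Remove-Item -LiteralPath $dropped -Force
    # Remove-ItemProperty -Path $runKey -Name $valueName
}
```

A full scan with updated signatures, as the last step requires, should still follow, since the script only covers the artefacts this entry lists.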