
TrojanSpy:Win32/Banker.VCE


First posted on 15 September 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Banker.VCE is also known as Trojan-Downloader.Win32.Banload.bwhi (Kaspersky), W32/Banload.BYYL (Norman), Trojan.DL.Banload!aizSDyVb75A (VirusBuster), Trojan horse Downloader.Banload.BZIU (AVG), Win32/Spy.Banker.YCM trojan (ESET), PWS-Banker!h2e (McAfee), Infostealer.Bancos (Symantec).

Explanation:



TrojanSpy:Win32/Banker.VCE is a malicious trojan component installed by other malware. Win32/Banker is a family of data-stealing trojans. When Win32/Banker is installed on a computer, it can capture banking credentials such as account numbers and passwords from the user. It can then send the captured information to the attacker by various means.



Installation

TrojanSpy:Win32/Banker.VCE may have the file name "modcda.cpl" or "syscda.cpl". It creates one of the following registry entries so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "JavaUpdateIsa"
With data: "modcda.cpl"

or

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Systema"
With data: "syscda.cpl"

It checks if the following folder exists:

C:\programsystem\

If it does, it runs the system processes "explorer.exe" and "iexplore.exe".
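The host-side indicators above (the two Run-key values, the two .cpl file names and the folder the trojan checks for) can be turned into a read-only hunt. The following PowerShell is an added example, not code from the original write-up or from Microsoft; it assumes it is run as the affected user on the host under review, and the candidate drop directories are an assumption, since the page does not say where the .cpl files are written.

```powershell
# Added example (not from the original write-up): a read-only hunt for the
# persistence and file-system indicators listed above. Assumes it is run as the
# affected user on the host under review; the Run-key value names, file names
# and folder path are taken from the page, the candidate drop directories are
# an assumption because the page does not say where the .cpl files are written.
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$IocValues = @('JavaUpdateIsa', 'Systema')
$IocFiles  = @('modcda.cpl', 'syscda.cpl')
$IocFolder = 'C:\programsystem\'
$DropDirs  = @($env:SystemRoot, "$env:SystemRoot\System32", $env:TEMP, $env:APPDATA)

function Get-BankerVceIndicators {
    $findings = @()

    # 1. Run-key values: flag a match on the value name or on the value data.
    if (Test-Path $RunKey) {
        $props = Get-ItemProperty -Path $RunKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # provider metadata (PSPath etc.)
            $data    = [string]$p.Value
            $nameHit = $IocValues -contains $p.Name
            $dataHit = @($IocFiles | Where-Object { $data -match [regex]::Escape($_) }).Count -gt 0
            # A Run value that launches a bare .cpl file is unusual on its own,
            # so it is reported as a weaker, separate finding.
            $cplHit  = $data -match '\.cpl(\s|"|$)'
            if ($nameHit -or $dataHit) {
                $findings += [pscustomobject]@{ Type = 'RunValue';    Item = $p.Name; Detail = $data }
            } elseif ($cplHit) {
                $findings += [pscustomobject]@{ Type = 'RunValueCpl'; Item = $p.Name; Detail = $data }
            }
        }
    }

    # 2. The folder whose presence the trojan checks for.
    if (Test-Path -LiteralPath $IocFolder) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Item = $IocFolder; Detail = '' }
    }

    # 3. The named .cpl files in likely drop directories, hashed for triage.
    foreach ($dir in $DropDirs) {
        foreach ($f in $IocFiles) {
            $candidate = Join-Path $dir $f
            if (Test-Path -LiteralPath $candidate) {
                $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
                $findings += [pscustomobject]@{ Type = 'File'; Item = $candidate; Detail = $hash }
            }
        }
    }
    return $findings
}

$result = @(Get-BankerVceIndicators)
if ($result.Count -eq 0) {
    'No TrojanSpy:Win32/Banker.VCE indicators found for the current user.'
} else {
    $result | Format-Table -AutoSize
}
```

HKCU is the hive of the user running the script, so on a multi-user machine each profile's hive must be loaded under HKEY_USERS and the same checks repeated there; the script only reads and hashes, it does not delete anything, so a hit should be preserved for analysis before cleanup.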



Payload

Connects to remote servers

TrojanSpy:Win32/Banker.VCE may connect to the following servers to report its presence, download other malware, and get instructions to perform other actions on your computer:

  • parceria.in
  • pega001.thaieasydns.com
  • parceria1.in
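On the network side, the three server names above are the indicators to search proxy or DNS logs for. The following PowerShell is an added example, not code from the original write-up or from Microsoft: the domain list is taken from the page, while the log format (timestamp, client IP, destination host) and the sample lines are constructed for the example.

```powershell
# Added example (not from the original write-up): flag proxy/DNS log lines whose
# destination is one of the servers named above. The domain list comes from the
# page; the log format (timestamp, client IP, destination host) and the sample
# lines are constructed for this example.
$C2Domains = @('parceria.in', 'pega001.thaieasydns.com', 'parceria1.in')

# Constructed sample log lines, one request per line.
$SampleLog = @'
2012-09-15T10:01:02Z 10.0.0.12 www.example.com
2012-09-15T10:01:09Z 10.0.0.12 parceria.in
2012-09-15T10:02:30Z 10.0.0.41 pega001.thaieasydns.com
2012-09-15T10:03:11Z 10.0.0.12 cdn.parceria1.in
2012-09-15T10:04:45Z 10.0.0.77 notparceria.in
'@ -split "`r?`n"

function Find-C2Contacts {
    param([string[]]$Lines, [string[]]$Domains = $C2Domains)
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        # Normalise the destination: lower-case, strip a trailing dot from DNS logs.
        $dest = $fields[2].ToLowerInvariant().TrimEnd('.')
        foreach ($d in $Domains) {
            # Exact match or a true subdomain only; "notparceria.in" must not match "parceria.in".
            if ($dest -eq $d -or $dest.EndsWith(".$d")) {
                [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Destination = $dest; Indicator = $d }
            }
        }
    }
}

$hits = @(Find-C2Contacts -Lines $SampleLog)
$hits | Format-Table -AutoSize
"$($hits.Count) matching line(s); clients to triage: $(($hits.Client | Sort-Object -Unique) -join ', ')"
```

The suffix test is deliberately anchored on a leading dot so that unrelated domains that merely end in the same string are not reported; to run it against real data, replace `$SampleLog` with `Get-Content` of the exported log and adjust the field index to the log's own column layout.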


Steal sensitive information

TrojanSpy:Win32/Banker.VCE may steal sensitive information, such as user names, passwords, and browser session IDs, and report them to a remote attacker. It does this by monitoring web traffic from sites containing the following strings in their URLs:

  • facebook
  • gmail
  • google
  • hotmail
  • orkut
  • twitter
  • webmail


It may also steal information from the following websites:

  • book.tam.com.br
  • central.hostmidia.com.br
  • compre2.voegol.com.br
  • divulgafacil.terra.com.br
  • hotmail.com
  • kmdevantagens.com.br
  • locaweb.com.br
  • login.live.com
  • metaweb.com.br
  • negocios.ig.com.br
  • painel.hostnet.com.br
  • painel.kinghost.net
  • painel.mobimail
  • painel.redehost.com.br
  • portal.multiplusfidelidade.com.br
  • tam.com
  • terraempresas.com.br
  • uolhost.com.br


Acts as a proxy

TrojanSpy:Win32/Banker.VCE may cause your computer to act as a proxy server, relaying network traffic to and from other computers of its own choosing.



Analysis by Patrik Vicol

Last update 15 September 2012
