Home / malware TrojanSpy:Win32/Banker.PW
First posted on 18 May 2010.
Source: SecurityHomeAliases :
TrojanSpy:Win32/Banker.PW is also known as Win-Troja/Genome.116224.G (AhnLab), TR/ATRAPS.Gen (Avira), Trojan.Touch.275 (Dr.Web), Trojan-Downloader.Win32.Genome.akfz (Kaspersky), Downloader-ACH (McAfee), DLoader.AHJIE (Norman), PE_DLOADER.AABC (Trend Micro).
Explanation :
TrojanSpy:Win32/Banker.PW is a trojan that attempts to download other Win32/Banker trojan variants. Win32/Banker is a trojan that captures logon credentials for user accounts of certain online banking Web sites.
Top
TrojanSpy:Win32/Banker.PW is a trojan that attempts to download other Win32/Banker trojan variants. Win32/Banker is a trojan that captures logon credentials for user accounts of certain online banking Web sites. InstallationTrojanSpy:Win32/Banker.PW may be downloaded and run by other malware. One observed source for this trojan was a server with an IP address 64.62.181.43. Payload Downloads arbitrary filesWhen run, TrojanSpy:Win32/Banker.PW displays a message with the following text in Portuguese: Erro ao abrir arquivo ou pasta Não é possÃvel abrir arquivo. O arquivo ou pasta está corrompido e ilegÃvel. The above message suggests that it is not possible to open the file due to corruption or the file being unreadable. The trojan then attempts to download files from the domain "poderosa10.gratix.com" as the following: C:\Arquivos de programas\DirectX.exe C:\Arquivos de programas\reseta.exe At the time of this writing, the files were not available for analysis.
Analysis by Patrik VicolLast update 18 May 2010
