
TrojanProxy:BAT/Banker.G


First posted on 23 February 2013.
Source: Microsoft

Aliases:

TrojanProxy:BAT/Banker.G is also known as BAT/ProxyChanger.dropper (AVG), Generic.Banker.OT.DE145A13 (BitDefender), Trojan.PWS.Siggen.54691 (Dr.Web), BAT/Spy.Banker.AN trojan (ESET), Virus.BAT.Agent (Ikarus).

Explanation:



Installation

TrojanProxy:BAT/Banker.G may be distributed by a self-extracting file with a name similar to any of the following:

  • FlashPlayerAdobe.exe
  • FlashPlayerUpgrade.exe
  • install_flashplayer11x32ax_aih_win.exe
  • wl-setup.exe


When the archive is extracted, it drops a batch (BAT) file that may have a name similar to any of the following:

  • %Temp%\ok2.bat
  • %Temp%\pronto.bat
  • %Temp%\so.bat
  • %Temp%\source.cmd


Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".



Payload

Redirects traffic through a predefined server

If you visit a website whose URL contains any of the following strings, TrojanProxy:BAT/Banker.G redirects your session through a proxy server under the attacker's control. Two known proxy servers are "www.huhu2013.com.br" and "www.voavoa2013.com.br":

  • american
  • bancodobrasil
  • banese
  • banespa
  • banrisul
  • bb
  • bnb
  • br
  • bradesco
  • caixa
  • cef
  • cetelem
  • citibank
  • com
  • hotmail
  • hsbc
  • infoseg
  • intouch
  • itau
  • linhadefensiva
  • pagseguro
  • paypal
  • real
  • safra
  • santander
  • santanderempresarial
  • securessl
  • serasa
  • sicredi
  • tam.com


TrojanProxy:BAT/Banker.G changes your Internet Explorer proxy server setting by changing the following registry entry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigUrl"
With data: "<malware-defined website>"

It also makes the following changes, if you have Firefox installed:

Changes your Firefox proxy server by adding the following line to the file "prefs.js" (the closing quote, parenthesis and semicolon were missing from the original listing; the preference value is a quoted string):
user_pref("network.proxy.autoconfig_url", "<malware-defined website>");

Changes browser settings

TrojanProxy:BAT/Banker.G makes the following changes, if you have Internet Explorer installed:

Turns off warnings in Internet Explorer for certificates issued by non-trusted authorities:
In subkey: HKU\<user ID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonBadCertRecving"
With data: "0"

It also disables warnings for content within your Intranet connection by setting the following registry value:
In subkey: HKU\<user ID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnOnIntranet"
With data: "0"

TrojanProxy:BAT/Banker.G adds websites under the ".com.br" domain whose URLs match any of the following patterns to the Trusted Sites zone in Internet Explorer:

  • *.bb
  • *.itau
  • *.hsbc
  • *.bradesco
  • *.santander
  • *.santanderempresarial


Changes Java settings

TrojanProxy:BAT/Banker.G grants all permissions to all applications running under Java by adding the following entry to the "java.policy" security configuration file (an unscoped grant, with no codeBase or signedBy restriction, applies to every code source):
grant { permission java.security.AllPermission;};
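As an added illustration for defenders, not part of the original Microsoft writeup and not the malware's own code, the following Python script checks the three kinds of configuration artifacts described above (the Internet Explorer registry values, the Firefox "prefs.js" proxy preference and an unscoped AllPermission grant in "java.policy") and reports any that match. The inputs are constructed samples with placeholder values: the exported registry text follows the standard ".reg" file layout, and the host name "example.invalid" and the user SID are made up for the example. On a real host you would export the "Internet Settings" keys with reg.exe and point the script at the real prefs.js and java.policy files.

```python
import re

# Constructed sample inputs (placeholder values, not indicators from the page).
# A .reg export of the two Internet Settings keys the page names:
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="http://example.invalid/proxy.pac"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000
"WarnOnIntranet"=dword:00000000
"""

# A Firefox prefs.js fragment with the proxy auto-config preference set:
SAMPLE_PREFS_JS = """user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.autoconfig_url", "http://example.invalid/proxy.pac");
user_pref("network.proxy.type", 2);
"""

# A java.policy with one legitimate, scoped grant and one unscoped grant:
SAMPLE_JAVA_POLICY = """grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};
grant { permission java.security.AllPermission;};
"""

INTERNET_SETTINGS_SUFFIX = r"\software\microsoft\windows\currentversion\internet settings"
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.*?)\);\s*$')
GRANT_RE = re.compile(r'grant\s*(?P<scope>[^{]*)\{(?P<body>[^}]*)\}', re.S)


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = REG_VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys


def check_registry(text):
    """Flag a set AutoConfigURL and zeroed certificate/intranet warnings
    under any Internet Settings key (HKLM or a per-user HKU hive)."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(INTERNET_SETTINGS_SUFFIX):
            continue
        for name, data in values.items():
            lname = name.lower()  # registry value names are case-insensitive
            if lname == "autoconfigurl" and data not in ('""', ""):
                findings.append(f"{key}: AutoConfigURL set to {data}")
            if lname in ("warnonbadcertrecving", "warnonintranet") and data.lower() == "dword:00000000":
                findings.append(f"{key}: {name} disabled (0)")
    return findings


def check_prefs_js(text):
    """Flag a proxy auto-config URL in Firefox's prefs.js."""
    findings = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group("name") == "network.proxy.autoconfig_url":
            findings.append(f"prefs.js: network.proxy.autoconfig_url = {m.group('value')}")
    return findings


def check_java_policy(text):
    """Flag grant blocks that give AllPermission without any codeBase,
    signedBy or principal restriction."""
    # Drop ${...} property expansions so their braces do not confuse the grant parser.
    text = re.sub(r"\$\{[^}]*\}", "", text)
    findings = []
    for m in GRANT_RE.finditer(text):
        if not m.group("scope").strip() and "java.security.AllPermission" in m.group("body"):
            findings.append("java.policy: unscoped grant of java.security.AllPermission")
    return findings


def audit(reg_text, prefs_js, java_policy):
    """Run all three checks and return the combined list of findings."""
    return check_registry(reg_text) + check_prefs_js(prefs_js) + check_java_policy(java_policy)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_EXPORT, SAMPLE_PREFS_JS, SAMPLE_JAVA_POLICY):
        print(finding)
```

A non-empty AutoConfigURL or autoconfig_url is not malicious by itself (many enterprises deploy a PAC file), so treat that finding as something to compare against the expected corporate value; the two zeroed warning values and an unscoped AllPermission grant have no routine business justification and are the stronger signals.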



Analysis by Jireh Sanico

Last update 23 February 2013
