Home / malware TrojanProxy:JS/Banker.K
First posted on 23 February 2012.
Source: MicrosoftAliases :
There are no other names known for TrojanProxy:JS/Banker.K.
Explanation :
TrojanProxy:JS/Banker.K is a JavaScript trojan that runs as a proxy automatic configuration script to intercept communication between an infected computer and certain online banking websites, resulting in the possible theft of logon credentials or other sensitive information.
Top
TrojanProxy:JS/Banker.K is a JavaScript trojan that runs as a proxy automatic configuration script to intercept communication between an infected computer and certain online banking websites, resulting in the possible theft of logon credentials or other sensitive information.
Installation
TrojanProxy:JS/Banker.K is installed by other malware as a automatic proxy configuration script.
Payload
Steals sensitive information
TrojanProxy:JS/Banker.K monitors user access of the following sites in its effort to steal logon credentials and other sensitive information:
- www.bradesco.com.br
- bradesco.com.br
- www.bancobradesco.com.br
- bancobradesco.com.br
- www.real.com.br
- real.com.br
- www.bancoreal.com.br
- bancoreal.com.br
- www.santander.com.br
- santander.com.br
- www.banespa.com.br
- banespa.com.br
- www.bancosantander.com.br
- www.santanderempresarial.com.br
- santanderempresarial.com.br
- www.hotmail.com
- hotmail.com
- www.hotmail.com.br
- hotmail.com.br
- www.msn.com
- msn.com
- www.sicredi.com.br
- sicredi.com.br
- www.hsbc.com.br
- hsbc.com.br
- www.hsbcpremier.com.br
- hsbcpremier.com.br
If traffic is detected to any of the above listed sites, the trojan redirects the traffic request through a proxy server with an IP address of 74.50.110.214 using TCP port 80. This could result in the possible theft of logon credentials or other sensitive information.
Analysis by Hyun Choi
Last update 23 February 2012
