This malware drops the following files:

• %windir%system32helper.sys - normal XML file that contains online
  transaction information
• %windir%system32coman.dll - Trojan-Spy.Win32.Banker.cpv
• %windir%system32cookie.dat - log file
• %windir%system32ps.dat - log file
• %windir%system32alog.txt - log file
• %windir%system32commands.xml - normal xml file from the its download link

It also installs its component as a Browser Helper Object so that every time that Internet Explorer is running, this malware also runs.

• HKLMSoftwareHelper
• HKLMSoftwareMicrosoftWindowsCurrentVersionExplorer
  Browser Helper Objects{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}
• HKLMSoftwareClassesCLSID{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}
• HKLMSoftwareClassesCLSID{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}InprocServer32
• HKLMSoftwareClassesCLSID{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}ProgID
• HKLMSoftwareClassesCLSID{327C3AF0-4EF6-4f8a-9A8D-685A4815D9F8}TypeLib

This malware steals bank-related informations as well as passwords. It also has keylogging capability. It checks the sites that the infected user is visiting and compares it to the following bank-related strings:

• akbank.com.tr
• bankofamerica
• commbank.com.au/netbank/bankmain
• erheit.sparkasse-hannover.de
• ingportal.sparkasse-minden-luebbecke.de
• gad.de
• dserver.pipex.com/nationwide/
• netteller
• rbsdigital.com
• erage.bankingonline.de
• www.yapikredi.com.tr

It can also steal information such as:

• Outlook Express Password
• Deleted Outlook Express Account password
• Outlook password
• Deleted Outlook Account password
• MSN Explorer signup password
• IE auto-complete passwords
• IE auto-complete field

Here is a sample log file:




It sends a POST command to the following site to send all the stolen information from the infected machine:

• http://raspart2007.info/[removed].php
• http://raspart2007.info/[removed].php

Last update 01 June 2007

 

TOP