Description of the Trojan-Banker.Win32.Banz.cri sample
Trojan-Banker is the Kaspersky classification for programs created to steal data related to online banking, e-commerce and e-payment systems, or payment card details. The stolen data is then forwarded to the attackers controlling the Trojan, for example by email, FTP or a website.
Kaspersky first detected the sample on June 9, 2010 at 20:29 GMT; detection was released the next day, June 10, 2010 at 02:20 GMT, and the detailed description was published on June 16, 2010 at 12:17 GMT.
Detailed technical analysis
This sample steals personal information and account data for online banking, e-payment and e-commerce systems and payment cards, targeting customers of Brazilian banks. It is a Windows PE executable (.exe), about 942047 bytes in size, written in Delphi.
The Trojan first makes sure it is launched automatically at system startup. Like other members of the family, Trojan-Banker.Win32.Banz.cri does this by creating the following Registry value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wscntfx" = "%filepath%"
where %filepath% is the full path of the Trojan's main executable. It also modifies the following Registry key, appending a token to Internet Explorer's User-Agent string:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Embedded Web Browser from: http://bsalsa.com/" = ""
This value is the User-Agent token registered by the Delphi EmbeddedWB browser component that the sample is built on. On its own it is a weak indicator, because legitimate Delphi applications that use the same component write the same value.
It deletes the following Registry keys:
[HKEY_CLASSES_ROOT\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
[HKEY_CLASSES_ROOT\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}]
[HKEY_CLASSES_ROOT\CLSID\{9EC30204-384D-11D3-9CA3-00A024F0AF03}]
Payload process
Once running, the Trojan downloads its configuration file from:
http://juliana9090v.dominiotemporario.com/configex.txt
It compares the configuration with the current state of the victim's machine and applies whatever changes the file specifies. It then monitors every active browser window. When the user opens one of the targeted addresses, it captures all data the user enters into the forms on that page. Two addresses receive special attention:
www.bradesco.com.br
https://www2.realsecureweb.com.br
It also harvests payment card numbers and related data entered on other websites. All captured data is sent to the attacker's mailbox, either a hard-coded address or the one specified in the previously downloaded configuration file.
The email is sent through the following SMTP server:
smtp.tutopia.com.br
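The following PowerShell triage script is an added example, not Kaspersky's code or part of the original description. It checks a Windows host for the indicators listed above: the "wscntfx" Run value, the Post Platform User-Agent token, the three deleted CLSIDs, and resolver-cache entries for the configuration and SMTP hostnames. The -Remove switch, the SHA-256 hashing of the autostart file and the DNS-cache check are assumptions added for triage and are not described on the page.

```powershell
# Added example: host triage for the Trojan-Banker.Win32.Banz.cri indicators
# described on this page. Not Kaspersky's code. Run in an elevated PowerShell
# on a suspect Windows host. -Remove (assumed convenience switch) deletes the
# persistence value and User-Agent token; it is off by default.
param([switch]$Remove)

$findings = @()

# 1. Autostart value the sample writes (HKLM\...\Run, value name "wscntfx").
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'wscntfx' -ErrorAction SilentlyContinue
if ($run) {
    $path = $run.wscntfx
    $findings += "Run value wscntfx -> $path"
    if (Test-Path -LiteralPath $path) {
        # Hash and size are for correlation; the page reports ~942047 bytes.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "  file exists: $size bytes, SHA256 $hash"
    }
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'wscntfx' }
}

# 2. User-Agent "Post Platform" token written by the EmbeddedWB component.
#    Weak on its own: legitimate Delphi apps using EmbeddedWB write it too.
$uaKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
$uaName = 'Embedded Web Browser from: http://bsalsa.com/'
$ua = Get-ItemProperty -Path $uaKey -ErrorAction SilentlyContinue
if ($ua -and ($ua.PSObject.Properties.Name -contains $uaName)) {
    $findings += "Post Platform token present: $uaName (weak indicator)"
    if ($Remove) { Remove-ItemProperty -Path $uaKey -Name $uaName }
}

# 3. CLSIDs the sample deletes. Absence is expected if the sample ran, but
#    the keys may also be absent simply because the software never existed.
$clsids = '{2E3C3651-B19C-4DD9-A979-901EC3E930AF}',
          '{3F888695-9B41-4B29-9F44-6B560E464A16}',
          '{9EC30204-384D-11D3-9CA3-00A024F0AF03}'
foreach ($c in $clsids) {
    if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$c")) {
        $findings += "CLSID $c missing (weak indicator)"
    }
}

# 4. Network indicators: configuration host and SMTP exfiltration host in the
#    DNS client cache. Get-DnsClientCache requires Windows 8 / Server 2012+.
$hosts = 'juliana9090v.dominiotemporario.com', 'smtp.tutopia.com.br'
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($h in $hosts) {
    if ($cache | Where-Object { $_.Entry -like "*$h*" }) {
        $findings += "DNS cache entry for $h"
    }
}

if ($findings.Count -eq 0) { 'No Banz.cri indicators found.' } else { $findings }
```

Run it first without -Remove and treat the Run value or a cache hit for the configuration host as the strong indicators; the Post Platform token and missing CLSIDs only corroborate. Since the configuration file drives which sites are targeted, capture the running process and its network traffic before removing persistence if you want the live configuration for further analysis.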