Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11Description of Trojan-Banker.Win32.Banz.cri template
They are classified as Trojan-Banker - programs created to steal personal information and data related to online banking, e-commerce and e-payment systems. or payment card . These stolen data will then be forwarded to hackers behind the Trojan control. This form of data transfer can be via email, FTP, website .
The first signs were discovered by Kaspersky on June 9, 2010 at 20:29 GMT, and they began operating the next day, June 10, 2010 - 2:20 GMT, the analysis details. Details were officially posted on June 16, 2010 - 12:17 GMT.
Detailed technical analysis
In essence, they are created to steal personal information, bank account data, online payment systems, e-commerce systems, payment cards, etc., originating in the banking systems. Brazilian goods. They are Windows PE files with EXE extensions, about 942047 bytes and are written in the Delphi programming language.
The first rule of the virus is to automatically activate the same system. With Trojan-Banker.Win32.Banz.cri nothing else, they create the following Registry key:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"wscntfx" = "% filepath%"
with% filepath% is the full path of the main activation file. Besides, they also interfere with editing the values of the following Registry key:
[HKÑUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsUser
AgentPost Platform]
"Embedded Web Browser from: http://bsalsa.com/" = ""
Delete the following Registry keys:
[HKEY_CLASSES_ROOTCLSID {2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
[HKEY_CLASSES_ROOTCLSID {3F888695-9B41-4B29-9F44-6B560E464A16}]
[HKEY_CLASSES_ROOTCLSID {9EC30204-384D-11D3-9CA3-00A024F0AF03}]
Payload process
When enabled, they will automatically download the configuration file from:
http://juliana9090v.dominiotemporario.com/configex.txt
And compare with the current state of the victim's computer, and make the appropriate changes. They will then control all active browsers. When a user accesses a specific address, they immediately collect all user-defined information and fill in the forms available on that website. They pay special attention to the following two addresses:
www.bradesco.com.br
https://www2.realsecureweb.com.br
Besides, they also store data and numbers related to their credit cards on different websites. And these data are transferred to the hacker's mailbox address or the email specified in the configuration file - previously downloaded.
They use SMTP servers to send email:
smtp.tutopia.com.br
Micah SotoYou should read it
- Description of template Trojan-PSW.Win32.Qbot.mk
- Description of template Trojan.Win32.Oficla.w
- Trojan-PSW.Win32.OnLineGames.rlh
- Trojan-Downloader_Win32_Agent.nmi
- Kaspersky's free support security utilities
- Trojan-Dropper.Win32.Agent.albv
- Trojan-Downloader.Win32.Agent.mee
- Instructions to remove Safesoft Trojan (WIN32.Zafi.B virus)
- What is Trojan Dropper?
- Learn about the Trojan.Win32.FraudPack.bkhe template
- Vietnam ranked 8th in the rate of virus infection
- Hidden Trojan alerts in MP3 music files
Maybe you are interested
How to get data from web into Excel
What information does a VPN hide? How does it protect your data?
How to transfer data between 2 Google Drive accounts
6 Data Collecting Apps You Need to Delete for Better Privacy
How to master numerical data in Google Sheets with the AVERAGE function
How to delete white space in a table in Word - Appears right below the data
Description of template Trojan.Win32.Oficla.w
Virus spread through Yahoo! Messenger back
Virus alerts call for downloading sex videos in email
People infected with computer viruses!
Germany: Buy Samsung Wave to be 'promoted' malicious code
Pornographic websites are 'malicious code'