
Virus Detail

Win32.Banker.B

Date Published:
11 Jun 2004

Last Updated:
3 Nov 2004

Threat Assessment

Overall Risk:   Very Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  PWS-Banker (McAfee), Win32.PSW.Banker.B, Win32/PWS.Banker.Trojan, TrojanDownloader.Win32.Small.kn (Kaspersky)

Immediate Protection Info

 
Signature        Product
23.65.25         eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8365        eTrust Antivirus v7/8* (Vet Engine)
6.1x/5489        eTrust EZ Antivirus 6.1x
6.2x/8365        eTrust EZ Antivirus 6.2x
47.40            Inoculan/InoculateIT 4.x
10.5x/5489       Vet Anti-Virus 10.5x
10.6x/8365       Vet Anti-Virus 10.6x

Description

Win32.Banker.B is a trojan that appears to have been intended by its author to steal confidential financial information and send it to the trojan's controller. In laboratory tests, this functionality did not work. The trojan also contains limited backdoor functionality and can download and execute arbitrary files.


Method of Infection

This trojan originally consists of a single executable that drops a DLL and a driver file; the driver is used to hide running processes as instructed by the DLL. The trojan is similar in function to Win32.A311.


The executable file uses an installer icon.


When run, the main executable creates the following files in the %System% directory (the DLL name matches the DllName values written to the registry, below):


lsd_f3.dll
iesprt.sys


The creation date of both files is set to match that of the system file KERNEL32.DLL, to mask their recent creation from anyone sorting the directory by date.


It then creates the following registry values:


HKLM\System\CurrentControlSet\Control\MPRServices\TestService\Dllname="lsd_f3.dll"
HKLM\System\CurrentControlSet\Control\MPRServices\TestService\EntryPoint="LSD_F3"
HKLM\System\CurrentControlSet\Control\MPRServices\TestService\StackSize=0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl\DllName="lsd_f3.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl\Startup="LSD_F3"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl\Impersonate=1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl\Asynchronous=1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl\MaxWait=1
 
After the DLL is installed, the trojan activates it by launching the system application MPREXE.EXE (described as "WIN32 Network Interface Service Process"), which ships with Windows 9x and loads the DLLs registered under the MPRServices key. Because MPREXE.EXE is started automatically when Windows boots, the trojan's DLL is loaded at every startup.


Note: Because it depends on MPREXE.EXE, the trojan does not function on Windows NT-based systems (this includes Windows 2000 and XP). On Windows XP it also causes serious system errors, leaving the machine in a continuous restart loop; this is presumably a consequence of the way in which the driver attempts to hide processes. The Winlogon\Notify entries above are a load point honoured only by NT-family Winlogon, so they are worth checking on those systems even though MPREXE.EXE is absent.


The trojan also creates the atom "LOH" to ensure that only one copy of the trojan is running at any time on an affected machine.
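The two persistence artefacts described above, the registry load points and the copied KERNEL32.DLL creation date, can both be checked offline from a registry export and a directory listing. The script below is an added example written for this page; it is not CA's code and not part of the trojan. The .reg excerpt, the %System% listing and the baseline set of Winlogon notification DLLs are constructed assumptions for illustration, and the checks are generalised to report any off-baseline DllName under Winlogon\Notify or MPRServices, not only lsd_f3.dll.

```python
"""Offline triage for the Win32.Banker.B load points and timestamp masking.

Added example for this advisory (not CA code). Inputs are a constructed
.reg export, as `reg export` would produce, and a constructed %System%
directory listing; both are assumptions, as is the baseline DLL set.
"""
import re
from datetime import datetime

# Assumption: DLLs normally registered under Winlogon\Notify on Windows XP.
BASELINE_DLLS = {"crypt32.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll", "wlnotify.dll"}

# Constructed .reg export excerpt containing one benign and two trojan entries.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]
"DllName"="lsd_f3.dll"
"Startup"="LSD_F3"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService]
"Dllname"="lsd_f3.dll"
"EntryPoint"="LSD_F3"
"StackSize"=dword:00000000
"""

# Constructed %System% listing: (file name, creation time, last-write time).
# The dropped files carry kernel32.dll's creation time to the exact tick but
# were written years later; legitimate files differ in the sub-second part.
K32_CTIME = datetime(2001, 8, 23, 12, 0, 0, 481250)
SYSTEM_DIR = [
    ("kernel32.dll", K32_CTIME, K32_CTIME),
    ("crypt32.dll", datetime(2001, 8, 23, 12, 0, 1, 103000), datetime(2001, 8, 23, 12, 0, 1, 103000)),
    ("user32.dll", datetime(2001, 8, 23, 12, 0, 0, 996000), datetime(2003, 2, 1, 8, 0, 0)),  # patched, benign
    ("lsd_f3.dll", K32_CTIME, datetime(2004, 6, 10, 9, 31, 5)),
    ("iesprt.sys", K32_CTIME, datetime(2004, 6, 10, 9, 31, 6)),
]

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Return {key (lower-case): {value name (lower-case): str | int}}."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name, text_val, dword = m.groups()
            # .reg files escape backslashes in string data as "\\".
            reg[key][name.lower()] = (text_val.replace("\\\\", "\\")
                                      if text_val is not None else int(dword, 16))
    return reg


def suspicious_load_points(reg):
    """Winlogon\\Notify and MPRServices subkeys whose DllName is off-baseline."""
    hits = []
    for key, values in reg.items():
        if "\\winlogon\\notify\\" in key or "\\mprservices\\" in key:
            dll = values.get("dllname")
            if isinstance(dll, str) and dll.lower().rsplit("\\", 1)[-1] not in BASELINE_DLLS:
                hits.append((key, dll))
    return hits


def timestamp_masked_files(listing, anchor="kernel32.dll"):
    """Files whose creation time equals the anchor's to the tick but were written later."""
    anchor_ctime = next(ct for name, ct, _ in listing if name.lower() == anchor)
    return sorted(name for name, ct, mt in listing
                  if name.lower() != anchor and ct == anchor_ctime and mt > ct)


if __name__ == "__main__":
    for key, dll in suspicious_load_points(parse_reg_export(REG_EXPORT)):
        print(f"load point: {key} -> {dll}")
    for name in timestamp_masked_files(SYSTEM_DIR):
        print(f"masked creation time: {name}")
```

The timestamp check deliberately requires an exact match down to the sub-second tick: files laid down by the same Windows setup run share a creation second but not the same 100 ns FILETIME value, whereas a copied timestamp matches exactly. Treat both reports as triage leads to confirm by hashing the named files, not as a verdict.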



Payload

Keylogging (Intended)

The DLL is intended to scan the title bars of open windows for any mention of banks or money and then log the information entered into those windows. It then sends the captured data, together with an authorisation string, to a remote site. In laboratory tests, however, this functionality did not work.


Limited Backdoor Functionality

The DLL can also be instructed by the trojan's controller to download and execute files.



For additional information:

Banker.B creates the following registry value for its own use:


HKLM\System\CurrentControlSet\Control\Impersonate = <Random Number><UsernameOfCurrentUser>


Analysis by Matthew McCormack


