Threat behavior
Trojan:Win32/Banker.B is a trojan that attempts to disable online banking security software.
Installation
Trojan:Win32/Banker.B drops itself as the file 'msnmsgr.exe' in the following folders:
- <startup folder>
- %windir%\System
Note - <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It creates the following registry entries so that it automatically runs every time Windows starts:
Adds value: "SysCom"
With data: "%windir%\System\msnmsgr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payload
Attempts to disable online banking protection
Trojan:Win32/Banker.B creates the following registry entry:
Adds value: "PendingFileRenameOperations"
With data: "\??\C:\WINDOWS\Downloaded Program Files\ !\??\C:\WINDOWS\System32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
The above registry entry makes the Session Manager rename the 'Downloaded Program Files' folder at the next boot to 'gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL'. This is an attempt by the trojan author to disable various components of the 'G-Buster Browser Defense' software, which is used by some banks to ensure secure online banking authentication.
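The two registry artifacts described above (the Run value and the PendingFileRenameOperations value) can be checked by an incident responder without executing anything on the host, by reading the values and inspecting them offline. The following helper is an added example written for this write-up; it is not Microsoft code and not part of the analysis. It parses a PendingFileRenameOperations REG_MULTI_SZ in the shape the Windows registry API returns it (a list of strings alternating source and destination, where a destination beginning with '!' means "replace the existing target" and an empty destination means "delete the source") and flags entries that touch the 'Downloaded Program Files' folder or the G-Buster DLL names listed above. The sample value, the watch-token list and the function names are constructed for the example.

```python
"""Offline triage helpers for the two registry artifacts in this write-up.

Hypothetical example code, not Microsoft's analysis tooling. On a live host
the inputs would come from winreg.QueryValueEx(); here they are constructed
so the script runs anywhere.
"""
from typing import Dict, List, Tuple

# Constructed from the data string in the write-up, split into the
# source/destination pair of a REG_MULTI_SZ value.
SAMPLE_PENDING: List[str] = [
    "\\??\\C:\\WINDOWS\\Downloaded Program Files\\",
    "!\\??\\C:\\WINDOWS\\System32\\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL",
]

# Substrings (lower-cased) taken from the folder and DLL names in the write-up.
# Any rename touching these is worth a closer look; the list is an assumption.
WATCH_TOKENS = ("downloaded program files", "gbieh", "scpsssh2")

NT_PREFIX = "\\??\\"  # object-manager prefix the Session Manager expects


def strip_nt_prefix(path: str) -> str:
    """Turn '\\??\\C:\\x' into 'C:\\x' so paths compare like Win32 paths."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(multi_sz: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, destination, action) triples from a MULTI_SZ list.

    action is 'delete' (empty destination), 'replace' (destination led by '!')
    or 'rename'. An odd-length list is malformed; the last entry is treated as
    a delete rather than silently dropped.
    """
    entries = list(multi_sz)
    if len(entries) % 2:
        entries.append("")
    triples = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            action = "replace" if False else "delete"
        elif dst.startswith("!"):
            action, dst = "replace", dst[1:]
        else:
            action = "rename"
        triples.append((strip_nt_prefix(src), strip_nt_prefix(dst), action))
    return triples


def flag_suspicious(triples: List[Tuple[str, str, str]],
                    watch=WATCH_TOKENS) -> List[str]:
    """Describe every pending operation whose paths mention a watch token."""
    hits = []
    for src, dst, action in triples:
        haystack = (src + " " + dst).lower()
        matched = [t for t in watch if t in haystack]
        if matched:
            hits.append(f"{action}: {src!r} -> {dst!r} (matched {matched})")
    return hits


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return names of HKLM\\...\\Run values matching the trojan's persistence.

    run_values maps value name to its data with %windir% already expanded.
    Matches the value name 'SysCom' or data ending in '\\System\\msnmsgr.exe',
    both taken from the write-up.
    """
    flagged = []
    for name, data in run_values.items():
        if name == "SysCom" or data.lower().endswith("\\system\\msnmsgr.exe"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for line in flag_suspicious(parse_pending_renames(SAMPLE_PENDING)):
        print(line)
    print(suspicious_run_entries({"SysCom": "C:\\WINDOWS\\System\\msnmsgr.exe"}))
```

On a real Windows host, read the MULTI_SZ with `winreg.QueryValueEx` on `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` and pass the returned list straight to `parse_pending_renames`; the value is consumed and removed by the Session Manager at the next boot, so it should be captured before the machine is restarted.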
Analysis by Andrei Florin Saygo
Prevention