TrojanSpy:Win32/Banker.OT is a variant of the Win32/Banker family of data stealing trojans. It redirects Web browsing of certain online banking sites and may copy itself to removable drives.
Win32/Banker is a family of data-stealing trojans that captures banking credentials such as account numbers and passwords from computer users. It then relays the captured information to the attacker. Many Win32/Banker variants target customers of Brazilian banks while some variants target customers of other banks. Please see our detailed TrojanSpy:Win32/Banker family analysis elsewhere in this encyclopedia for additional information.
Installation
When TrojanSpy:Win32/Banker.OT is run, it copies itself as the following:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\msnmsgr.exe
%windir%\System\msnmsgr.exe
Note: %ALLUSERSPROFILE% refers to a profile directory for all users - for Windows XP that folder is commonly "\Documents and Settings\All Users\". In Windows Vista/7, the folder is "\ProgramData".
The registry is modified to run the trojan at each Windows start.
Adds value: "SysCom"
With data: "%windir%\system\msnmsgr.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
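The persistence indicators above (the two file copies and the "SysCom" Run value) are simple to check for. The following is an added example written for this entry, not Microsoft's own tooling: it parses a text export of the Run key (as produced by reg export) and flags entries matching this variant, and on Windows it can also read the live key. The sample export is constructed; the benign entries in it are placeholders.

```python
import re
import sys
from typing import List, Tuple

# Indicators from the encyclopedia entry above.
SUSPECT_VALUE_NAME = "SysCom"
SUSPECT_FILE = "msnmsgr.exe"

# Constructed sample of a `reg export` of the Run key (not a real capture).
# .reg format doubles backslashes and escapes embedded quotes as \".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"SysCom"="%windir%\\system\\msnmsgr.exe"
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (name, data) pairs from the [...\\CurrentVersion\\Run] section of a .reg export."""
    values = []
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run:
            continue
        m = VALUE_RE.match(line)
        if m:
            # Undo the .reg escaping so paths compare like real registry data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values.append((m.group("name"), data))
    return values


def flag_banker_ot(values: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag Run entries matching Banker.OT: the value name "SysCom", or data that
    launches msnmsgr.exe from the %windir%\\system directory."""
    hits = []
    for name, data in values:
        if name == SUSPECT_VALUE_NAME or data.lower().endswith("\\system\\" + SUSPECT_FILE):
            hits.append((name, data))
    return hits


def live_run_values() -> List[Tuple[str, str]]:
    """On Windows, read the same Run key from the live registry (winreg is stdlib)."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            out.append((name, str(data)))
            index += 1
    return out


if __name__ == "__main__":
    source = live_run_values() or parse_run_values(SAMPLE_REG_EXPORT)
    for name, data in flag_banker_ot(source):
        print(f"Banker.OT persistence indicator: {name} = {data}")
```

Note that reg.exe writes exports as UTF-16LE; open such a file with that encoding before passing its text to parse_run_values. A match on the value name alone is a weaker signal than a match on the msnmsgr.exe path, so review the data field before acting on a hit.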
Payload
Redirects Web browser
The trojan monitors the user's browsing of certain Web sites and, when the address of the visited online banking site contains one of the following substrings, redirects the browser to the corresponding destination:
substring of visited site - redirect destination
"desco" - <site>/desco/
"uni" - <site>/uni/
"itau" - <site>/itau/
"ncx" - <site>/ncx/
For example, if the user intended to visit the site "bradesco.com.br", the trojan could redirect the Web browser to the site "<site>/desco/", where "<site>" is a specific directory at the domain "ddcinternet.com".
At the time of this writing, the redirected site destinations were unavailable, but could have been a Web landing page awaiting user logon information for the associated online banking site (e.g. a phishing attempt).
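From the network side, the redirect leaves a recognisable trace: a request to a banking site followed almost immediately by a request to ddcinternet.com for one of the four directories listed above. The following is an added example, not part of the original entry, that runs that correlation over proxy log lines. The log format (timestamp, client, host, path), the placeholder directory in place of "<site>", and the 30-second correlation window are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Redirect rules from the entry: substring of the visited site -> directory on the attacker host.
REDIRECT_RULES = {"desco": "/desco/", "uni": "/uni/", "itau": "/itau/", "ncx": "/ncx/"}
ATTACKER_DOMAIN = "ddcinternet.com"
WINDOW = timedelta(seconds=30)  # assumed correlation window, not taken from the entry

# Constructed proxy log lines: "<iso-timestamp> <client> <host> <path>". Not a real capture;
# "placeholder-dir" stands in for the unspecified "<site>" directory.
SAMPLE_LOG = """\
2010-05-01T10:00:01 10.0.0.5 www.bradesco.com.br /
2010-05-01T10:00:02 10.0.0.5 ddcinternet.com /placeholder-dir/desco/
2010-05-01T10:05:00 10.0.0.7 www.example.com /news
2010-05-01T10:06:10 10.0.0.9 www.itau.com.br /login
2010-05-01T10:06:11 10.0.0.9 ddcinternet.com /placeholder-dir/itau/
2010-05-01T10:09:00 10.0.0.5 ddcinternet.com /static/logo.png
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Split one log line into (timestamp, client, host, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path = m.groups()
    return datetime.fromisoformat(ts), client, host.lower(), path


def detect_redirects(log_text: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (client, matched_substring, originating_bank_host_or_None, destination)
    for every request to the attacker domain that hits one of the redirect directories.
    The originating host is the most recent visit by the same client within WINDOW
    whose hostname carries the same substring the trojan keys on."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, host)
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, client, host, path = rec
        if host == ATTACKER_DOMAIN or host.endswith("." + ATTACKER_DOMAIN):
            for key, directory in REDIRECT_RULES.items():
                if directory in path:
                    origin = next(
                        (h for t, h in reversed(recent[client]) if key in h and ts - t <= WINDOW),
                        None,
                    )
                    alerts.append((client, key, origin, host + path))
                    break
        else:
            queue = recent[client]
            queue.append((ts, host))
            while queue and ts - queue[0][0] > WINDOW:
                queue.popleft()
    return alerts


if __name__ == "__main__":
    for client, key, origin, dest in detect_redirects(SAMPLE_LOG):
        print(f"{client}: visit to {origin or '<none in window>'} ({key}) followed by {dest}")
```

A hit with an originating bank host is the strong case; a hit on the attacker domain with no preceding bank visit is still worth a look, since the victim's browser may have reached the bank over HTTPS that the proxy did not log by hostname.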
Additional information
This trojan has been observed being spread to removable drives with the filename "msnmsgr.exe". An autorun configuration file named "autorun.inf" pointing to the copy of the trojan is also written to the same location. When the drive is accessed from a machine supporting the Autorun feature, the trojan is launched automatically. The autorun configuration file "autorun.inf" is detected as TrojanSpy:Win32/Banker.OT!inf.
Analysis by Hong Jia