We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names

Published Nov 19, 2013 | Updated Jul 13, 2017

Learn about other threats

Win32/Gamker

Detected by Microsoft Defender Antivirus

Aliases: Trojan/Win32.Shiz (AhnLab) TR/Spy.Shiz.NCM (Avira) Trojan.PWS.Ibank.751 (Dr.Web) Win32/Spy.Shiz.NCM trojan (ESET) W32/Dofoil.QTZ!tr (Fortinet) Trojan-Spy.Zbot (Ikarus) Trojan-Spy.Win32.Agent.cjgt (Kaspersky) PWS-FBKW!C9197F34D616 (McAfee) BKDR_SHIZ.TO (Trend Micro)

Summary

Windows Defender detects and removes this threat.

This family of trojans aims to steal financial information, SAP information, BitCoin wallets, and other sensitive information from an infected PC.It can also let a hacker to do other malicious actions on your PC and network.

The following free Microsoft software detects and removes this threat:

Microsoft Security Essentials or, for Windows 8, Windows Defender
Microsoft Safety Scanner

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

What to do if you are a victim of fraud

You should change your passwords after you've removed this threat:

Create strong passwords

Threat behavior

Installation

Win32/Gamker installs itself in your PC using one of these file names:

%ALLUSERSPROFILE%\Application Data\<random lowercase letters>.exe
%ALLUSERSPROFILE%\Application Data\<random lowercase letters>32.exe
%ALLUSERSPROFILE%\Application Data\<random lowercase letters>64.exe
%ALLUSERSPROFILE%\Application Data\explorer.exe.exe
%TEMP%\cryptbase.dll
%USERPROFILE%\winsat.exe

<random lowercase letters> varies depending on the version of Gamker that you have, but is typically 5 or 7 lowercase letters. For example, some names Win32/Gamker has used include:

pyzidyb.exe
pijulis32.exe
mezyfil64.exe

To make sure it automatically runs every time you start your PC, it creates a scheduled job:

%windir%\Tasks\nVidiaBootAgent32.job

It also changes this registry entry so that it runs every time you log onto Windows:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Userinit"
With data: "<original value>,<malware path>"

Payload

Records your keystrokes

Gamker records your keystrokes for all applications. Keystrokes are recorded in a randomly-named file in %AppData%.

An example of recorded keystroke information is shown below:

Application Data

Takes screenshots

If Gamker detects that a certain program is running, it records ten screenshots of that program, with each screenshot taken at one second intervals.

An example of screenshot captures is shown below:

Screenshots taken by Gamker

Records command-line arguments

Gamker records command-line arguments run by your programs. It then saves these commands to the file:

%APPDATA%\<random lowercase letters>\cmdline.txt

An example of command-line arguments saved is shown below:

cmdline.txt

Sends stolen information to a hacker

The screenshots, keylogs, and command-line arguments, are sent to a command-and-control (C&C) server controlled by a hacker.

The programs and applications that Gamker tries to steal information from include those that fall under these categories:

Online banking apps
Internal banking tools
SAP programs
Bitcoin wallets
Cryptography tools
Signing keys
FTP, POP3, and Squirrel apps

The complete list of applications that it takes screenshots of is below (note that this list is current as of publication date, and can be changed by the malware authors at any time):

Executable name	Category assigned by malware author	Description
AdClient.exe	Etc	Unknown
ARM\\ARM.exe	Etc	Unknown
ASBANK_LITE.exe	Etc	Unknown
avn_cc.exe	Etc	Unknown
BANK32.exe	Etc	Unknown
bankcl.exe	Etc	Unknown
bb.exe	Etc	Unknown
bb24.exe	PSHEK	Unknown
BBCLIENT.exe	Etc	Unknown
BBMS.exe	Etc	Unknown
BC_Loader.exe	Etc	Unknown
BCLIENT.exe	Etc	Unknown
bcmain.exe	BANKATCASH	Unknown
bestcrypt.exe	CRYPT	Tool used to manage BestCrypt protected filesystems
bit4pin.exe	IT	Unknown
bitcoin-qt.exe	Etc	Unknown
bk.exe	Etc	Unknown
Bk_kw32.exe	Etc	Unknown
BUDGET.exe	Etc	Unknown
cb193w.exe	Etc	Unknown
Ceedo.exe	IT	Unknown
CeedoRT.exe	IT	Unknown
CLB.exe	Etc	Unknown
CLBank.exe	Etc	Unknown
clcard.exe	Etc	Unknown
CliBank.exe	Etc	Unknown
Client2.exe	Etc	Unknown
Client32.exe	Etc	Unknown
client6.exe	Etc	Unknown
ClientBK.exe	Etc	Unknown
ClntW32.exe	Etc	Unknown
CNCCLIENT.exe	Etc	Unknown
ContactNG.exe	Etc	Unknown
contoc.exe	IT	Unknown
CSHELL.exe	Etc	Unknown
CyberTerm.exe	CTERM	Unknown Russian payment-related tool
Dealer.exe	Etc	Unknown
dikeutil.exe	IT	Unknown
DTPayDesk.exe	Etc	Unknown
ebmain.exe	BANKATLOCAL	Application by UniCredit Bank Australia
eclnt.exe	Etc	Unknown
avn_cc.exe	Etc	Unknown
BANK32.exe	Etc	Unknown
Edealer.exe	Etc	Unknown
EELCLNT.exe	Etc	Unknown
EffectOffice.Client.exe	Etc	Unknown
el_cli.exe	Etc	Unknown
ELBA5.exe	ELBALOCAL	Unknown
ELBA5STANDBY.exe	ELBALOCAL	Unknown
elbank.exe	Etc	Unknown
ETSRV.exe	Etc	Unknown
EximClient.exe	Etc	Unknown
fcClient.exe	Etc	Unknown
FileProtector.exe	IT	Unknown
hbp.exe	HPB	Might be Deutsche Bundesbank Eurosystem
Hob.exe	HPB	Might be Deutsche Bundesbank Eurosystem
ibcremote31.exe	Etc	Unknown
Ibwn8.exe	Etc	Unknown
IDProtect Monitor.exe	IT	Unknown
IMBLink32.exe	Etc	Unknown
info.exe	Etc	Unknown
iquote32.exe	Etc	Unknown
iscc.exe	Etc	Unknown
iWallet.exe	Etc	Unknown
JSCASHMAIN.exe	Etc	Unknown
kb_cli.exe	Etc	Unknown
KB_PCB.exe	PSHEK	Profibanka by Komercní banka
KBADMIN.exe	Etc	Unknown
KLBS.exe	Etc	Unknown
LBank.exe	Etc	Unknown
legalSign.exe	IT	Unknown
LFCPaymentAIS.exe	Etc	Unknown
litecoin-qt.exe	Etc	Unknown
LPBOS.exe	Etc	Unknown
MMBANK.exe	Etc	Unknown
MWCLIENT32.exe	Etc	Unknown
NURITSmartLoader.exe	Etc	Unknown
OEBMCC32.exe	MCLOCAL	Application by Omikron related to electronic banking
OEBMCL32.exe	MCLOCAL	Application by Omikron Systemhaus GmbH related to electronic banking
OKMain.exe	Etc	Unknown
Omeg\\M7.exe	Etc	Unknown
OnCBCli.exe	Etc	Unknown
openvpn-gui	CRYPT	Client for VPN remote access to PCs
oseTokenServer.exe	MCSIGN	Application by Omikron related to electronic banking
payment_processor.exe	Etc	Unknown
Payments.exe	Etc	Unknown
PaymMaster.exe	Etc	Unknown
Payroll.exe	Etc	Unknown
PinPayR.exe	Etc	Unknown
Pkkb.exe	PSHEK	Banking application, Komercní banka
plat.exe	Etc	Unknown
Pmodule.exe	Etc	Unknown
PostMove.exe	POST	Unknown, likely a tool use to do HTTP POST operations
PRCLIENT.exe	Etc	Unknown
ProductPrototype.exe	Etc	Unknown
Qiwicashier.exe	Etc	Unknown
QIWIGUARD.exe	Etc	Unknown
QUICKPAY.exe	Etc	Unknown
rclient.exe	CFT	Client for Remote Administration
RETAIL.exe	Etc	Unknown
RETAIL32.exe	Etc	Unknown
rmclient.exe	Etc	Unknown
rpay.exe	Etc	Unknown
RTADMIN.exe	Etc	Unknown
RTCERT.exe	Etc	Unknown
SAADM.exe	Etc	Unknown
SACLIENT.exe	Etc	Unknown
saplogon.exe	SAP	SAP Logon for Windows
sapphire.exe	Etc	Unknown
SecureStoreMgr.exe	PSHEK	Unknown
selva_copy.exe	Etc	Unknown
SGBClient.exe	Etc	Unknown
SIManager.exe	IT	Unknown
srclbclient.exee	Etc	Unknown
StartCeedo.exe	IT	Unknown
startclient7.exe	Etc	Unknown
Sunflow.exe	Etc	Unknown
SXDOC.exe	Etc	Unknown
Telemaco.exe	IT	Unknown
TelemacoBusinessManager.exe	IT	Unknown
terminal.exe	Etc	Unknown
TERMW.exe	Etc	Unknown
Transact.exe	Etc	Unknown
Translink.exe	WU	Tool by Western Union Inc
truecrypt.exe	CRYPT	Tool used to manage TrueCrypt protected filesystems
UARM.exe	Etc	Unknown
ubs_net.exe	Etc	Unknown
UNISTREAM.exe	Etc	Unknown
UpOfCards.exe	Etc	Unknown
URALPROM.exe	Etc	Unknown
visa.exe	Etc	Unknown
W32MKDE.exe	Etc	Unknown
WClient.exe	Etc	Unknown
WebLogin.exe	Etc	Unknown
webmoney.exe	WM	Unknown
WFINIST.exe	Etc	Unknown
WinPost.exe	POST	Unknown, likely a tool use to do HTTP POST operations
WinVal.exe	Etc	Unknown
WUPostAgent.exe	Etc	Unknown
xplat_client.exe	Etc	Unknown

Lets a hacker to gain access to your PC

Gamker can implement a hidden VNC (Virtual Network Computing) server, which lets a hacker remotely control your PC to do malicious activities like these:

Transport stolen data out of your PC
Install or update Gamker
Spread to other PCs in your network

Steals keys from your PC

Gamker steals both private and public keys found in your PC.

Additional information

To do its payload, Gamker hooks these functions:

advapi32.dll::CryptEncrypt
chrome.dll::somefunction
kernel32.dll::CreateFileW
nspr4.dll::PR_Close
nspr4.dll::PR_Connect
nspr4.dll::PR_GetNameForIdentity
nspr4.dll::PR_Read
nspr4.dll::PR_SetError
nspr4.dll::PR_Write
ssleay32.dll::SLL_get_fd
ssleay32.dll::SLL_write
Urlmon.dll:URLDownloadToCacheFileW
Urlmon.dll:URLDownloadToFileW
user32.dll::CreateDialogParamW
User32.dll::GetMessageA
User32.dll::GetMessageW
user32.dll::GetWindowTextA
User32.dll::SendInput
User32.dll::TranslateMessage
Wininet.dll::HttpSendRequestA
Wininet.dll::HttpSendRequestExA
Wininet.dll::HttpSendRequestExW
Wininet.dll::HttpSendRequestW
Wininet.dll::InternetCloseHandle
Wininet.dll::InternetQueryDataAvailable
Wininet.dll::InternetReadFile
Wininet.dll::InternetReadFileExA
Wininet.dll::InternetReadFileExW
ws2_32.dll::getaddrinfo
ws2_32.dll::gethostbyname
ws2_32.dll::recv
ws2_32.dll::send
ws2_32.dll::WSARecv
ws2_32.dll::WSASend

Analysis by Geoff McDonald

Prevention

Take these steps to help prevent infection on your PC.