Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.ACWG [Threat Variant Name]

Category trojan
Size 30006976 B
Detection created Feb 24, 2016
Signature database version 13078
Aliases Trojan-Banker.Win32.BestaFera.ite (Kaspersky)
  TrojanSpy:Win32/Banker (Microsoft)
  Trojan.DownLoader19.32881 (Dr.Web)
Short description

Win32/Spy.Banker.ACWG is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses. The trojan tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.

Payload information

Win32/Spy.Banker.ACWG is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "AutoConfigURL" = "http://ie-chrome.com.br/%censored%"

Other information

The trojan contains a URL address.


It tries to download a file from the address. The HTTPS protocol is used.


The file is stored in the following location:

  • %appdata%\HPOFFICE.zip

The trojan extracts the archive content into the following folder:

  • %appdata%

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "HP Impressoras" = "%appdata%\wuaudt.exe"
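The two Registry changes described in this entry (a proxy auto-configuration URL under Internet Settings, and a per-user Run entry launching an executable from %appdata%) can be audited on a Windows host with the following script. It is an added defensive check, not part of the ESET entry or any vendor tool: it only reads the two keys named above, expands the Run entry targets, and reports anything that matches this entry's indicators or otherwise starts from the roaming profile. The dropped-file paths it tests are the ones listed on this page.

```powershell
# Added audit script (not part of the original entry). Read-only: it inspects
# the two HKCU keys this description names and reports what is set there.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Proxy auto-config URL. When set, the browser fetches a PAC script from
#    that URL and lets it decide how traffic is routed, which is how this
#    trojan blocks and reroutes web sites. On a host where no PAC is expected,
#    any value here deserves review.
$autoConfig = (Get-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
if ($autoConfig) {
    Write-Output "AutoConfigURL is set: $autoConfig"
} else {
    Write-Output "AutoConfigURL is not set."
}

# 2. Per-user Run entries. The entry on this page is
#    "HP Impressoras" = "%appdata%\wuaudt.exe"; flag that name and any other
#    value whose expanded target lives under the roaming AppData folder.
$appData  = [Environment]::GetFolderPath('ApplicationData')
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata properties
        $target  = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $suspect = ($p.Name -eq 'HP Impressoras') -or ($target -like "$appData*")
        if ($suspect) {
            Write-Output ("Run entry '{0}' -> {1}" -f $p.Name, $target)
        }
    }
}

# 3. Dropped files named in this entry: the downloaded archive and the
#    executable it is extracted to.
foreach ($f in @('HPOFFICE.zip', 'wuaudt.exe')) {
    $path = Join-Path $appData $f
    if (Test-Path -LiteralPath $path) {
        Write-Output "Found $path"
    }
}
```

Run it in the context of the user being examined, since both keys live under HKEY_CURRENT_USER; a populated AutoConfigURL on a machine with no managed proxy, or a Run entry under the user's AppData folder, is the condition to investigate, and clearing the AutoConfigURL value restores direct browsing once the executable and its Run entry have been removed.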
