Java/Spy.Banker [Threat Name]

Java/Spy.Banker.AA [Threat Variant Name]

Category trojan
Size 16136 B
Detection Windows Mobile db version 3.1
Detection Symbian db version 3.4
Aliases PWS-Banker!gxy (McAfee)
  Troj/Gowfi-B (Sophos)
Short description

Java/Spy.Banker.AA is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

Installation

When executed, the trojan creates the following files:

  • %temp%\%variable%.tmp
  • %temp%\add.reg
  • %temp%\cert_override.txt
  • %temp%\GbSysUsb.sys

A string with variable content is used instead of %variable%.


The trojan creates copies of the following files (source, destination):

  • %temp%\GbSysUsb.sys, C:\WINDOWS\system32\drivers\GbSysUsb.sys
  • %temp%\cert_override.txt, %appdata%\Mozilla\Firefox\Profiles\%profilename%\cert_override.txt

The trojan modifies the following file:

  • %programfiles%\Java\lib\security\java.policy

The trojan may create the following files:

  • c:\MDXX2010.tmp

The trojan executes the following commands:

  • cmd /c sc create GbSysUsb binPath= "C:\WINDOWS\system32\drivers\GbSysUsb.sys" group= "Video" type= kernel start= boot error= normal DisplayName= "GbSysUsb"
  • cmd /c sc start GbSysUsb
  • cmd /c REG IMPORT %temp%\add.reg

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used.

Other information

Java/Spy.Banker.AA is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.


The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

  • 188.165.201.54 www.realsecureweb.com.br
  • 188.165.201.54 www2.realsecureweb.com.br
  • 188.165.201.54 www.bb.com.br
  • 188.165.201.54 bb.com.br
  • 188.165.201.54 www.bancodobrasil.com.br
  • 188.165.201.54 bancodobrasil.com.br

The trojan may redirect the user to the attacker's web sites.
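A defender can check a machine for this kind of hosts-file pharming by flagging entries that map a name to a routable internet address instead of loopback or a LAN address. The following is an added example, not code from ESET's page or from the trojan; the sample hosts content is constructed from the entries listed above plus the default Windows lines.

```python
import ipaddress

# Constructed sample hosts file: the two default Windows entries followed by
# the bank-domain overrides this variant writes (taken from the list above).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
188.165.201.54 www.bb.com.br
188.165.201.54 bb.com.br
188.165.201.54 www.bancodobrasil.com.br
188.165.201.54 bancodobrasil.com.br
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples for every mapping in hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line may map
    one address to several names, and each name yields its own tuple.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address: skip rather than guess
        for name in parts[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def find_hijacks(text):
    """Return entries whose address is routable on the internet.

    Legitimate hosts entries point at loopback or private/LAN ranges. A public
    address here silently overrides DNS for that name, which is exactly how this
    trojan sends bank domains to 188.165.201.54.
    """
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            continue
        hits.append({"line": line_no, "ip": str(ip), "host": name})
    return hits
```

On a live Windows host the same function can be run over the contents of %system%\drivers\etc\hosts; any hit should be compared against the domains a user actually expects to reach.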
