Troj/Bancsde-A is a multi-component Trojan which attempts to steal online banking details for accounts related to certain banks in Germany.
The downloader component of Troj/Bancsde-A, which may have been seeded out to victims, launches Microsoft Internet Explorer (iexplore.exe) and injects code into the running process, so that the download appears to come from the browser itself; the injected code downloads and executes a file called xxde.exe from a remote URL.
The file xxde.exe drops and executes a file called <random 3-4 letters>svr.exe within the Windows folder and creates the following registry entry to run the dropped file on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random 3-4 letters>Srv32
<path to file>
The dropped file, which is the main Trojan component, carries HTML and script content in its body, which it uses to display web pages that imitate legitimate online banking login pages. This file may also drop two DLLs called iexml.dll and iempview.dll in the Windows folder and inject them into the process space of iexplore.exe.
The DLLs are used to relay stolen information to a remote PHP script.
The main component may create the following registry entry to run itself on system restart:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random 3-4 letters>Srv32
<path to file>
Troj/Bancsde-A also sets the following registry values to weaken Internet Explorer's security settings. WarnOnPostRedirect and WarnOnZoneCrossing set to 0 suppress the warnings normally shown when a form POST is redirected to another site or when the browser moves between security zones; action 1609 is "Display mixed content", and setting it to 0 in zones 0 to 4 (My Computer, Local intranet, Trusted sites, Internet, Restricted sites) allows mixed HTTP/HTTPS content to load in every zone without prompting the user:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnZoneCrossing
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1609
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1609
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1609
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1609
0
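The following PowerShell script is an added triage example and is not part of the original threat description. It looks for the indicators listed above on a suspect host: Run-key values matching the <random 3-4 letters>Srv32 naming pattern, a <random 3-4 letters>svr.exe and the iexml.dll / iempview.dll files in the Windows folder, and the weakened Internet Explorer settings. With -Remediate it removes the Run-key value and restores the warning/prompt values (1); those restore values are a conservative choice assumed here, not necessarily the Windows defaults, and the regular expression for the value name is an assumption derived from the pattern in the description.

```powershell
# Added triage script for Troj/Bancsde-A indicators (not part of the Sophos description).
# Run from an elevated PowerShell prompt on the suspect host.
# Assumptions: persistence value names match ^[A-Za-z]{3,4}Srv32$, dropped EXE
# names match ^[A-Za-z]{3,4}svr$, and the "restore" values (1 = warn/prompt)
# are a conservative choice rather than the OS defaults.
param([switch]$Remediate)

$findings = @()
$winDir   = $env:SystemRoot

# 1. Run-key persistence in HKLM and HKCU (value name <xxx>Srv32 -> path to file).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^[A-Za-z]{3,4}Srv32$') {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = "$key\$($p.Name)"; Data = $p.Value
            }
            if ($Remediate) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}

# 2. Dropped files in the Windows folder: <xxx>svr.exe and the two injected DLLs.
Get-ChildItem -Path $winDir -Filter '*svr.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[A-Za-z]{3,4}svr$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'DroppedExe'; Location = $_.FullName; Data = $_.Length }
    }
foreach ($dll in 'iexml.dll', 'iempview.dll') {
    $path = Join-Path $winDir $dll
    if (Test-Path $path) {
        $findings += [pscustomobject]@{ Type = 'DroppedDll'; Location = $path; Data = (Get-Item $path).Length }
    }
}

# 3. Internet Explorer settings the Trojan sets to 0.
#    1609 = "Display mixed content" per zone: 0 = enable silently, 1 = prompt, 3 = disable.
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$checks = @(
    @{ Key = $is; Name = 'WarnOnPostRedirect'; Restore = 1 },
    @{ Key = $is; Name = 'WarnOnZoneCrossing'; Restore = 1 }
)
foreach ($zone in 0..4) {
    $checks += @{ Key = "$is\Zones\$zone"; Name = '1609'; Restore = 1 }
}
foreach ($c in $checks) {
    $val = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($val -eq 0) {
        $findings += [pscustomobject]@{ Type = 'IESetting'; Location = "$($c.Key)\$($c.Name)"; Data = $val }
        if ($Remediate) {
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Restore -Type DWord
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No Troj/Bancsde-A indicators found.'
}
```

A single 1609 value of 0 can occur on a machine where an administrator deliberately allowed mixed content in one zone; the distinguishing pattern for this Trojan is 0 in all five zones together with both Warn* values cleared and a matching Run-key entry, so treat the combined report rather than any one line as the signal before remediating.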