Troj/Banker-CK is an information stealing Trojan for the Windows platform.
The Trojan monitors a user's internet activity and steals login details when on-line banking and finance sites are used. These details are then sent to a remote user.
Troj/Banker-CK checks for approximately 2500 different financial websites, and also any URLs containing the strings '/cpanel' or '/psoft/servlet'. It also checks for URLs that explicitly reference the following ports:
19638
2082
2083
2086
2087
8086
8443
The Trojan copies itself to the Windows folder as mscsvc.ex, and creates the following registry entry to ensure that it is run when an infected system starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mscsvc.exe
<Windows folder>\mscsvc.exe