Troj/Banker-CO steals information related to online banking sites.
Troj/Banker-CO copies its main executable and a DLL component to the Windows folder as smsm.exe and stray.dll respectively. The following registry entry is created to run the executable on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
smsm = C:\WINDOWS\smsm.exe
The Trojan may be installed by a self-extracting archive.
Troj/Banker-CO monitors keystrokes and logs them to the files ctm.sys, ssct.sys, win.txt and wst.sys in the Windows folder.
Troj/Banker-CO may also replace the window of online banking software with its own interface in order to trick the user into entering banking details.
Stolen information is periodically sent to a remote user by email.
Troj/Banker-CO may display an error message:
<date>: is not a valid date
where <date> is a date in the format day-month-year.
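
The file names and the Run value listed above can be checked on a host with a short read-only PowerShell script. This is an added example, not part of the original description; the WOW6432Node key is an assumption to cover 64-bit Windows, where registry writes by 32-bit processes are redirected.

```powershell
# Added example: read-only check for the Troj/Banker-CO artifacts described above.
$winDir = $env:WINDIR   # the "Windows folder" in the description

# File names and roles as given in the description.
$artifacts = [ordered]@{
    'smsm.exe'  = 'main executable'
    'stray.dll' = 'DLL component'
    'ctm.sys'   = 'keystroke log'
    'ssct.sys'  = 'keystroke log'
    'win.txt'   = 'keystroke log'
    'wst.sys'   = 'keystroke log'
}

$findings = @()
foreach ($name in $artifacts.Keys) {
    $path = Join-Path $winDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force   # -Force: include hidden files
        $findings += [pscustomobject]@{
            Type     = 'File'
            Role     = $artifacts[$name]
            Location = $path
            Detail   = "size=$($item.Length) modified=$($item.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

# Run key from the description, plus the WOW6432Node view (assumption: on 64-bit
# Windows a 32-bit process writing to HKLM\SOFTWARE is redirected there).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -LiteralPath $key -Name 'smsm' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Role = 'startup entry'; Location = "$key\smsm"; Detail = $run.smsm
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Troj/Banker-CO artifacts found under $winDir or the Run keys."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A name such as win.txt is generic, so a keystroke-log match on its own is a weak signal; the smsm Run value pointing at smsm.exe in the Windows folder is the more specific indicator.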