Troj/Banker-EX

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Banker-EX is a banking Trojan for the Windows platform.

Troj/Banker-EX captures internet traffic bound for commerce sites and sends this data to a remote website. The Trojan captures traffic from log-on and edit windows with titles that include the following strings:

24hour-online
365online
abbey
activobank7
albb
amp.com
arabbank
ationwide
australiancu
banco
bancosantander
banesto
banif
bank
bankofscotlandhalifax-online
bankwest
barclays
bcp.pt
bes.pt
bic.pt
bpatlantico
bportugal
caixagalicia
cajamadrid
capitalone
caterallen
cbonline
cgd.pt
cisf.pt
Citibank
co-operativebank
easystreet
ebank
egg.com
eircom.net
first-direct
halifax-online
hsbc.co.uk
if.com
ing.com
investec
lacaixa
leedsandholbeck
lloydstsb
login.passport.net
macquarie
national
nbonline
netbank
northernrock
nwolb.com
permanenttsb
rbsdigital.com
stgeorge
Woolwich

When first run, Troj/Banker-EX will drop two files named IESPRT.SYS and LSD_F3.DLL into the Windows system folder. These files are detected as Troj/Banker-EX.

Under Windows 9x systems, Troj/Banker-EX will set the following registry entries in order to run automatically on system startup:

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
DllName
lsd_f3.dll

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
EntryPoint
LSD_F3

Under Windows NT-based systems (NT, 2000, XP etc.), Troj/Banker-EX will register LSD_F3.DLL under Winlogon Notify and IESPRT.SYS as a driver in order to run them automatically on system startup.

LSD_F3.DLL will have the following settings under Winlogon Notify:

name = f3dsl
path = lsd_f3.dll
notifyfunction = LSD_F3

IESPRT.SYS will have the following driver settings:

drivername = iesprt
displayname = KeIE
imagepath = \??\C:\WINDOWS\System32\iesprt.sys

As a result, the following registry entries will be set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
DllName
lsd_f3.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
Startup
LSD_F3

HKLM\SYSTEM\CurrentControlSet\Services\iesprt
ImagePath
\??\C:\WINDOWS\System32\iesprt.sys

HKLM\SYSTEM\CurrentControlSet\Services\iesprt
DisplayName
KeIE

HKLM\SYSTEM\ControlSet<Number>\Services\iesprt
ImagePath
\??\C:\WINDOWS\System32\iesprt.sys

HKLM\SYSTEM\ControlSet<Number>\Services\iesprt
DisplayName
KeIE
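As an added example (not part of the Sophos description and not the Trojan's own code), the following Python script scans a registry export in the text format regedit writes ("Windows Registry Editor Version 5.00") for the persistence entries listed above: the Windows 9x MPRServices\TestService key, the Winlogon\Notify\f3dsl package, and the iesprt driver service under any ControlSet. The parser handles quoted string values and passes typed values (dword:, hex:) through as raw text; the sample export embedded below is constructed for the demonstration and mixes one benign Winlogon Notify package with the Banker-EX entries.

```python
"""Scan a Windows registry export (.reg text) for the Troj/Banker-EX
persistence entries listed in the description above (added example)."""
import re

# Key-path patterns taken from the description.  The service key is matched
# under CurrentControlSet and any numbered ControlSet (ControlSet<Number>).
KEY_PATTERNS = [
    (re.compile(r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MPRServices\\TestService$", re.I),
     "Windows 9x MPRServices autostart entry"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\f3dsl$", re.I),
     "Winlogon Notify package 'f3dsl'"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\iesprt$", re.I),
     "driver service 'iesprt'"),
]

# Component names the description associates with the Trojan; "lsd_f3" covers
# both the DLL name and the LSD_F3 entry point, "iesprt" the driver file/service.
DATA_MARKERS = ("lsd_f3", "iesprt")

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every value in a .reg export.

    Quoted REG_SZ data is unquoted and unescaped (\\\\ -> \\, \\" -> ");
    typed data such as dword:00000001 is returned as the raw text.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def scan_reg_export(text):
    """Return a list of findings: each value that sits under a Banker-EX
    persistence key or whose data names a Banker-EX component."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = [label for pattern, label in KEY_PATTERNS if pattern.match(key)]
        if any(marker in data.lower() for marker in DATA_MARKERS):
            reasons.append("value data references a Banker-EX component")
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export: one legitimate Winlogon Notify package followed by
# the Banker-EX entries from the description (backslashes are doubled, as in
# a real .reg file).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]
"DllName"="lsd_f3.dll"
"Startup"="LSD_F3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt]
"ImagePath"="\\??\\C:\\WINDOWS\\System32\\iesprt.sys"
"DisplayName"="KeIE"
"Type"=dword:00000001
'''

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_EXPORT):
        print(f"{f['key']}\n  {f['value']} = {f['data']}\n  -> {', '.join(f['reasons'])}")
```

Run it against a real export with `python scan.py < export.reg` after replacing `SAMPLE_EXPORT` with `sys.stdin.read()`; on a live NT-based system the same entries can be checked directly with `reg query` against the Winlogon\Notify and Services keys named above. Matching is case-insensitive because registry key paths are.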
