Troj/Banker-H drops a DLL named HookerDll.Dll to the Windows folder and loads it.
This DLL logs keyboard entries that a victim types into a window whose title bar contains any of the following strings:
e-gold Account Access
HSBC Internet banking
online@hsbc
Welcome to National Internet Banking
St.George Internet Banking Logon Page
Business Banking Online Login Page
directshares
MasterCard Connections Online - Welcome
St George Treasury: Client Logon
ANZ Internet Banking
SAAM Login
ANZ E*TRADE
FX Online Sphinx Login Page
https://www.tradeportal.proponix.com
BankSA Internet Banking Logon Page
Westpac Internet - Sign In
Westpac Internet Banking
NetBank - Logon
Commonwealth Securities Limited
Managed Funds and Superannuation Online - Login
Citibank Australia
Banesnet Particulares
Acceso a Banca por Internet
Wachovia Online Business Banking
Online Services - Account Login
Ventura County Business Bank Online Banking
PNC Bank - Account Link for Business
Fleet HomeLink Online Banking and Investing
e-Bullion: Account Login
:: WMcards.com :: Customer Support
moneybookers.com - and money moves
SunTrust Online Banking
Washington Mutual - Log On
Discover Card: Account Center Log In
OrbitPay.net - The Payment Processor Of Choice!
Banco Popular - Internet Banking
Nationwide Building Society - On-line banking
E*TRADE Log On
Accueil Bred.fr < Espace Bred.fr
Credit Lyonnais interactif
CyberMUT
Banque en ligne
Tous les produits et services
Banque Populaire
Home Page Banca Intesa
Collegamento a Scrigno
Barclaycard Merchant Services
American Express UK - Personal Finance
Merchant Administration
Wells Fargo - Small Business Home Page
Commercial Electronic Office Sign On
VeriSign Personal Trust Service
VeriSign Partner Manager
SUNCORP METWAY
iKobo Money Transfer
Welcome to Citi
Captured text is written to a file called krk.txt in the Windows folder, and the contents of that file are periodically sent to the attacker in an email.
Troj/Banker-H copies itself to the Windows folder and creates the following registry entry so that the Trojan is run when a user logs in to Windows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
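A read-only host check for the three artefacts described above (HookerDll.Dll and krk.txt in the Windows folder, and the Run value named OLE), added here as an example and not part of the original description. The function name Get-BankerHIndicator is hypothetical, and because HKCU is per user the check goes slightly beyond the text by inspecting every loaded user hive under HKEY_USERS.

```powershell
# Added example: host check for the Troj/Banker-H artefacts named on this page.
# Read-only; Get-BankerHIndicator is a hypothetical name, not a vendor tool.
function Get-BankerHIndicator {
    [CmdletBinding()]
    param(
        # Windows folder to inspect; defaults to the running system's.
        [string]$WindowsFolder = $env:windir
    )

    # Files the description places in the Windows folder.
    foreach ($name in 'HookerDll.Dll', 'krk.txt') {
        $path = Join-Path -Path $WindowsFolder -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Type     = 'File'
                Location = $file.FullName
                Detail   = '{0} bytes, modified {1:u}' -f $file.Length, $file.LastWriteTimeUtc
            }
        }
    }

    # HKCU is per user, so look at every loaded user hive under HKEY_USERS.
    $runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $runKey = "Registry::$($hive.Name)\$runSubKey"
        if (-not (Test-Path -LiteralPath $runKey -ErrorAction SilentlyContinue)) { continue }
        $entry = Get-ItemProperty -LiteralPath $runKey -Name 'OLE' -ErrorAction SilentlyContinue
        if ($null -ne $entry) {
            [pscustomobject]@{
                Type     = 'RunValue'
                Location = "$($hive.Name)\$runSubKey\OLE"
                Detail   = [string]$entry.OLE   # command line launched at logon
            }
        }
    }
}

# Empty output means none of the three artefacts were found.
Get-BankerHIndicator | Format-List
```

Run it from an elevated prompt so that hives of other logged-on users are readable; hives of users who are not logged on are not loaded and are not covered. The description does not give the data stored in the OLE value, so review the reported command line before treating a hit as confirmed.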