Troj/Banker-Q is an information-stealing Trojan. The Trojan attempts to steal online banking login details.
Troj/Banker-Q may arrive as a file called demo.exe, which drops the files inst.exe and IEHelper.dll into the Windows system folder.
On execution, inst.exe installs IEHelper.dll as a Browser Helper Object (BHO) and sets the following registry entries:
HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\
@ = "IE 4.x-5.x BHO in ObjectPascal"
HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\InprocServer32\
@ = "C:\\WINDOWS\\system32\\IEHelper.dll"
HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\ProgID\
@ = "IEHelper.IEHelperOP"
HKCR\IEHelper.IEHelperOP\
@ = "IE 4.x-5.x BHO in ObjectPascal"
HKCR\IEHelper.IEHelperOP\Clsid\
@ = "(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\
Troj/Banker-Q monitors internet activity for access to the online banking sites of a number of banks, such as Barclays, Lloyds TSB and Halifax, logs confidential information and sends it to a remote location.
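The BHO registration listed above can be checked offline from a registry export. The following is an added example, not part of the original description: it parses the text of a .reg export, lists each Browser Helper Object with its InprocServer32 DLL, and flags the CLSID and IEHelper.dll named above. It assumes the export is already decoded to text and includes HKEY_CLASSES_ROOT\CLSID; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above; registry exports write CLSIDs in braces.
IOC_CLSID = "3A4E6FF3-BF59-446E-9DC8-731BCE2F349A"
IOC_DLL = "iehelper.dll"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects").upper() + "\\"
CLSID_KEY = "HKEY_CLASSES_ROOT\\CLSID\\"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse decoded .reg text into {KEY_PATH_UPPER: {value_name: string_data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # Only REG_SZ values are kept; the .reg escapes \\ and \" are undone.
            current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit_bhos(text):
    """List every registered BHO with its server DLL and an IoC match flag."""
    keys, findings = parse_reg(text), []
    for path in keys:
        clsid = path[len(BHO_KEY):]
        if not path.startswith(BHO_KEY) or not clsid or "\\" in clsid:
            continue  # not a direct child of the Browser Helper Objects key
        dll = keys.get(CLSID_KEY + clsid + "\\INPROCSERVER32", {}).get("@")
        suspect = (clsid.strip("{}()") == IOC_CLSID
                   or (dll or "").lower().endswith("\\" + IOC_DLL))
        findings.append({"clsid": clsid.strip("{}()"), "dll": dll, "suspect": suspect})
    return findings

# Constructed sample export (not captured from a real host); second entry is benign.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
@="C:\\WINDOWS\\system32\\IEHelper.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for finding in audit_bhos(SAMPLE):
        print(finding)
```

Because the DLL path is matched independently of the CLSID, a BHO that loads IEHelper.dll under a different CLSID is still flagged.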