Troj/Banker-S is a password-stealing Trojan that attempts to log keystrokes
associated with web browsing.
Troj/Banker-S creates the following files, all of which are detected by this
identity:
<Windows>\dllreg.exe
<Windows>\sock64.dll
<StartUp>\rundllw.exe
<Windows System>\load32.exe
<Windows System>\vxdmgr32.exe
To run on system restart, Troj/Banker-S creates the following registry
entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32
Troj/Banker-S adds the name of one of the copies of itself to the Run= line of
win.ini and the shell= line of system.ini.
Troj/Banker-S uses its own SMTP engine to send the keylogger's results to a
Russian email address.
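
The autostart locations listed above can be checked together on a suspect host or a forensic image. The following is an added example, not part of the original description: it takes the text of win.ini and system.ini plus the values of the Run key and reports any entry that references one of the file names above. The function names, the sample paths and the sample contents are constructed for illustration; [windows] and [boot] are the standard sections holding run= and shell=.

```python
import ntpath
import re

# File names and Run value name taken from the description above.
DROPPED_NAMES = {"dllreg.exe", "sock64.dll", "rundllw.exe", "load32.exe", "vxdmgr32.exe"}
RUN_VALUE_NAME = "load32"
# Legacy INI autostart keys: (file label, section, key).
INI_KEYS = [("win.ini", "windows", "run"), ("system.ini", "boot", "shell")]

def ini_value(text, section, key):
    """Return the value of key in [section], case-insensitively, or ''."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return ""

def programs(value):
    """Split an autostart value into lower-cased base file names."""
    parts = re.split(r"[\s,]+", value.replace('"', ""))
    return [ntpath.basename(p).lower() for p in parts if p]

def find_persistence(ini_texts, run_values):
    """ini_texts: {file label: contents}; run_values: {value name: data}."""
    findings = []
    for label, section, key in INI_KEYS:
        value = ini_value(ini_texts.get(label, ""), section, key)
        for prog in programs(value):
            if prog in DROPPED_NAMES:
                findings.append(f"{label} [{section}] {key}= references {prog}")
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or set(programs(data)) & DROPPED_NAMES:
            findings.append(f"Run value {name!r} -> {data}")
    return findings

# Constructed sample input, not captured from a real host.
SAMPLE_INI = {"win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe\n",
              "system.ini": "[boot]\nshell=Explorer.exe load32.exe\n"}
SAMPLE_RUN = {"load32": "C:\\WINDOWS\\SYSTEM\\load32.exe", "SystemTray": "SysTray.Exe"}
```

Calling find_persistence(SAMPLE_INI, SAMPLE_RUN) returns one finding per autostart location; a match on file name alone is a lead to confirm with an anti-virus scan of the referenced file.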