Sophos

Troj/Banker-DMN

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 20 September 2006 08:19:02 (GMT)
Detected by: All Sophos products

More Information

Troj/Banker-DMN is an internet banking Trojan for the Windows platform.

Troj/Banker-DMN monitors the user's internet access and steals on-line banking details.

When Troj/Banker-DMN is installed the following files are created (<System> is the Windows system folder, typically C:\Windows\System32):

<System>\agpbrdg0.dll - detected as Troj/Banker-DLD
<System>\agpbrdg5.sys - detected as Troj/Haxdor-Gen
<System>\ksl48.bin - can be safely deleted

The following registry entries register agpbrdg0.dll as a Winlogon notification package, so that winlogon.exe loads the DLL and calls its exported function agpbrdg0 at the Startup event; Impersonate = 1 asks Winlogon to impersonate the logged-on user when it calls the handler:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\agpbrdg0
    DllName = agpbrdg0.dll
    Startup = agpbrdg0
    Impersonate = 1
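The Winlogon\Notify persistence above can be triaged offline from a registry export taken during response. The following Python is an added example (not code from the Sophos page): it parses a `reg export` of the Notify key and reports every notification package that is not in a baseline, or whose DllName differs from the baseline DLL (a hijacked stock entry). The baseline of stock Windows XP packages and the sample export are assumptions constructed for the example; confirm the baseline against a known-good host of the same build before relying on it.

```python
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: package name -> DLL for the stock Windows XP SP2 notification
# packages. Starting point only; verify against a known-good host of the same build.
BASELINE_PACKAGES = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "ScCertProp": "wlnotify.dll", "Schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "SensLogn": "WlNotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

# Constructed sample of `reg export "HKLM\...\Winlogon\Notify" notify.reg`:
# one stock package next to the entry described for Troj/Banker-DMN.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\agpbrdg0]
"DllName"="agpbrdg0.dll"
"Startup"="agpbrdg0"
"Impersonate"=dword:00000001
"""


def _logical_lines(text: str):
    """Yield .reg lines with continuation lines joined (a trailing backslash wraps long hex data)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_value(raw: str):
    """Decode the data side of a .reg value line: "string", dword:xxxxxxxx or hex(2): (REG_EXPAND_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_notify_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {package subkey: {value name: data}} for every subkey under Winlogon\\Notify."""
    packages: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
                current = key[len(NOTIFY_KEY) + 1:]
                packages[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            packages[current][name.strip('"')] = _decode_value(raw)
    return packages


def flag_notify_packages(packages: Dict[str, Dict[str, object]],
                         baseline: Dict[str, str] = BASELINE_PACKAGES) -> List[Tuple[str, str, str]]:
    """(package, DllName, reason) for packages outside the baseline or pointing at a different DLL."""
    findings = []
    for name, values in packages.items():
        dll = str(values.get("DllName", ""))
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, dll, "package not in baseline"))
        elif dll.lower() != expected.lower():
            findings.append((name, dll, f"DllName changed from {expected}"))
    return findings


if __name__ == "__main__":
    for pkg, dll, reason in flag_notify_packages(parse_notify_export(SAMPLE_REG_EXPORT)):
        print(f"{pkg}: DllName={dll!r} ({reason})")
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` taken from the suspect host; the DllName of anything it flags is the file to pull for analysis.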

Troj/Banker-DMN includes functionality to:

- modify the HOSTS file
- harvest usernames and passwords from the Protected Storage area (saved Internet Explorer and Outlook Express credentials) as well as from the Internet Account Manager (Outlook Express mail account settings)

The Trojan also attempts to block access to anti-virus and security-related websites, including:

updates1.kaspersky-labs.com
customer.symantec.com
download.mcafee.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
avp.com
avp.ru
awaps.net
downloads3.kaspersky-labs.com
dispatch.mcafee.com
downloads4.kaspersky-labs.com
avp.ch
updates2.kaspersky-labs.com
virustotal.com
updates3.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
engine.awaps.net
f-secure.com
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kasperskylab.ru
ftp.kaspersky.ru
d-ru-1f.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
rads.mcafee.com
d-eu-2f.kaspersky-labs.com
liveupdate.symantec.com
d-us-1f.kaspersky-labs.com
ftp.sophos.com
ids.kaspersky-labs.com
kaspersky.com
kaspersky-labs.com
kaspersky.ru
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
networkassociates.com
phx.corporate-ir.net
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
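Blocking of vendor sites of this kind is commonly done through the HOSTS file the Trojan modifies, and it is quick to check for. The following Python is an added example (not code from the Sophos page): it parses a HOSTS file, flags any static mapping for a security-vendor domain, and classifies the mapping as a blackhole (loopback or 0.0.0.0) or a redirect to some other address. The watchlist is a set of registrable domains derived from the list above (suffix-matched, so subdomains are caught), and the sample HOSTS content is constructed for the example.

```python
import ipaddress
from typing import Dict, Iterator, List, Sequence, Tuple

# Registrable domains covering the block list above (a subset; extend as needed).
SECURITY_DOMAINS: Sequence[str] = (
    "kaspersky-labs.com", "kaspersky.com", "kaspersky.ru", "kasperskylab.ru",
    "avp.com", "avp.ru", "avp.ch", "symantec.com", "symantecliveupdate.com",
    "mcafee.com", "networkassociates.com", "my-etrust.com", "sophos.com",
    "f-secure.com", "trendmicro.com", "virustotal.com",
)

# Constructed sample HOSTS file: stock entries, two legitimate local mappings,
# and the kind of entries an infected host would carry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.corp
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1\tliveupdate.symantec.com
0.0.0.0 virustotal.com  www.virustotal.com   # blocked
192.0.2.10 sophos.com
"""


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, address, hostname) for every mapping in a HOSTS file.
    Comments (#) and blank lines are ignored; one line may list several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            yield line_no, address, name.lower().rstrip(".")


def is_security_domain(host: str, domains: Sequence[str] = SECURITY_DOMAINS) -> bool:
    """True if host is one of the watchlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_target(address: str) -> str:
    """'blackhole' for loopback / unspecified targets, 'redirect' for anything else."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"
    return "redirect"


def find_hijacked_entries(text: str, domains: Sequence[str] = SECURITY_DOMAINS) -> List[Dict[str, object]]:
    """Any static HOSTS mapping for a security-vendor domain is suspicious: these names are
    normally resolved through DNS, so an entry either blackholes them (update and support
    sites become unreachable) or redirects them to an address the attacker chose."""
    findings: List[Dict[str, object]] = []
    for line_no, address, host in parse_hosts(text):
        if is_security_domain(host, domains):
            findings.append({"line": line_no, "host": host, "ip": address,
                             "target": classify_target(address)})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['target']})")
```

On a live Windows host, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains nothing but localhost entries and any mappings the administrator added, so every flagged line is worth explaining.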
