Troj/Banker-EX

Aliases	Trojan-Spy.Win32.Banker.ex PWS-Banker
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Web browsing
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	2 December 2004 10:35:17 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

Troj/Banker-EX is a banking Trojan for the Windows platform.

Troj/Banker-EX captures internet traffic bound for commerce sites and sends this data to a remote website. The Trojan captures traffic from log-on and edit windows with titles that include the following strings:

24hour-online
365online
abbey
activobank7
albb
amp.com
arabbank
ationwide
australiancu
banco
bancosantander
banesto
banif
bank
bankofscotlandhalifax-online
bankwest
barclays
bcp.pt
bes.pt
bic.pt
bpatlantico
bportugal
caixagalicia
cajamadrid
capitalone
caterallen
cbonline
cgd.pt
cisf.pt
Citibank
co-operativebank
easystreet
ebank
egg.com
eircom.net
first-direct
halifax-online
hsbc.co.uk
if.com
ing.com
investec
lacaixa
leedsandholbeck
lloydstsb
login.passport.net
macquarie
national
nbonline
netbank
northernrock
nwolb.com
permanenttsb
rbsdigital.com
stgeorge
Woolwich

When first run, Troj/Banker-EX will drop two files named IESPRT.SYS and LSD_F3.DLL into the Window system folder. These files are detected as Troj/Banker-EX.

Under Windows 9x systems, Troj/Banker-EX will set the following registry entries in order to run automatically on system startup:

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
DllName
lsd_f3.dll

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
EntryPoint
LSD_F3

Under Windows NT based systems (NT, 2000, XP etc.), Troj/Banker-EX will register LSD_F3.DLL under Winlogon Notify and IESPRT.SYS as a driver in order to run them automatically on system startup.

LSD_F3.DLL will have the following settings under Winlogon Notify:

name = f3dsl
path = lsd_f3.dll
notifyfunction = LSD_F3

IESPRT.SYS will have the following driver settings:

drivername = iesprt
displayname = KeIE
imagepath = \??\C:\WINDOWS\System32\iesprt.sys

As a result, the following registry entries will be set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
DllName
lsd_f3.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
Startup
LSD_F3

HKLM\SYSTEM\CurrentControlSet\Services\iesprt
ImagePath
\??\C:\WINDOWS\System32\iesprt.sys

HKLM\SYSTEM\CurrentControlSet\Services\iesprt
DisplayName
KeIE

HKLM\SYSTEM\ControlSet<Number>\Services\iesprt
ImagePath
\??\C:\WINDOWS\System32\iesprt.sys

HKLM\SYSTEM\ControlSet<Number>\Services\iesprt
DisplayName
KeIE

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Banker-EX

Summary

Action

More Information