Troj/BankSnif-B

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports

Troj/BankSnif-B is an information stealing Trojan for the Windows platform.

When Troj/BankSnif-B is installed the following files are created:

<Temp>\delete.bat
<System>\dllcache\msupdprx.dll

The file msupdprx.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782375}
HKCR\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}
HKCR\Microsoft.Update.Proxy\
HKCR\Microsoft.Update.Proxy.1\
HKCR\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8782}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782375}

The Trojan monitors HTTP requests for certain banking sites and steals login details. The Trojan captures login data for a preconfigured list of banking domains.

The Trojan modifies the HOSTS file (typically located in <System>\drivers\etc\HOSTS) redirecting requests for the previously mentioned domains to the local computer where the Trojan then intercepts the data.
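One defender-side check for the HOSTS modification described above, written as an added example (not Sophos's tooling or the Trojan's code): it parses HOSTS-file text and flags any hostname other than the stock loopback names that has been pinned to 127.0.0.1 or ::1, which is exactly the footprint this Trojan leaves. The sample HOSTS content and the bank hostnames in it are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple

class HostsEntry(NamedTuple):
    ip: str
    hostname: str
    line_no: int

# Names that a stock Windows HOSTS file legitimately maps to a loopback address.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse HOSTS-file text into (ip, hostname, line) tuples, skipping comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()             # one address, one or more names
        for name in names:
            entries.append(HostsEntry(ip, name.lower(), line_no))
    return entries

def find_loopback_hijacks(text: str) -> list[HostsEntry]:
    """Return entries that pin a non-local hostname to 127.0.0.1 or ::1.
    That is the footprint the page describes: the browser resolves the bank's
    name to the local machine, where the Trojan's listener gets the login."""
    hijacks = []
    for entry in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(entry.ip)
        except ValueError:
            continue                          # malformed line, leave it alone
        if addr.is_loopback and entry.hostname not in BENIGN_LOOPBACK_NAMES:
            hijacks.append(entry)
    return hijacks

# Constructed sample: a stock HOSTS file with two injected redirections.
# The bank and payment hostnames are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       online.example-bank.test     # injected by the Trojan
127.0.0.1       login.example-payments.test  # injected by the Trojan
"""

if __name__ == "__main__":
    for e in find_loopback_hijacks(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.hostname} -> {e.ip}")
```

On a Windows host the text to check is read from <System>\drivers\etc\HOSTS; any hit should be cross-checked against the BHO registration above before the file is restored.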