Troj/BankSnif-D

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/BankSnif-D is a Trojan for the Windows platform.

The file java.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}
HKCR\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}
HKCR\Microsoft.Java\
HKCR\Microsoft.Java.1\
HKCR\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8780}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379}

Troj/BankSnif-D monitors HTTP requests for certain banking sites and steals login details. The Trojan captures login data for the following domains:

accounts4.keybank.com
activia.caixagalicia.es
banesnt.banesto.es
bank.mashreqbank.com
bd-i.com.do
business.pictet.com
bw7.sparkasse-banking.de
esecure.regionsnet.com
extrant.banesto.es
fastnetoffice.asbbank.co.nz
fni.asbbank.co.nz
home1ae.cd.citibank.ae
ibanking.firstcaribbeanbank.com
ibanking.seb.de
iibank.barclays.co.uk
iibank.cahoot.com
inet.barclays.co.uk
inet.southtrustonlinebanking.com
internetbank.intesabci.it
isec.westpactrust.co.nz
lb.national.com.au
lod.caixabank.ad
log-in.banknetpower.net
login.365online.com
login.caixasabadell.net
login.cajamar.es
login.ccfcuonline.org
login.ccm.es
login.compassweb.com
login.ebank.offshore.hsbc.co.je
login.forumcuonline.com
login.iblogin.com
login.webbanking.comerica.com
logon.bankone.com
logon.firstmeritib.com
logon.members1st.org
logon.personal.wamu.com
lrp.sparkasse-banking.de
no116.alislami.ae
ob2.nationet.com
oii.cajamadrid.es
ollb.westpac.com.au
on-line.barrington-bank.com
on-line.belizebank.com
on-line.halifax.es
on-line.nbad.com
online-banking.arubabank.com
online-banking.orcobank.com
onlineaccounts2.abbeynational.co.uk
pcbs.peoples.com
personal-atlantic.atlabank.com
portal09.commerzbanking.de
private.pictet.com
rollb.associatedbank.com
secured.1stdigibank.com
secured.anz.com
secured.griffonbank.com
upb.unionplanters.com
web-banking.dgmbank.com
web-xp2-nta.ntrs.com
web.banking.firsttennessee.com
welcome.smile.co.uk
wvw.abnamrotrust.com
wvw.bancodicaribeonline.com
wvw.bankofantigua.com
wvw.bpavirtual.ad
wvw.bpd.com.do
wvw.bsa.ad
wvw.butterfielddirect.com
wvw.cbdonline.ae
wvw.citizensbankonline.com
wvw.creditlibanais.com.lb
wvw.csebanking.it
wvw.e-gold.com
wvw.etrade.com
wvw.exactpay.com
wvw.gironet.com
wvw.icbizbanker.com
wvw.internetbanking.gad.de
wvw.kunden-service.lbs.de
wvw.mcb-home.com
wvw.nbd.ae
wvw.netteller.com
wvw.offshoreprotect.com
wvw.paypal.com
wvw.sftebanking.com
wvw.totallyfreebanking.com
wvw.unb.com
wvw.utibank.co.in
wvw.wallstreet-corp.co.ae
ww.bayernlb.de
ww.bics.fr
ww.cibconline.cibc.com
ww.creditmutuel.fr
ww.e-banking.helaba.de
ww.extensive.bancalombarda.it
ww.hsbc.co.uk
ww.hsh-nordbank.de
ww.isideonline.it
ww.mynfbonline.com
ww.unicaja.es
ww1.bendigobank.com.au
ww1.nwolb.com
ww1.onlinebanking.iombank.com
ww1.portal.izb.de
ww1.royalbank.com
ww1.www.rbsdigital.com
ww2.anz.com
ww2.bankofscotlandhalifax-online.co.uk
ww2.berliner-volksbank.de
ww2.dresdner-privat.de
ww2.homebanking-sparkasse.de
ww2.mybranch.lafcu.com
ww2.nbnz.co.nz
ww2.netbank.commbank.com.au
ww2.onlinebanking.lasallebank.com
ww2.scotiaonline.scotiabank.com
ww2.teacherscreditunion.com.au
ww2.vr-networld-ebanking.de
ww3.bbvanet.com
ww3.connect.skyfi.com
ww3.etimebanker.bankofthewest.com
ww3.homebanking-berlin.de
ww3.homebanking-niedersachsen.de
ww3.online-business.lloydstsb.co.uk
ww3.online-offshore.lloydstsb.com
ww3.online.lloydstsb.co.uk
ww3.onlinebanking.natwestoffshore.com
ww3.sella.it
ww4.fleethomelink.fleet.com
ww5.bmo.com
ww7.homebanking-berlin.de
www.bancae.caixapenedes.com
www.bank.alliance-leicester.co.uk
www.banking.lbbw.de
www.banking.postbank.de
www.bvi.bancodevalencia.es
www.calvados2-enligne.credit-agricole.fr
www.cib.ibanking-services.com
www.co.caixabank.fr
www.ecredit.ad
www.eds.usersonlnet.com
www.global1.onlinebank.com
www.meine.deutsche-bank.de
www.miwebbusbank.ebanking-services.com
www.my.hypovereinsbank.de
www.mybank.bybank.it
www.online.wellsfargo.com
www.onlinebanking.bankofoklahoma.com
www.onlinebanking.huntington.com
www.onlinebanking.norisbank.de
www.onlinebanking.standardchartered.ae
www.onlineid.bankofamerica.com
www.secure.mvnt4.com
www.secure.tdbanknorth.com
www.signin.ebay.com
www3.aibgbonline.co.uk
www3.coventrybuildingsociety.co.uk
www5.bancopopular.es
www6.usbank.com

Troj/BankSnif-D modifies the HOSTS file (typically located in <System>\drivers\etc\HOSTS), redirecting requests for the domains listed above to the local computer, where the Trojan then intercepts the submitted data.
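The two persistence and interception artifacts described on this page (the BHO registered under the Browser Helper Objects registry key, and the HOSTS file entries that pin the listed banking domains to the local machine) can both be checked from the defender's side. The script below is an added example and is not Sophos' detection logic or the Trojan's own code. It assumes a small subset of the domain list above (extend MONITORED_DOMAINS with the full list as needed), a constructed sample HOSTS file for offline use, and the registry key path exactly as stated on the page; the registry check only runs on Windows and returns an empty list elsewhere.

```python
"""Check for Troj/BankSnif-D style artifacts: HOSTS redirects of banking
domains and the BHO CLSID named in the description (added example)."""
import ipaddress
import os
import sys
from typing import List, Tuple

# Subset of the domains listed on the page; extend with the full list.
MONITORED_DOMAINS = {
    "www.onlineid.bankofamerica.com",
    "www.online.wellsfargo.com",
    "wvw.paypal.com",
    "ww1.nwolb.com",
    "www.signin.ebay.com",
}

# CLSID and registry key as given on the page.
BANKSNIF_BHO_CLSID = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# <System>\drivers\etc\HOSTS, resolved from the environment on Windows.
DEFAULT_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")

# Constructed sample: a clean header plus three injected banking entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.onlineid.bankofamerica.com   # constructed: redirect to local machine
127.0.0.1  wvw.paypal.com
192.0.2.10 ww1.nwolb.com   # constructed: pinned to a TEST-NET address
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:  # one line may map several hostnames
            entries.append((address, name.lower()))
    return entries


def suspicious_hosts_entries(text: str, monitored=MONITORED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Flag any monitored banking domain that HOSTS resolves locally.

    A legitimate HOSTS file has no reason to pin a bank's login host, so every
    hit is reported; loopback hits match the behaviour described on the page.
    """
    findings = []
    for address, name in parse_hosts(text):
        if name not in monitored:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed address; not the case this check is for
        reason = "loopback" if addr.is_loopback else "pinned to non-loopback address"
        findings.append((name, address, reason))
    return findings


def installed_bho_clsids() -> List[str]:
    """Enumerate BHO CLSIDs under HKLM (Windows only; empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    clsids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        index = 0
        while True:
            try:
                clsids.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return clsids


def banksnif_bho_present() -> bool:
    """True if the CLSID named on the page is registered as a BHO."""
    return BANKSNIF_BHO_CLSID.lower() in (c.lower() for c in installed_bho_clsids())


if __name__ == "__main__":
    if os.path.exists(DEFAULT_HOSTS_PATH):
        with open(DEFAULT_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    else:
        hosts_text = SAMPLE_HOSTS  # offline run on the constructed sample
    for name, address, reason in suspicious_hosts_entries(hosts_text):
        print(f"HOSTS: {name} -> {address} ({reason})")
    print("BHO CLSID registered:", banksnif_bho_present())
```

On 64-bit Windows a 32-bit Internet Explorer BHO may also be registered under the WOW6432Node view of the same key, so a thorough check enumerates both views; the script above reads only the key path the page states.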