Banker.WXS infects bootloader and steals banking data (Dec 15, 2011)
SonicWALL UTM Research team received reports of a new Banking trojan in the wild. This Banking trojan infects the Windows NT system’s NTLDR bootloader, the file that runs before the computer’s operating system. It also steals banking data and target files related to GBPlugin, a browser security plug-in used mostly by Brazilian Banks.
Source of this Trojan have been linked to spam email containing download links.
Once the user downloads and executes the trojan, it will do the following activities:
Downloads the file wxp.zip that contains the following:
- xp-msantivirus
- xp-msclean
- ntldrv2
- menu.lst
- clean.bat
Makes a backup of systems ntldr as ntldr.old and replaces the original ntldr with ntldrv2 file.
The new ntldr file is a modified GRUB bootloader that runs the file menu.lst
The menu.lst is responsible for calling the files xp-msantivirus and xp-msclean during system’s reboot. These two files will later on remove files related to GBPlugin and other security softwares.
Files Created:
- {Computer Name}12k12v3r1.exe – copy of banker trojan
Added Registry:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun {Computer Name} “Application Data{Computer Name}12k12v3r1.exe”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced EnableBalloonTips dword:00000000
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapEscDomains
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center UacDisableNotify dword:00000001
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem EnableLUA dword:00000000
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Windows Defender VTNC
Disables User Account Controls notification by adding the following entries:
Disables Windows Defender by replacing the data pointing to the file:
Deleted Registry:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains @ “”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRanges @ “”
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains @ “”
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRanges @ “”
After the installation, the system will be forced to reboot:
Translation: “Windows Update is restarting your computer to install the critical security updates”
- Translation:
Please wait while the operation is performed. Don't turn off or restart your computer. ATTENTION: files were found infected with viruses on your computer .. Starting the process of removing viruses: Process started ... This process may take a while depending on the amount of virus-infected files found. Do not turn off or restart your computer during this process, wait for its completion, your computer will be restarted automatically. Process completed successfully ... Restarting the computer.
Translation: Booting Iniciando a Ferramenta de Remocao de Software Mal Intencionado da Microsoft
Translation:
Removal Tool Malicious Software Do not turn off or unplug the machine until the completion of this processDuring the system's reboot, the trojan removes the browser security plug-in GBPlugin and other security software that opens up the computer system for other malicious software. It tries to connect to other URLs to possibly download other malware. It also cleans up its track by deleting originally downloaded files.
Network Activity:
- Remote Server: 50.1{REMOVED}59/.RECURSOS/
- smartp{REMOVED}yhoster.com
- multip{REMOVED}omeze.com
- arowhe{REMOVED}com
- timbe{REMOVED}com
- weigot{REMOVED}.com
DNS Query:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
GAV: Banker.WXS (Trojan)
