Banker.WXS infects bootloader and steals banking data (Dec 15, 2011)


SonicWALL UTM Research team received reports of a new Banking trojan in the wild. This Banking trojan infects the Windows NT system’s NTLDR bootloader, the file that runs before the computer’s operating system. It also steals banking data and target files related to GBPlugin, a browser security plug-in used mostly by Brazilian Banks.

Source of this Trojan have been linked to spam email containing download links.

Once the user downloads and executes the trojan, it will do the following activities:

Downloads the file that contains the following:

  • xp-msantivirus
  • xp-msclean
  • ntldrv2
  • menu.lst
  • clean.bat

Makes a backup of systems ntldr as ntldr.old and replaces the original ntldr with ntldrv2 file.
The new ntldr file is a modified GRUB bootloader that runs the file menu.lst

The menu.lst is responsible for calling the files xp-msantivirus and xp-msclean during system’s reboot. These two files will later on remove files related to GBPlugin and other security softwares.

Files Created:

  • {Computer Name}12k12v3r1.exe – copy of banker trojan

Added Registry:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun {Computer Name} “Application Data{Computer Name}12k12v3r1.exe”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced EnableBalloonTips dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapEscDomains
  • Disables User Account Controls notification by adding the following entries:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center UacDisableNotify dword:00000001
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem EnableLUA dword:00000000
  • Disables Windows Defender by replacing the data pointing to the file:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Windows Defender VTNC

Deleted Registry:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains @ “”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRanges @ “”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains @ “”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRanges @ “”

After the installation, the system will be forced to reboot:


    Translation: “Windows Update is restarting your computer to install the critical security updates”


     Please wait while the operation is performed. Don't turn off or restart your computer.  ATTENTION: files were found infected with viruses on your computer .. Starting the process of removing viruses: Process started ... This process may take a while depending on the amount of virus-infected files found. Do not turn off or restart your computer during this process, wait for its completion,  your computer will be restarted automatically. Process completed successfully ... Restarting the computer. 


    Translation: Booting Iniciando a Ferramenta de Remocao de Software Mal Intencionado da Microsoft



     Removal Tool Malicious Software  Do not turn off or unplug the machine until the completion of this process 

During the system's reboot, the trojan removes the browser security plug-in GBPlugin and other security software that opens up the computer system for other malicious software. It tries to connect to other URLs to possibly download other malware. It also cleans up its track by deleting originally downloaded files.

Network Activity:

  • Remote Server: 50.1{REMOVED}59/.RECURSOS/
  • DNS Query:

  • smartp{REMOVED}
  • multip{REMOVED}
  • arowhe{REMOVED}com
  • timbe{REMOVED}com
  • weigot{REMOVED}.com

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Banker.WXS (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.