February 12, 2016

Banking Trojans are considered to be one of the most dangerous threats. Not only they have a complex architecture, but they are also capable to perform a wide variety of functions. Yet, some attackers do not disdain to contrive rather primitive malicious programs such as, for example, Trojan.Proxy2.102, which was examined by Doctor Web specialists.

Trojan.Proxy2.102 steals money from victims’ bank accounts using the following method. Once launched, it installs a root digital certificate and changes the Internet connection settings specifying a proxy server that belongs to virus makers.

From that time, all requests to webpages of online banking systems are executed using this proxy server. It is also applied to inject arbitrary content into these websites once a user opens them on the infected computer. Therefore, a victim is tricked into transferring money from their accounts to cybercriminals’. Trojan.Proxy2.102 can modify content of such online banking systems as online.sberbank.ru, online.vtb24.ru, and online.rsb.ru. An initial installation of the bogus digital certificate, which is used to sign the corresponding webpages, allows the Trojan to conceal its presence from the user as long as possible.

If the installation procedure is successful, the malicious program transmits the information about this event to the server. Since the Trojan does not register itself in autorun, it goes to an infinite sleep mode once all its malicious functions are performed.

Dr.Web successfully detects and removes Trojan.Proxy2.102, and, therefore, this malicious program poses no threat to our users.

More about this Trojan