
Trojan.PWS.Banker.64540 replaces web content

June 6, 2012

Doctor Web—the Russian anti-virus developer—is warning users about Trojan.PWS.Banker.64540, malware that enables criminals to launch phishing attacks on users whose systems have been compromised.

Trojan.PWS.Banker.64540 consists of two components, an executable file and a dynamic library file, yet it is rather small: about 80 Kbytes. This malware spreads via the well-known Andromeda botnet. When launched on an infected machine, Trojan.PWS.Banker.64540 copies itself into a folder as msvcrt.exe and adds a reference to the file to the registry branch responsible for launching applications automatically. The Trojan checks whether the file is installed in the system. After this, the malware launches itself and injects self-removal code into the svchost.exe process. It stores all the information about its own actions in a log file.
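A triage check for the persistence described above, as an added example that is not Doctor Web's code: it scans a registry export for autorun values that launch a file named msvcrt.exe. The Run/RunOnce key names and the sample export are assumptions constructed for illustration; the page names neither the key nor the folder.

```python
import ntpath
import re

# Assumption: the page does not name the autorun branch; Run/RunOnce are used.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
SUSPECT_NAME = "msvcrt.exe"  # file name reported on the page

# "name"="data" lines of a .reg export; backslash escapes are allowed inside.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
# Quoted path, else shortest prefix ending in .exe, else first token.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+))', re.IGNORECASE)

# Constructed sample in .reg export format (not data from the page).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\Example Dir\\msvcrt.exe\" /s"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Path"="C:\\Tools\\msvcrt.exe"
'''

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def image_path(command):
    """Return the executable part of an autorun command line."""
    m = EXE_RE.match(command)
    return next((g for g in m.groups() if g), "") if m else ""

def find_suspect_autoruns(reg_text):
    """Return (key, value_name, command) for autoruns that launch msvcrt.exe."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: remember the current key
            continue
        m = VALUE_RE.match(line)
        if not (key and m and key.lower().endswith(AUTORUN_SUFFIXES)):
            continue  # not a string value under an autorun key
        command = unescape(m.group("data"))
        if ntpath.basename(image_path(command)).lower() == SUSPECT_NAME:
            hits.append((key, unescape(m.group("name")), command))
    return hits
```

Real exports from regedit are UTF-16 encoded, so decode the file before passing its text to `find_suspect_autoruns`.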


When launched, the Trojan searches the files stored on all drives of the infected computer, except drive A, for data matching a predefined template. It encrypts all the information it manages to find and sends the data to one of the criminals' servers whose addresses are embedded in the malware.

The main objective of Trojan.PWS.Banker.64540 is to inject its component into Internet Explorer. It includes web injections that allow the web content of certain sites such as visa.com, mastercard.com, americanexpress.com, and discovercard.com, to be replaced. The Trojan's signature has been added to Dr.Web virus databases.
