Trojan:Win32/Silentbanker.B is a generic detection for variants of the Silentbanker trojan family.
Win32/Silentbanker is a monitoring trojan that captures screen shots, and logs key strokes, including login credentials for financial institutions. This trojan alters login pages displayed in order to capture specific data, redirects user Web page requests, and may download additional malicious programs.
Installation
When run, Win32/Silentbanker creates a mutex named "ovmkgnevfnei_4097" to make sure only one instance of the malware is running. Next, the trojan drops library files with various names into the Windows system folder. The trojan then writes a configuration file with a random file name and .CPL extension into the same folder, such as 'rpcns4.cpl'. The configuration file contains a list of various details, such as the names of all files associated with the trojan written to the Windows system folder, as in the following example:
[1137733809]
2137733809=1
6137733809=00207C22CB2BC10176
7137733809=804F03AB9A86C40162
8137733809=00207C22CB2BC10176
3137733809={0266682E-0054-4FBD-8181-26178B649CBE}
4137733809=ole337.dll
5137733809=aclu19.dll
9137733809=faultre78.dll
10137733809=mstvg18.dll
20137733809=alrsv55.dll
11137733809=iprtpri37.dll
12137733809=rdpsn6.dll
13137733809=wstdeco89.dll
14137733809=sfcfile95.dll
15137733809=kbdf74.dll
16137733809=umpnpmg25.dll
17137733809=minde94.dll
18137733809=oleaut396.dll
19137733809=cfgmgr365.dll
21137733809=mscore12.dll
22137733809=msnetob93.dll
Win32/Silentbanker installs itself as a Web Browser Helper Object (BHO) by dropping a randomly named library into the Windows system folder - the dropped library component is identified as Trojan:Win32/Silentbanker.B.dll. The trojan adds several registry keys and values enabling the BHO to run when the Web browser Internet Explorer is launched.
Adds value: {0948248B-C233-44C2-9C8D-CA87FFC3B60B}
In subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
Adds value: (default)
With data: <system folder>\<trojan .DLL such as mqsvc.dll>
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
{0948248B-C233-44C2-9C8D-CA87FFC3B60B}\InprocServer32
Adds value: (default)
With data: {0948248B-C233-44C2-9C8D-CA87FFC3B60B}
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
{0948248B-C233-44C2-9C8D-CA87FFC3B60B}\TypeLib
Adds value: (default)
With data: <trojan file name without extension, such as mqsvc>
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
{0948248B-C233-44C2-9C8D-CA87FFC3B60B}
Win32/Silentbanker alters the registry to launch the trojan any time an application calls for a sound device, as in the following example:
Adds value: midi1
With data: <trojan .DLL, for example mscore12.dll>
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Payload
Steals Sensitive Data
This trojan may alter a displayed user login page on a valid Web page in order to capture login credentials. It may also capture screen shots, and log key strokes.
Additional Information
The trojan may restart the affected machine after installation.
Analysis by Vitaly Zaytsev
