Banker.WXS infects bootloader and steals banking data

December 16, 2011

The SonicWALL UTM Research team received reports of a new banking trojan in the wild. This trojan infects NTLDR, the Windows NT bootloader that runs before the operating system loads. It also steals banking data and targets files belonging to GBPlugin, a browser security plug-in used mostly by Brazilian banks.

The source of this trojan has been linked to spam emails containing download links.

Once the user downloads and executes the trojan, it performs the following actions:

Downloads the file wxp.zip, which contains the following:

  • xp-msantivirus
  • xp-msclean
  • ntldrv2
  • menu.lst
  • clean.bat

Makes a backup of the system's ntldr as ntldr.old and replaces the original ntldr with the ntldrv2 file.
The new ntldr file is a modified GRUB bootloader that runs the file menu.lst.

The menu.lst file is responsible for calling xp-msantivirus and xp-msclean during the system's reboot. These two files later remove files related to GBPlugin and other security software.

Files Created:

  • {Computer Name}12k12v3r1.exe - copy of banker trojan

Added Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {Computer Name} "Application Data\{Computer Name}12k12v3r1.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
  • Disables User Account Control notifications by adding the following entries:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center UacDisableNotify dword:00000001
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA dword:00000000
  • Disables Windows Defender by replacing the data that points to its executable in:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender VTNC

Deleted Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains @ ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges @ ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains @ ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges @ ""
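As an added example (not part of the SonicWALL advisory), the following Python checker looks for the dropped boot files and the registry changes listed above in a `.reg` export and a system-root directory listing. The computer name PC01, the `.reg` sample, and the assumption that a clean "Windows Defender" Run entry points at MSASCui.exe are constructed for this example.

```python
# Indicators come from the advisory above; the computer name is used by the trojan
# to name its copy. The .reg sample and the MSASCui.exe assumption are constructed.
RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RULES = [  # (key suffix, value name, predicate on data, meaning)
    (r"\Explorer\Advanced", "EnableBalloonTips", lambda d: d == 0, "balloon tips disabled"),
    (r"\Security Center", "UacDisableNotify", lambda d: d == 1, "UAC notifications disabled"),
    (r"\policies\system", "EnableLUA", lambda d: d == 0, "UAC (EnableLUA) disabled"),
]
DROPPED = {"ntldr.old", "menu.lst", "ntldrv2", "xp-msantivirus", "xp-msclean", "clean.bat"}

def parse_reg_export(text):
    """Yield (key, name, data) from .reg export text; dword data becomes int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            data = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            yield key, name.strip('"'), data

def scan_registry(text, computer_name):
    """Return human-readable findings for the advisory's registry changes."""
    findings, cn = [], computer_name.lower()
    for key, name, data in parse_reg_export(text):
        k, d = key.lower(), str(data).lower()
        if k == RUN_HKCU.lower() and name.lower() == cn and d.endswith(cn + "12k12v3r1.exe"):
            findings.append(f"Run entry '{name}' launches trojan copy {data}")
        if k == RUN_HKLM.lower() and name == "Windows Defender" and "msascui.exe" not in d:
            findings.append(f"'Windows Defender' Run entry no longer points at Defender: {data}")
        for suffix, vname, pred, meaning in VALUE_RULES:
            if k.endswith(suffix.lower()) and name == vname and pred(data):
                findings.append(f"{vname}={data} under {key}: {meaning}")
    return findings

def scan_system_root(listing):
    # Any of the advisory's dropped or backup boot files present in the system root
    return sorted(DROPPED & {n.lower() for n in listing})

SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PC01"="C:\\Documents and Settings\\user\\Application Data\\PC0112k12v3r1.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="VTNC"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000'''

if __name__ == "__main__":
    for f in scan_registry(SAMPLE_REG, "PC01") + scan_system_root(["NTLDR", "ntldr.old", "menu.lst"]): print(f)
```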

After the installation, the system is forced to reboot:

    [Screenshot: restart prompt]
    Translation: "Windows Update is restarting your computer to install the critical security updates."

    [Screenshot: virus-removal progress screen]
    Translation: "Please wait while the operation is performed. Do not turn off or restart your computer. ATTENTION: files infected with viruses were found on your computer. Starting the virus removal process: Process started... This process may take a while depending on the number of virus-infected files found. Do not turn off or restart your computer during this process; wait for it to complete, and your computer will be restarted automatically. Process completed successfully... Restarting the computer."

    [Screenshot: boot message]
    Translation: "Booting. Starting the Microsoft Malicious Software Removal Tool" (original: "Iniciando a Ferramenta de Remocao de Software Mal Intencionado da Microsoft")

    [Screenshot: removal tool screen]
    Translation: "Malicious Software Removal Tool. Do not turn off or unplug the machine until this process completes."

During the reboot, the trojan removes the GBPlugin browser security plug-in and other security software, which leaves the system open to further malware. It tries to connect to other URLs, possibly to download additional malware. It also covers its tracks by deleting the files it originally downloaded.

Network Activity:

  • Remote Server: 50.1{REMOVED}59/.RECURSOS/
  • DNS Queries:
      • smartp{REMOVED}yhoster.com
      • multip{REMOVED}omeze.com
      • arowhe{REMOVED}com
      • timbe{REMOVED}com
      • weigot{REMOVED}.com

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Banker.WXS (Trojan)