Banker.AXW  - Троян, который следит за окнами браузера  в которых содержится текстовая строка, связанная с различной банковской информацией.

Banker.AXW  - Троян, который следит за окнами браузера в которых содержится текстовая строка, связанная с различной банковской информацией. Затем, Троян регистрирует введенную информацию в этих окнах, типа паролей и другой чувствительной информации.

Этот Троян использует несколько PHP сценариев, которые посылают собранную информацию локальному Web серверу (http://localhost/TORERO/) который никак не взаимодействует с Интернет.

Троян написан на Delphi и упакован PE_Patch и UPX. Размер  25,190  байт.

Описание от Panda Software:

Banker.AXW carries out the following actions:

  • It registers itself as BHO (Browser Helper Object).
  • It monitors:
    - Windows whose title bar contains any of the following text strings: bank, cash, clave, firma, gold, memorable, parol, porcue, secret, trans, user.
    - Windows whose title bar contains any of the text strings specified with a certain format in the file SUI.DLL.
  • It logs the keystrokes typed by the user in those windows.
  • In order to send the information it has gathered, it uses several PHP scripts:

    These scripts are hosted in the URL http://localhost/TORERO. Though this URL does not refer to any web address in the Internet, it could be changed in the future.
Infection strategy 

Banker.AXW creates the following files in the directory where it is run:

  • WINSETUP.EXE, which is the installer that creates the rest of the files and subfolders.
  • SVCHOST.DLL, which is the DLL (Dynamic Link Library) registered as BHO.
  • SUI.DLL, which is a data file for the BHO.
  • WINT.INI, which is the configuration file of the BHO.
  • Several log files in the subfolders SVACT, SVCONTR and SVSKN.


Banker.AXW creates the following entries in the Windows Registry:

  • HKEY_CLASSES_ROOT\ CLSID\ {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
    (Default) = LOCAL SERVICE

    HKEY_CLASSES_ROOT\ CLSID\ {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\ InprocServer32
    (Default) = %path%\ svchost.dll

    where %path% is the path to the directory where the library called SVCHOST.DLL is located.

    HKEY_CLASSES_ROOT\ CLSID\ {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\ InprocServer32
    ThreadingModel = Apartment

    HKEY_CLASSES_ROOT\ CLSID\ {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\ ProgID
    (Default) = svchost.Update

    HKEY_CLASSES_ROOT\ svchost.Update
    (Default) = LOCAL SERVICE

    HKEY_CLASSES_ROOT\ svchost.Update\ Clsid
    (Default) = {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

    HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Browser Helper Objects\ {3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

    By creating these entries, SVCHOST.DLL is registered as BHO (Browser Helper Object).
  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ 5.0\ Cache\ Extensible Cache\ MSHist012005100420051005
Means of transmission 

Banker.AXW does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.