Solutions for:
Home Products
Small Business
Medium Business
Enterprise
Vulnerabilities Threats
Home Threats Trojan-Banker Win32

Trojan-Banker.Win32.IKX

Class
Trojan-Banker
Platform
Win32

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Technical Details

It is a harmless nonmemory resident parasitic Win32-virus. It searches for Windows32 PE executable files in the current directory and infects them. The virus works under both Windows 95/98 and Windows NT.

When an infected program is run, the virus receives control and searches for Windows32 API addresses. First of all it scans KERNEL code and looks for GetProcAddress function address. When this function is located, the virus by using this address gets pointers to nine other functions: 

CreateFileA, CreateFileMappingA, MapViewOfFile, CloseHandle,
FindFirstFileA, FindNextFileA, FindClose, UnmapViewOfFile, SetEndOfFile
By using these calls the virus then searches for files and infects them. While infection the virus incorporates its code into the middle of the file to the end of first section. The virus looks for gap in the virtual image of file: if there is enough free space between first and second section in virtual image (addresses in the memory, not in disk file - the virus avoids overlapping sections on loading file into the memory), the virus shifts the rest of the file down by 1024 bytes, writes its code into this cave, modifies entry point address and fix section headers.

The virus has a bug that causes double infection. Despite this, infected files work without any problem.

The virus contains the text string that gives its name: 

MurkryIKX

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Related articles
11 July 2024
Securelist
When spear phishing met mass phishing
09 July 2024
Securelist
Developing and prioritizing a detection engineering backlog based on MITRE ATT&CK
08 July 2024
Securelist
CloudSorcerer – A new APT targeting Russian government entities
25 June 2024
Securelist
Cybersecurity in the SMB space — a growing threat
24 June 2024
Securelist
XZ backdoor: Hook analysis
18 June 2024
Securelist
Analysis of user password strength
Found an inaccuracy in the description of this vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Found a new Threat or Vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Solutions for
Home Products
Small Business
Medium Business
Enterprise
Select language
Sorting
Threat
Confirm changes?
Your message has been sent successfully.