A two-component Trojan consisting of an executable file and a dynamic-link library. It is distributed through the Andromeda botnet. Once the Trojan penetrates a computer, it creates the registry key HKCU\Software\AppDataLow_wu2_133 to store its data.
The malware then copies itself to %appdata%\Ms_dir_\msvcrt.exe and registers the copy for autostart as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msvcrt_.
To determine whether it is already installed on the system, the Trojan checks HKCU\Software\AppDataLow_wu2_133\installed or compares HKCU\Software\AppDataLow_wu2_133\path with the path of the running executable.
The Trojan then launches its copy and injects self-removal code into the svchost.exe process. It logs events to %temp%\log.tmp.
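The installation artifacts listed above (the data key with its installed/path values, the msvcrt_ Run entry, the dropped executable and the log file) can be checked on a Windows host with the read-only PowerShell script below. It is an added example, not code from the original write-up; because the Trojan writes to HKCU, it must be run in the context of each user account being examined.

```powershell
# Added host check for the persistence artifacts described in the write-up.
# Read-only: reports findings, does not delete or modify anything.
$findings = @()

# 1. Data/install-marker key created on first run (values 'installed' and 'path').
$dataKey = 'HKCU:\Software\AppDataLow_wu2_133'
if (Test-Path $dataKey) {
    $props = Get-ItemProperty -Path $dataKey -ErrorAction SilentlyContinue
    $findings += "Registry key present: $dataKey (installed='$($props.installed)', path='$($props.path)')"
}

# 2. Autostart entry 'msvcrt_' under the per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'msvcrt_' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value 'msvcrt_' present, command: $($run.'msvcrt_')"
}

# 3. Dropped copy of the executable; hash it so the sample can be submitted for analysis.
$dropped = Join-Path $env:APPDATA 'Ms_dir_\msvcrt.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

# 4. Event log file. The name is generic, so treat this as weak evidence on its own.
$log = Join-Path $env:TEMP 'log.tmp'
if (Test-Path $log) {
    $findings += "Possible event log present: $log (generic name; corroborate with the items above)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.PWS.Banker.64540 persistence artifacts found for the current user.'
} else {
    Write-Output 'Possible Trojan.PWS.Banker.64540 artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```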
Using a predefined template, the Trojan searches for data in the files stored on all drives of the infected computer (except the A: drive), skipping files with the following extensions: .avi, .jpg, .exe, .bat, .reg, .jpeg, .ico, .html, .hlp, .php, .asp, .bmp, .mov, .mp2, .mp3, .mp4, and .wav. It encrypts all the information it manages to find and sends it to one of the servers run by cybercriminals; the server addresses are stored in the Trojan's body.
The main objective of Trojan.PWS.Banker.64540 is to embed the library into Internet Explorer. The library performs web injections when visa.com, mastercard.com, americanexpress.com, and discovercard.com are loaded in browser windows.