Skip to content

TROJ_ZBOT.BZU

Overview

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

Low

Description: 

This Trojan arrives as a file downloaded from a remote URL.

Upon execution, it drops a copy of itself in the system folder. It creates a folder with attributes System and Hidden, where it drops non-malicious files.

It creates/modifies registry entries to enable its automatic execution at system startup. This Trojan injects itself into the legitimate processes as part of its memory residency routine.

This Trojan attempts to access a Web site to download a file. The said file contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information.

Note that the contents of the file, hence the list of Web sites to monitor, may change any time. Once users access any of the monitored sites, This Trojan starts logging keystrokes. This Trojan attempts to steal sensitive online banking information, such as usernames and passwords. This routine risks the exposure of the users account information, which may then lead to the unauthorized use of the stolen data.

The stolen information is saved in the file, then sent to a remote server.

For additional information about this threat, see:

Description created: Jun. 20, 2009 5:54:05 PM GMT -0800


Technical Details

File type: PE

Memory resident:  Yes

Size of malware: 69,632 Bytes

Initial samples received on: Jun 20, 2009

Details:

Infection Points

This Trojan arrives as a file downloaded from the following URL:

  • http://{BLOCKED}.{BLOCKED}.32.20/~parti3an/qvadro/ldr.exe

Installation and Autostart Technique

Upon execution, this Trojan drops a copy of itself in the system folder as twext.exe and appends garbage code to the dropped copy to avoid easy detection. It creates the folder, %System%\twain_32, with its attributes set to System and Hidden to prevent users from discovering and removing its components. This Trojan then creates the following non-malicious files:

  • %System%\twain_32\user.ds - used to save the gathered information
  • %System%\twain_32\local.ds - copy of the encrypted downloaded file

It modifies the following registry entry to enable its automatic execution at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe; %System%\twext.exe;"

(Note: The default value data of the said registry entry is %System\Userinit.exe;.)

It also creates the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Network
UID = "(Computer name}_{Random numbers}"

Information Theft Routine

This Trojan injects itself into WINLOGON.EXE and SVCHOST.EXE as part of its memory residency routine. This Trojan attempts to access the following Web site to download a file:

  • http://{BLOCKED}.{BLOCKED}.32.20/~parti3an/qvadro/cfg.bin

The said file contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains the following list of targeted bank-related Web sites from which it steals information:

  • !*-counter.*
  • !*.adserver.*
  • !*.akado.com*
  • !*.antaryon.com*
  • !*.arcor.de*
  • !*.atwola.com*
  • !*.autoscar.com.br*
  • !*.avto.net*
  • !*.awaps.net*
  • !*.aytobarcodeavila.com*
  • !*.bebo.com*
  • !*.chatcity.cc*
  • !*.chathome.biz*
  • !*.cpf-it.com*
  • !*.css
  • !*.danetport.com*
  • !*.deejay.it*
  • !*.delsud.com.ar*
  • !*.dubnatour.com*
  • !*.edu
  • !*.edu.*
  • !*.edu/*
  • !*.facebook.com*
  • !*.foros.bg*
  • !*.forum*
  • !*.gif
  • !*.gif?*
  • !*.go-joy.com*
  • !*.google.com*
  • !*.hp.com*
  • !*.jpg
  • !*.jpg?*
  • !*.js
  • !*.king.com*
  • !*.lan/*
  • !*.local/*
  • !*.love*
  • !*.maxthon.com*
  • !*.microsoft.com/*
  • !*.mobile.bg*
  • !*.mochiads.com*
  • !*.msi
  • !*.msn*
  • !*.ntvspor.net*
  • !*.orkut.co*
  • !*.pl
  • !*.pl/*
  • !*.png
  • !*.portalaz.com.br*
  • !*.ro
  • !*.ro/*
  • !*.surfaccuracy.*
  • !*.surfaccuracy.com*
  • !*.swf
  • !*.swf?*
  • !*.tff.org*
  • !*.th
  • !*.th/*
  • !*.tibia.com*
  • !*.tr
  • !*.tr/*
  • !*.trafficexplorer.*
  • !*.trafficexplorer.com*
  • !*.trueadvantage*
  • !*.tureng.com*
  • !*.tv
  • !*.tv/*
  • !*.txt
  • !*.vbox7.com*
  • !*.vn
  • !*.vn/*
  • !*.yellowpages.*
  • !*/%2fdata.php*
  • !*/*.css
  • !*/*.jpg
  • !*/TAPDKSQL/*
  • !*/VideoSense*
  • !*/ad.*
  • !*/ads.*
  • !*/ads/*
  • !*/ads2.*
  • !*/adserving.*
  • !*/adv.*
  • !*/banners.*
  • !*/banners/*
  • !*/bet*ibet888.net*
  • !*/blogs.*
  • !*/board.*
  • !*/board/*
  • !*/bsgame1.*
  • !*/chat/*
  • !*/cms/**
  • !*/counter.*
  • !*/css.*
  • !*/css/*
  • !*/dacnet/*
  • !*/editpost.php?*
  • !*/files/*
  • !*/forum*
  • !*/game.php?*
  • !*/game/*
  • !*/games*
  • !*/gate.php
  • !*/guestbook/*
  • !*/img.*
  • !*/infus.php*
  • !*/inlinemod.php?*
  • !*/liveupdate.*
  • !*/love*
  • !*/maps.*
  • !*/member_inlinemod.php?*
  • !*/my/message*
  • !*/newreply.php?*
  • !*/newthread.php?*
  • !*/phpBB*
  • !*/player_action.*
  • !*/poll.php?*
  • !*/price/*
  • !*/private.php?*
  • !*/showthread.php?*
  • !*/sindex.php*
  • !*/snatch/*
  • !*/speedtest/*
  • !*/store.*
  • !*/store/*
  • !*/tracker.*
  • !*/vb/login.php**
  • !*/vb/private.php**
  • !*/visitormessage.php?*
  • !*/wwwboard/*
  • !*/yabb/*
  • !*ContentEditor.aspx*
  • !*Exams.aspx*
  • !*abcjmp.com*
  • !*abcsearch.com*
  • !*abv.bg*
  • !*account.bigpond.com*toolbar.do
  • !*accountservices.passport.*
  • !*accountservices.passport.net*
  • !*ad9178.com*
  • !*adez.ae*
  • !*advert-network.com*
  • !*afterh.com*
  • !*afuturewithus.com*
  • !*agent.paynet.uz*
  • !*airliners.ca*
  • !*alahlitadawul.com*
  • !*alhilalclub.com*
  • !*alibaba*
  • !*all-logistica.com*
  • !*alraedclub.net*
  • !*amazon.com*
  • !*amola.org*
  • !*aol.com
  • !*api.kewego.com*
  • !*apps.facebook.com*
  • !*arabam.com*
  • !*aramex.net*
  • !*asiqler.net*
  • !*asus.com*
  • !*atdmt.com*
  • !*autoscout24.de*
  • !*aya.sy*
  • !*azercell.com*
  • !*azet.sk*
  • !*babylon.com*
  • !*bar-navig.*
  • !*battleon.com*
  • !*bearshare.com*
  • !*bebo.com*
  • !*betslip.aspx*
  • !*bgamemodule.com*
  • !*bigabiga.com*
  • !*bigflix.com*
  • !*bigmir.net*
  • !*bitefight*
  • !*blinkx.com*
  • !*blogcu.com*
  • !*blogfa.com*
  • !*blogger.com*
  • !*blogsky.com*
  • !*bobi.caucasus.net*
  • !*booksecure.net*
  • !*boonty.com*
  • !*bpn.gov*
  • !*bypassguide.org*
  • !*c1ubs.com*
  • !*camaroforless.com*
  • !*cartoonnetwork*
  • !*caucasus.net*
  • !*ch7.com*
  • !*chat*
  • !*chat.*
  • !*chatkon.com*
  • !*clarin.com*
  • !*class1casino.com*
  • !*colfarmaonline*
  • !*combats.com*
  • !*commonapp.org*
  • !*contacy.info*
  • !*controlbanesto.com*
  • !*copart.com*
  • !*counter?*
  • !*crossdomain.xml
  • !*cyworld.com*
  • !*daum.net*
  • !*depositfiles.com*
  • !*dinakaran.com*
  • !*dinamani.com*
  • !*dt00.net*
  • !*dyndns.org*
  • !*e-kolay.net*
  • !*ebb.ubb.bg*
  • !*ecltrade.com.pk
  • !*efirdeyik.com*
  • !*ekolay.net*
  • !*empas.com*
  • !*erolmarketing.org*
  • !*eventreport.asp
  • !*expedia.com*
  • !*f1.com.tw*
  • !*facebook.com
  • !*facebook.com*
  • !*fanbox.com*
  • !*favicon.*
  • !*fazenda.gov.br*
  • !*fbcdn.net*
  • !*feelway.com*
  • !*fenermarket.com*
  • !*filmp3.net*
  • !*fin.marathonbet.*
  • !*fin.marathonbet.com*
  • !*findology.com*
  • !*flickr.com*
  • !*forum.*
  • !*forum?**
  • !*fotocasa.es*
  • !*funpic.de*
  • !*gallito.com*
  • !*gamehouse.com*
  • !*games.*
  • !*gamezer.com*
  • !*gamyun.net*
  • !*gator.com*
  • !*gdx.mlb.com*
  • !*gigya.com*
  • !*google*
  • !*gracehill.com*
  • !*hakkarim.net*
  • !*heavy.com*
  • !*hepsievcil.com*
  • !*heyatim.net*
  • !*hi5.com*
  • !*highbeam.com*
  • !*hititbet.net*
  • !*hizlial.com*
  • !*homeinteriors.*
  • !*homeshop18.com*
  • !*horozgame.com*
  • !*hotbar.com*
  • !*hotel4all.info*
  • !*http://xpenace.*
  • !*ickum.aktif.com*
  • !*iforex.com*
  • !*ikariam*
  • !*ikea.com*
  • !*imp.online.net*
  • !*indiatimes.com*
  • !*infolinks.com*
  • !*jamsai.com*
  • !*jazan.org*
  • !*jhawin.com*
  • !*jigidi.com*
  • !*jotform.com*
  • !*kariyer.net*
  • !*kooora.com*
  • !*laredoute.be*
  • !*listaonline.com.br*
  • !*live.com*
  • !*livefaceonweb.com*
  • !*livefilestore.com*
  • !*livejournal.com*
  • !*liveperson.net*
  • !*losecasino2005*
  • !*lottery.*
  • !*love.*
  • !*love.rambler.ru
  • !*mail.ru/cht_data.php
  • !*maktoob.com*
  • !*mapmart.com*
  • !*match.com/*
  • !*mcafee*
  • !*mediaonenetwork.net*
  • !*megaupload.com*
  • !*memedia.com*
  • !*metacafe.com*
  • !*microsoft*
  • !*mobile.de*
  • !*mobilen.bg*
  • !*mobilen.com*
  • !*mochiads.com
  • !*mochibot.com*
  • !*moe.gov.sa*
  • !*msn.com*
  • !*mxlivemedia.com*
  • !*my-etrust.com*
  • !*myflirt.de*
  • !*mynet.com*
  • !*myspace*
  • !*myspacecdn.com*
  • !*myxer.com*
  • !*naship.info*
  • !*nasza-klasa.pl*
  • !*naukri.com*
  • !*nesine.com*
  • !*net-chef.com*
  • !*netflix.com*
  • !*netlog.com*
  • !*newsyrian*
  • !*nycodem.net*
  • !*ocget.dll*
  • !*odnoklassniki*
  • !*ogame.*
  • !*ogidogi.com*
  • !*ohost.de*
  • !*omafya.com*
  • !*oriflame.com*
  • !*otaq.com*
  • !*otomax.com*
  • !*oyunus.com*
  • !*personal.com.ar*
  • !*photobucket*
  • !*piczo.com*
  • !*playground.ru*
  • !*porn*
  • !*pricoinsa.es*
  • !*pudhari.com*
  • !*punjabijanta.com/*
  • !*quest.net*
  • !*quintura.com*
  • !*radio.com*
  • !*rambler.ru*
  • !*rapidshare*
  • !*rapmls.com*
  • !*rediff.com*
  • !*rediffcdn.net*
  • !*restaurant.com*
  • !*rightonadz.biz*
  • !*rtl.de*
  • !*ruralvia.com*
  • !*sabrik.com*
  • !*sakshi.com*
  • !*salesforce.com*
  • !*sanook.com*
  • !*santa-inbox.com*
  • !*sbobet.com/webroot/*
  • !*scanscout.com*
  • !*search.*
  • !*seekmo.com*
  • !*sharebuilder.*
  • !*sify.net*
  • !*slide.com*
  • !*soho.com.co*
  • !*speed.io*
  • !*speedtest.*
  • !*sprintip.com*
  • !*sprow2v1/scripts*
  • !*spylog.com*
  • !*spyware-browser.com*
  • !*stat.php
  • !*streamstats1.blinkx.com*
  • !*superiorads.biz*
  • !*sweetim.com*
  • !*t-mobile.com*
  • !*taleo.net*
  • !*teens*
  • !*tekurek.net*
  • !*terra.com.br*
  • !*thaibg.com*
  • !*toolbarqueries.*
  • !*topqualityads.*
  • !*topqualityads.net*
  • !*total-media.net*
  • !*translator.com*
  • !*true.com*
  • !*uamulet.com*
  • !*ukr.net*
  • !*ultimosegundo.com.br*
  • !*unicru.com*
  • !*uol.com.br*
  • !*updaterservice.*
  • !*vidlock.com*
  • !*viewit.ca*
  • !*vip600.com*
  • !*vkadre.ru*
  • !*vkontakte.ru*
  • !*vkontakte.ru/*
  • !*vspomni.ru/*
  • !*wadja.com*
  • !*walkontheweb.com*
  • !*webcomsoftware.co.uk*
  • !*wepsol.net*
  • !*westlaw.com*
  • !*wikimapia.*
  • !*wikipedia.*
  • !*wildtangent.com*
  • !*www.i-nt-e-r-n-e-t.com*
  • !*xxx*
  • !*yahoo.*
  • !*youku.com*
  • !*yourminis.com*
  • !*youtube.com*
  • !*ypf.com*
  • !*zain.com*
  • !*zango.com*
  • !.oracle.com*
  • !/foto*
  • !ftp://cust-r2*
  • !ftp://cust-r2:Alpc2p3O*
  • !http*porno*
  • !http*sex*
  • !http//*
  • !http://*.css
  • !http://*.gif
  • !http://*.jpg
  • !http://*.js
  • !http://*.microsoft.com/*
  • !http://*.mksat.net
  • !http://*.odnoklassniki.ru/*
  • !http://*.swf
  • !http://*1chat.ru/*
  • !http://*24open.ru/*
  • !http://*7128.partners.findology.com*
  • !http://*89.207.219.19:8080*
  • !http://*abcsearch.com*
  • !http://*activex.microsoft.com*
  • !http://*api.vkontakte.ru/*
  • !http://*bbpeoplemeet.com*
  • !http://*blackplanet.com*
  • !http://*board*
  • !http://*chat*
  • !http://*chat30.ru/*
  • !http://*chathome.ru/*
  • !http://*chatservice.ru/*
  • !http://*codecs.microsoft.com*
  • !http://*comedy.ru/*
  • !http://*dating.ru/*
  • !http://*forum*
  • !http://*google*
  • !http://*google.ru/*
  • !http://*hotmail*
  • !http://*i-n-t-e-r-n-e-t.com*
  • !http://*idprint.gr/*
  • !http://*kiss-chat.ru/*
  • !http://*lineager.ru/*
  • !http://*live*
  • !http://*liveinternet.ru/*
  • !http://*liveupdate*
  • !http://*love*
  • !http://*love-planet.ru/*
  • !http://*loveaccess.com*
  • !http://*loveplanet.ru/*
  • !http://*mamba.ru/*
  • !http://*maybe.ru/*
  • !http://*mcafee*
  • !http://*mcafee.com*
  • !http://*microsoft.com*
  • !http://*millidor.ru/*
  • !http://*mlove.ru/*
  • !http://*mpchat.com/*
  • !http://*msn.*
  • !http://*msn.com/*
  • !http://*music*
  • !http://*myspace.com*
  • !http://*myspace.com/*
  • !http://*nebo9.ru/*
  • !http://*odnoklasniki.ru/*
  • !http://*odnoklassniki.ru*
  • !http://*odnoklassniki.ru/*
  • !http://*onlineguru.ru/*
  • !http://*planetaxxx.ru/*
  • !http://*primosearch.com*
  • !http://*reports.hotbar.com*
  • !http://*russchat.ru/*
  • !http://*sex*
  • !http://*singlecity.ru/*
  • !http://*starquake.ru/*
  • !http://*superjob.ru/*
  • !http://*trafficexplorer.com*
  • !http://*unitybankng-webschool.com*
  • !http://*urbanchat.com/*
  • !http://*vkontakte.ru*
  • !http://*vkontakte.ru/*
  • !http://*vkontante.ru/*
  • !http://*volchat.ru/*
  • !http://*walkontheweb.com/*
  • !http://*wg1.odnoklassniki.ru/*
  • !http://*wg10.odnoklassniki.ru/*
  • !http://*wg11.odnoklassniki.ru/*
  • !http://*wg12.odnoklassniki.ru/*
  • !http://*wg13.odnoklassniki.ru/*
  • !http://*wg14.odnoklassniki.ru/*
  • !http://*wg15.odnoklassniki.ru/*
  • !http://*wg16.odnoklassniki.ru/*
  • !http://*wg17.odnoklassniki.ru/*
  • !http://*wg19.odnoklassniki.ru/*
  • !http://*wg2.odnoklassniki.ru/*
  • !http://*wg20.odnoklassniki.ru/*
  • !http://*wg3.odnoklassniki.ru/*
  • !http://*wg4.odnoklassniki.ru/*
  • !http://*wg5.odnoklassniki.ru/*
  • !http://*wg6.odnoklassniki.ru/*
  • !http://*wg7.odnoklassniki.ru/*
  • !http://*wg8.odnoklassniki.ru/*
  • !http://*wg9.odnoklassniki.ru/*
  • !http://*win-touch.com*
  • !http://*www.fedpolybidaportal.com*
  • !http://*xxx*
  • !http://*yahoo*
  • !http://*yimg.com*
  • !http://*znakomstva-sitelove.ru/*
  • !http://1*.*.*.*/*
  • !http://2*.*.*.*/*
  • !http://3*.*.*.*/*
  • !http://4*.*.*.*/*
  • !http://5*.*.*.*/*
  • !http://6*.*.*.*/*
  • !http://61.5.156.140*
  • !http://7*.*.*.*/*
  • !http://8*.*.*.*/*
  • !http://9*.*.*.*/*
  • !http://activex.microsoft.com*
  • !http://codecs.microsoft.com*
  • !http://downloads.my-etrust.com
  • !http://google.com/*
  • !http://livejournal.com/*
  • !http://love.mail.ru/*
  • !http://mail.ru/
  • !http://msg.nicovideo.jp*
  • !http://rambler.ru/
  • !http://vkontakte.ru/*
  • !http://win.mail.ru/cgi-bin/movemsg*
  • !http://www.abcjmp.com*
  • !http://www.pwonline.ru/*
  • !http://yandex.ru/
  • !https://*.css
  • !https://*.gif
  • !https://*.jpg
  • !https://*.js
  • !https://*.swf
  • !https://*.webmoney.ru
  • !https://*almubasher.com.sa*
  • !https://*board*
  • !https://*chat*
  • !https://*facebook*
  • !https://*forum*
  • !https://*hotmail.com*
  • !https://*live.com*
  • !https://*mcafee.com*
  • !https://*microsoft.com*
  • !https://*msn.*
  • !https://*music.com*
  • !https://*porno*
  • !https://*sex*
  • !https://*xxx*
  • !https://*yahoo*
  • !pop3://*
  • *..ebay.com/*
  • *.1ambassador.com/*
  • *.1natbanker.com/*
  • *.1stchoicebank.com/*
  • *.1stsource.com/*
  • *.4thebank.com/*
  • *.53.com/*
  • *.abbeynational.co.uk/*
  • *.alliance-leicester.co.uk/*
  • *.americantrust.com/*
  • *.amsouth.com/*
  • *.ank.com/*
  • *.anz.com/*
  • *.apollotrust.com/*
  • *.arknatl.com/*
  • *.arvest.com/*
  • *.arvest.com/fnr/*
  • *.arvest.com/sbt/*
  • *.arvest.com/state/*
  • *.assocbank.com/*
  • *.astoriafederal.com/*
  • *.bancaintesa.it/*
  • *.bancajaproximaempresas.com/*
  • *.bancoherrero.com/*
  • *.bancopastor.es/*
  • *.bancopopular.com/*
  • *.bancopopular.es/*
  • *.bancorpsouthonline.com/*
  • *.banesto.es/*
  • *.banif.es/*
  • *.bank.guarantygroup.com/*
  • *.bankamerica.com/*
  • *.banking.first-direct.com/*
  • *.banklagrange.com/*
  • *.banknorth.com/*
  • *.bankofamerica.com/*
  • *.bankofbotetourt.com/*
  • *.bankofcleveland.com/*
  • *.bankofengland.co.uk/*
  • *.bankofhollysprings.com/*
  • *.bankoflenawee.com/*
  • *.bankofscotland.co.uk/*
  • *.bankofthewest.com/*
  • *.bankone.com/*
  • *.bankov.com/*
  • *.bankrcb.com/*
  • *.barclays.co.uk/*
  • *.barclays.com/*
  • *.bbandt.com/*
  • *.bbvanetoffice.com/*
  • *.bcs.ru/*
  • *.bergencommercial.com/*
  • *.bgb.abcbank.com/*
  • *.bgnetplus.com/*
  • *.birmingham-midshires.co.uk/*
  • *.bkb.com/*
  • *.bkbank.com/*
  • *.bofb.com/*
  • *.bofm.com/*
  • *.boh.com/*
  • *.bokf.com/*
  • *.botwodessa.com/*
  • *.bradford-bingley.co.uk/*
  • *.bristol-west.co.uk/*
  • *.bsvnet.com/*
  • *.busey.com/*
  • *.businessbank.com/*
  • *.cabarrusbank.com/*
  • *.caixagirona.es/*
  • *.caixalaietana.es/*
  • *.caixaontinyent.es/*
  • *.caixasabadell.net/*
  • *.caixatarragona.es/*
  • *.caja-granada.es/*
  • *.cajabadajoz.es/*
  • *.cajacanarias.es/*
  • *.cajacirculo.es/*
  • *.cajadeavila.es/*
  • *.cajaen.es/*
  • *.cajalaboral.com/*
  • *.cajamadrid.es/*
  • *.cajamadridempresas.es/*
  • *.cajamurcia.es/*
  • *.cajarioja.es/*
  • *.cajasoldirecto.es/*
  • *.cajavital.es/*
  • *.calfed.com/*
  • *.capitalone.com/*
  • *.cardsonline-consumer.com/*
  • *.careermosaic.com/*
  • *.cbnm.com/*
  • *.cbonline.co.uk/*
  • *.ccm.es/*
  • *.cdb.abcbank.com/*
  • *.chase.com/*
  • *.cheltglos.co.uk/*
  • *.chevychasebank.com/*
  • *.citibank.ae/*
  • *.citibank.com/*
  • *.citibank.de/*
  • *.citizensbank.com/*
  • *.citizensbankonline.com/*
  • *.citizensbankusa.com/*
  • *.citynb.com/*
  • *.clavenet.net/*
  • *.cnb-brownwood.com/*
  • *.cnb.com/*
  • *.cnbt.com/*
  • *.cnbtxk.com/*
  • *.co-operativebank.co.uk/*
  • *.colonialbank.com/*
  • *.compubank.com/*
  • *.crestar.com/*
  • *.csbbanking.com/*
  • *.dab-bank.com/*
  • *.derbyshire.org/*
  • *.dollarbank.com/*
  • *.downeysavings.com/*
  • *.e-gold.com/*
  • *.ebank.hsbc.co.uk/*
  • *.ebay.com/*
  • *.ebrd.com/*
  • *.efirstbank.com/*
  • *.elmonte.es/*
  • *.erica.com/*
  • *.etrade.com/*
  • *.etradebank.com/*
  • *.fanb.com/*
  • *.fbopcorporation.com/*
  • *.fcbanktn.com/*
  • *.fedbank.com/*
  • *.fibancmediolanum.es/*
  • *.first-direct.com/*
  • *.firstar.com/*
  • *.firstbanks.com/*
  • *.firstbanktexas.com/*
  • *.firstcentralbank.com/*
  • *.firstcitizens.com/*
  • *.firstib.com/*
  • *.firstmerit.com/*
  • *.firstunion.com/*
  • *.firstvirginia.com/*
  • *.flagstar.com/*
  • *.fleet.com/*
  • *.fnbanson.com/*
  • *.fnbashford.com/*
  • *.fnbinternet.com/*
  • *.fnbpipe.com/*
  • *.fnbrochelle.com/*
  • *.frostbank.com/*
  • *.fsbmonahans.com/*
  • *.ftb.com/*
  • *.ftbni.com/*
  • *.fult.com/*
  • *.fx*.ru*
  • *.gbw2.it/*
  • *.gefn.com/*
  • *.glbank.com/*
  • *.greatfallsbank.com/*
  • *.gruposantander.es/*
  • *.gruppocarige.it/*
  • *.halifax-online.co.uk/*
  • *.halifax.co.uk/*
  • *.harrisbank.com/*
  • *.hbtbank.com/*
  • *.hdb.co.uk/*
  • *.hiberniabank.com/*
  • *.hometownbancorp.com/*
  • *.hsbc.co.uk/*
  • *.hsbc.com/*
  • *.hsbcgroup.com/*
  • *.hsbcib.com/*
  • *.hudsoncitysavingsbank.com/*
  • *.hudsonunitedbank.com/*
  • *.humboldtbank.com/*
  • *.huntington.com/*
  • *.ibank.internationalbanking.barclays.com/*
  • *.ibanking.banksa.com.au/*
  • *.ibanking.stgeorge.com.au/*
  • *.in-biz.it/*
  • *.indymacbank.com/*
  • *.ingdirect.com/*
  • *.internetbanking.aib.ie/*
  • *.intrustbank.com/*
  • *.irwinunion.com/*
  • *.isideonline.it/*
  • *.iwbank.it/*
  • *.jpmorgan.com/*
  • *.juniper.com/*
  • *.kasnetbank.com/*
  • *.kermitstate.com/*
  • *.keybank.com/*
  • *.landmarkbank.com/*
  • *.lasallebank.com/*
  • *.lincolnbanknc.com/*
  • *.lloydsbank.co.uk/*
  • *.lloydstsb.co.uk/*
  • *.lloydstsb.com/*
  • *.lombard.co.uk/*
  • *.longviewbank.com/*
  • *.mainlandbank.com/*
  • *.mandtbank.com/*
  • *.mbna.com/*
  • *.mellon.com/*
  • *.mercantile.net
  • *.mercebank.com/*
  • *.merceonline.com/*
  • *.mhbs.co.uk/*
  • *.michigannational.com/*
  • *.midamericabank.com/*
  • *.midlandbank.co.uk/*
  • *.midvalleybank.com/*
  • *.mkn.co.uk/*
  • *.money.yandex.ru/*
  • *.my.ebay.com/*
  • *.nationalcity.com/*
  • *.nationalinterbank.com/*
  • *.nationalinternetbank.com/*
  • *.nationet.com/*
  • *.nationsbank.com/*
  • *.nationwide.co.uk/*
  • *.natwest.co.uk/*
  • *.nbank.com/*
  • *.nbcbank.com/*
  • *.ncsecu.org
  • *.netbank.com/*
  • *.netbank.commbank.com.au/*
  • *.nfnb.abcbank.com/*
  • *.norisbank.de/*
  • *.northern-bank.co.uk/*
  • *.northerntrust.com/*
  • *.norwest.com/*
  • *.nrock.co.uk/*
  • *.nwolb.com/*
  • *.offshorebanking.barclays.com/*
  • *.ohiosavings.com/*
  • *.oldnational.com/*
  • *.onb.abcbank.com/*
  • *.online-offshore.lloydstsb.com/*
  • *.online.wamu.com/*
  • *.openbank.es/*
  • *.osmp.ru
  • *.osmp.ru/*
  • *.passweb.com/*
  • *.paymybills.com/*
  • *.paypal.com/*
  • *.pcbanker.com/*
  • *.pekaobiznes24.pl
  • *.peoples.com/*
  • *.peoplesbank.com/*
  • *.pncbank.com/*
  • *.popso.it/*
  • *.poste.it/*
  • *.postipankki.co.uk/*
  • *.premierbnk.com/*
  • *.presidential.com/*
  • *.principal.com/*
  • *.procreditbank.bg/*
  • *.psbwesthope.com/*
  • *.quiubi.it/*
  • *.rbccentura.com/*
  • *.rbos.co.uk/*
  • *.rbsdigital.com/*
  • *.rcbank.com/*
  • *.redcent.com/*
  • *.regionsbank.com/*
  • *.republicbankfl.com/*
  • *.riggsbank.com/*
  • *.rmbank.com/*
  • *.rupay.com/*
  • *.sabadellatlantico.com/*
  • *.salemfive.com/*
  • *.sbbt.com/*
  • *.sbil.co.uk/*
  • *.schwab.com/*
  • *.screenname.aol.com/_cqr/login/login*
  • *.screenname.aol.com/auth/client*
  • *.scrippsbank.com/*
  • *.sdb.abcbank.com/*
  • *.secservizi.it/*
  • *.security-state-bank.com/*
  • *.securityfirst.com/*
  • *.sfnb.com/*
  • *.skyfi.com/*
  • *.smile.co.uk/*
  • *.sovereignbank.com/*
  • *.ssnb.com/*
  • *.stanchart.com/*
  • *.starbank.com/*
  • *.statebankofhildreth.com/*
  • *.statecentralbank.com/*
  • *.statefarm.com/*
  • *.statenb.com/homebank.htm*
  • *.summitbank.com/*
  • *.suntrust.com/*
  • *.tcfbank.com/*
  • *.tdcanadatrust.com/*
  • *.texnational.com/*
  • *.thecitizensbankphila.com/*
  • *.thesouthgroup.com/*
  • *.thirdfederal.com/*
  • *.trustmark.com/*
  • *.tsb.co.uk/*
  • *.tworiversstatebank.com/*
  • *.txbank.com/*
  • *.uboc.com/*
  • *.unicaja.es/*
  • *.uno-e.com/*
  • *.us.hsbc.com/*
  • *.usaa.com/*
  • *.usaccessbank.com/*
  • *.usbank.com/*
  • *.valleynationalbank.com/*
  • *.volstatebank.com/*
  • *.wachovia.com/*
  • *.wallisbank.com/*
  • *.wamu.com/*
  • *.webmoney.ru/*
  • *.websterbank.com/*
  • *.wellsfargo.com/*
  • *.westpac.com.au/*
  • *.westpointebank.com/*
  • *.whitneybank.com/*
  • *.wilberbank.com/*
  • *.wilmingtontrust.com/*
  • *.wilsonbank.com/*
  • *.wingspanbank.com/*
  • *.woolwich.co.uk/*
  • *.worldwidebanking.com/*
  • *.ybonline.co.uk/*
  • *.zionsbank.com/*
  • *//money.yandex.ru/
  • *//money.yandex.ru/index.xml
  • */admin.php
  • */admin/*
  • */administration/*
  • */administrator/*
  • */adminka/*
  • */fx*.ru*
  • */id.rambler.ru/script/auth.cgi?mode=log*
  • */login.live.com/RST*
  • */login.live.com/ppsecure/post.srf*
  • */login.yahoo.*/config/*
  • */mid.live.com/si/login*
  • */money.yandex.ru/*
  • */passport.yandex.ru/passport?mode=aut*
  • */sbank.ru/*
  • */sp-money.yandex.ru/*
  • */spauth.yandex.ru/*
  • */vtb24.ru/my/logon/*
  • */win.mail.ru/cgi-bin/aut*
  • *1stsource*
  • *365online*
  • *53.com*
  • *KSK-Bernkastel-Wixxlich.de*
  • *KSKCochem-Zell.de*
  • *KSKKusel.de*
  • *KSKSegeberg.de*
  • *Neumarkt-direkt.de*
  • *Spk-Marne.de*
  • *abacogf.com*
  • *abaecom*
  • *abbey*
  • *abnamro*
  • *abnamro.be*
  • *abnamro.com*
  • *abnamro.dk*
  • *abnamro.nl*
  • *abnamro.se*
  • *addmoney.ru/*
  • *adig.de*
  • *advance.com.au*
  • *agrobresciano.it*
  • *ahli.com*
  • *aib.ie*
  • *akbank.com.tr*
  • *aktia.fi*
  • *albenga.com*
  • *alfabank.ru*
  • *alfredberg*
  • *alliance-leicester.co.uk*
  • *alpha.gr*
  • *altapd.it*
  • *ambro.it*
  • *americanexpress.de*
  • *amsouth*
  • *anb.com.sa*
  • *anchorsb*
  • *anhyp.be*
  • *ansmep.kiev.ua*
  • *antonveneta*
  • *antonveneta.it*
  • *anz.com*
  • *appex.ru/*
  • *arctic.net*
  • *arknatl*
  • *arvest*
  • *asbc.com*
  • *assist.ru/*
  • *astoriafederal*
  • *ate.gr*
  • *audi.com.lb*
  • *axionweb.be*
  • *azzoaglio.it*
  • *bacai.com*
  • *bacob.be*
  • *banamex.com*
  • *banc*
  • *bancajaproximaempresas.com*
  • *bancoherrero.com*
  • *bank24.ru*
  • *banking.ru**
  • *banpais.com*
  • *banregio.com*
  • *barclays.co.uk*
  • *barclays.com*
  • *basl.sk*
  • *bavaria-immo.de*
  • *bawag.com*
  • *bayernlb.de*
  • *bblfm.com*
  • *bbs-sachsen.de*
  • *bbvanetoffice.com*
  • *bcee.lu*
  • *bcs.ru*
  • *bcv.ch*
  • *bdk.lublin*
  • *bdni.com*
  • *bekbnet*
  • *ben.com.pl*
  • *bes.pt*
  • *bestcredits.ru/*
  • *bfg.de*
  • *bga.it*
  • *bgl.ch*
  • *bgl.lu*
  • *bgnetplus.com*
  • *bhbauer.de*
  • *bi.go.id*
  • *biemmepro.it*
  • *bii.co.id*
  • *bil.lu*
  • *bipop.it*
  • *birel.ro*
  • *bischofsheimer-vb.de*
  • *bital.com*
  • *bkb.ch*
  • *bkkallincl.co.at*
  • *bkm.de*
  • *bks.at*
  • *bmo.com*
  • *bng.nl*
  • *bni.co.id*
  • *bnl.it*
  • *bnm.gov*
  • *bnu.pt*
  • *bnz.co.nz*
  • *bodan.net*
  • *bof.fi*
  • *bofb.com*
  • *bofm.com*
  • *boh.com*
  • *boram.co*
  • *borkenervb.de*
  • *bph.pl*
  • *bpi.com.ph*
  • *bpi.it*
  • *bpifb.com.ph*
  • *bsk.com.pl*
  • *bsp.gov.ph*
  • *bsp.it*
  • *bsvnet*
  • *bta.net*
  • *btal.com*
  • *business.co.uk*
  • *byconline*
  • *byro.ru/*
  • *cajalaboral.com*
  • *cardsonline-consumer.com*
  • *cassamarca*
  • *cbc.gov.tw*
  • *cbe.be*
  • *cbk.co*
  • *cbonline.co.uk*
  • *ccm.es*
  • *cdateacherscu*
  • *cgd.pt*
  • *cger.be*
  • *chase*
  • *chase.com*
  • *cheltglos*
  • *cibc.com*
  • *cisf.pt*
  • *citibank.ae*
  • *citibank.com*
  • *citibank.de*
  • *citibank.ru*
  • *citic*
  • *citicorp*
  • *citizensbankonline.com*
  • *citizenstricounty*
  • *citynb*
  • *clariden.com*
  • *clavenet.net*
  • *client.uralsibbank.ru*
  • *clio.it*
  • *cmbchina*
  • *cnb.com*
  • *cnb.cz*
  • *cnbv.gob.mx*
  • *co-operativebank.co.uk*
  • *cogeba.ch*
  • *colonial*
  • *combats.ru*
  • *comdirect*
  • *comdirect.de*
  • *comerica*
  • *commerceonline*
  • *commonwealthcu*
  • *compassweb*
  • *concord-ag.de*
  • *coopcb*
  • *countrywide*
  • *cpanel*
  • *cpp.pt*
  • *cracantu.it*
  • *cracastelgoffredo*
  • *crbra.it*
  • *crbvfbcc*
  • *crcarpi.it*
  • *crcento.it*
  • *crciv.it*
  • *creberg.it*
  • *credem.it*
  • *crediop.it*
  • *credit*
  • *credit.it*
  • *crestar*
  • *creval.it*
  • *crimola.it*
  • *crsbc.it*
  • *crtn.it*
  • *crtrieste.it*
  • *crup.it*
  • *ctn.independent*
  • *cuwebs.com*
  • *cyberplat.ru/*
  • *cymagic.com*
  • *dab-bank.com*
  • *datadiv.it*
  • *datamonitor.com*
  • *db-nm.si*
  • *dbresearch.com*
  • *ddb.dk*
  • *deka.de*
  • *deltakey.ru/*
  • *demiryatirim*
  • *depo.ee*
  • *desjardins*
  • *diel.it*
  • *digiseller.ru/*
  • *diraba.de*
  • *direct.yandex.ru/*
  • *dit.de*
  • *dlb.bkc.lv*
  • *dmbos.com.pl*
  • *dnb.no*
  • *dresdner-rb.kontodirekt.de*
  • *e-bullion*
  • *e-gold*
  • *e-port.ru*
  • *eastmancu*
  • *easypay.by*
  • *ebay.com/*
  • *ebrd.com*
  • *ebs.ie*
  • *elecsnet.ru/*
  • *elmonte.es*
  • *emoney.al.ru/*
  • *emoney.kg/*
  • *enterprise.net*
  • *es.ksk.de*
  • *esb.ee*
  • *essenhyp.de*
  • *etba.gr*
  • *ethniki.gr*
  • *ets.it*
  • *eunet.sk*
  • *eurofed*
  • *evoserve*
  • *exim.com*
  • *express-systems.ru/*
  • *eyp.ee*
  • *falkenbergs-sparb*
  • *fanb.com*
  • *fbbh.com*
  • *fbopcorporation*
  • *febtc.com*
  • *fibancmediolanum.es*
  • *fiducia.de*
  • *finansbank.com.tr*
  • *finnat.it*
  • *first-direct.com*
  • *firstar*
  • *firstcitizens*
  • *firstdirect*
  • *firstfd*
  • *firstib*
  • *firstmerit*
  • *firstunion*
  • *firstvirginia*
  • *fjsb.com*
  • *fkb.ch*
  • *flagstar*
  • *fmb-online*
  • *fnbashford*
  • *fnbdurango*
  • *fnbinternet*
  • *fnbmc*
  • *fnbnet*
  • *fnbrockies*
  • *fnbs.ie*
  • *fnbtexas*
  • *fokus.no*
  • *forex*
  • *forex*.ru*
  • *fortis*
  • *fraspa1822.de*
  • *freecash.ru/*
  • *friba.nl*
  • *friuladria.it*
  • *fsnb.net*
  • *ftb.com*
  • *fuib.com*
  • *fult*
  • *gallinat.de*
  • *gbw2.it*
  • *gemeentekrediet*
  • *generale.be*
  • *gfnorte.com*
  • *gkb.de*
  • *google.*/LoginAction2?service=*
  • *google.*/accounts/*
  • *grupo.bfe*
  • *gruposantander*
  • *gruposantander.es*
  • *gruppocarige.it*
  • *guh.de*
  • *halifax*
  • *halifax-online.co.uk*
  • *halkbank.com.tr*
  • *hamburglb.de*
  • *hangseng*
  • *hansa*
  • *hba.gr*
  • *hbl.lv*
  • *heart.coara*
  • *heidenheimer-voba.de*
  • *heimstaxx.de*
  • *hellwegeranzeiger.de*
  • *heroeswm.ru*
  • *hh-bergedorf.de*
  • *hkbea*
  • *hoxxinger.com*
  • *hsbc*
  • *hsbc.co.uk*
  • *huntington*
  • *hypo-alpe-adria*
  • *hypotirol*
  • *iba.com*
  • *iba.com.hk*
  • *ibank.ru*
  • *icatu*
  • *icbc.com*
  • *icbc.com.tw*
  • *icbpi.it*
  • *icicibank.co.in*
  • *iconz.co.nz*
  • *idsonline*
  • *ieb.hu*
  • *iic.or.jp*
  • *ikb.de*
  • *ilirija.hr*
  • *in-biz.it*
  • *inbursa.com*
  • *infonet.lecce*
  • *infosel.com*
  • *ingdirect*
  • *innet.net*
  • *insinger.com*
  • *inteligo.com.pl*
  • *intellibank.ru*
  • *interface-management*
  • *internetbanking.bancaintesa.it*
  • *intway.biz/*
  • *invermexico.com*
  • *ipacri.it*
  • *iper.net*
  • *ipko.pl*
  • *ippa.be*
  • *ippa.lu*
  • *ireland.iol.ie*
  • *is.co.za*
  • *isbank.com.tr*
  • *isdb.org*
  • *isideonline.it*
  • *it.ca-indosuez*
  • *iwbank.it*
  • *ixe.com.mx*
  • *jaring.my*
  • *jri.co.jp*
  • *juliusbaer*
  • *kapatel.gr*
  • *kappa.ro*
  • *kaptol.hr*
  • *kas-associatie*
  • *kasse
  • *kbbmb.ru/*
  • *kbl.lu*
  • *kfb.co*
  • *kioskpay*
  • *koba.cz*
  • *kol.ie*
  • *ksk-alzey.de*
  • *ksk-bernburg.de*
  • *ksk-fds.de*
  • *ksk-hannover.de*
  • *ksk-koeln.de*
  • *ksk-lb.de*
  • *ksk-mbteg.de*
  • *ksk-stade.de*
  • *ksk-tuebingen.de*
  • *ksk.bitburg.de*
  • *ksk.hildesheim.com*
  • *kskbb.de*
  • *kskcalw.de*
  • *kskwd.de*
  • *kutxa.net*
  • *la2.ru*
  • *laan-spar*
  • *lain.bkc*
  • *lanet.lv*
  • *latib.org.lv*
  • *lavalsabbina.it*
  • *lb-kiel.de*
  • *lb-sbv.si*
  • *lbb.de*
  • *lbs-baden.de*
  • *lbs-hamburg.de*
  • *lbs-ht.de*
  • *lbs-wuerxx.de*
  • *leonberger.de*
  • *leonia.fi*
  • *lhb.de*
  • *light.webmoney.ru*
  • *light.webmoney.ru/*
  • *lloyds*
  • *lloydstsb.co.uk*
  • *lloydstsb.com*
  • *login.osmp.ru*
  • *lrp.de*
  • *ltcb.co.jp*
  • *lzo.com*
  • *macquarie*
  • *maffei.de*
  • *mail.yandex.ru/*
  • *mandatum.fi*
  • *marathonbet.com*
  • *mas.gov.sg*
  • *mayo-ireland*
  • *mbanx*
  • *mbczh.ch*
  • *mbna*
  • *mbook.com*
  • *mbres.it*
  • *mcbank.ru/*
  • *mdmbank.com*
  • *mdmbank.ru*
  • *meradom.ru/*
  • *mercantile*
  • *merita.fi*
  • *metway*
  • *mfc.it*
  • *mhbs.co*
  • *midfirstcu*
  • *mkb.hu*
  • *mkn.co*
  • *mobw.ru*
  • *moneta.ru/*
  • *money*
  • *money.mail.ru*
  • *money.yandex.ru*
  • *money.yandex.ru/*
  • *moneymail.ru*
  • *mplategi.ru/*
  • *multi-kassa.ru/*
  • *nacf.co*
  • *naspa.de*
  • *national.com.au*
  • *nationalcity.com*
  • *nationet.com*
  • *nationwide*
  • *natwest*
  • *navyfcu*
  • *nazarenecu*
  • *nb.se*
  • *nbctkb.it*
  • *nbh.hr*
  • *nboc.com*
  • *nbs.co*
  • *nbs.co.za*
  • *nbs.sk*
  • *ncsecu*
  • *netsystem.it*
  • *netway.at*
  • *nexxvik.no*
  • *nkbm.si*
  • *nordlb.de*
  • *norisbank.de*
  • *novit.no*
  • *nrock.co*
  • *ns.bcn.servicom.es*
  • *ntb.co.th*
  • *nwolb.com*
  • *obb.com*
  • *oberdrautal-weissensee*
  • *ocbc.com*
  • *oceanfederal*
  • *oeb.se*
  • *oekb.co.at*
  • *oenb.co.at*
  • *olb.de*
  • *oldnational*
  • *onecore*
  • *open.hr*
  • *openbank.es*
  • *optiva*
  • *osgv.de*
  • *oslonexx.no*
  • *osmanli*
  • *osmp.ua*
  • *osuuspankki.fi*
  • *pacecu.com*
  • *paffrather.de*
  • *paginegialle.it*
  • *parexnet*
  • *paribas*
  • *paritate*
  • *partner.grandcasino.ru/
  • *patria-finance*
  • *pay.ru/*
  • *payment.epos.ru/*
  • *payment.ru*
  • *paymentsystems.ru/*
  • *paypal.com*
  • *pbks.pl*
  • *pbz.hr*
  • *pcib.com*
  • *pecunix*
  • *pekao.com.pl*
  • *penfed*
  • *pictet.com*
  • *pkobp.pl*
  • *platix.ru/*
  • *pluto.ntb*
  • *pomi.fi*
  • *popcrema.it*
  • *poplodi.it*
  • *popso.it*
  • *popvi.it*
  • *popvoba.it*
  • *preschoicefinancial*
  • *procreditbank.bg*
  • *providian*
  • *psbwesthope*
  • *psk.co.at*
  • *pwonline.ru*
  • *quiubi.it*
  • *raiba*
  • *raibim*
  • *raiffeisen*
  • *rapida.ru/*
  • *rbccentura*
  • *rberding.de*
  • *rbgarrel.de*
  • *rbirrel.com*
  • *rbk-haag-gars.de*
  • *rbkmoney.ru*
  • *rbos.co*
  • *rbs.co*
  • *rbs.co.at*
  • *rbstpoelten.at*
  • *rbu.vernet*
  • *rediff.com/cgi-bin/login.cgi*
  • *rfbk-roxxal-burgrieden.rwg.de*
  • *rietumu*
  • *rkb.lv*
  • *rlb-tirol.at*
  • *rmb.co.za*
  • *romagna.com*
  • *rool.it*
  • *rupay*
  • *rupay.com*
  • *ruralerovereto*
  • *rvb-fuerth.de*
  • *rvb-varel-zetel.de*
  • *rvbfaktumdirekt.de*
  • *rzalgund.it*
  • *rzb.at*
  • *rzb.co*
  • *s-s-b*
  • *sabadellatlantico.com*
  • *sachsenlb.de*
  • *sanpaolo.it*
  • *santander.de*
  • *saradar.com*
  • *saving*
  • *sb-koper.si*
  • *sbbgroup.com*
  • *sbil.co*
  • *scb.co.th*
  • *schwab*
  • *schwaebisch-hall.de*
  • *sda.dk*
  • *secservizi.it*
  • *securityfirst*
  • *sella.it*
  • *servitia*
  • *sfnb.com*
  • *shinhan*
  • *siamcity.co.th*
  • *signet*
  • *ska.com*
  • *skb.si*
  • *skyfi*
  • *slsp.sk*
  • *smile.co.uk*
  • *smn.no*
  • *smw.at*
  • *sn.no*
  • *snet.de*
  • *socgen.de*
  • *sol.no*
  • *spabe.ch*
  • *sparda-hh*
  • *sparda-hh.de*
  • *sparda.de*
  • *sparnord*
  • *sphere.ad.jp*
  • *spk-bre-luxembourg*
  • *spk-burgenlandkreis.de*
  • *spk-celle.de*
  • *spk-kreis-ploen.de*
  • *spk-scheessel.de*
  • *spk-stp.at*
  • *spkbz.it*
  • *sskba.de*
  • *sskduesseldorf.de*
  • *sskm.de*
  • *ssnb.com*
  • *stadshypotek*
  • *stanchart*
  • *starone*
  • *statefarm*
  • *stgeorge*
  • *storebrand.no*
  • *suedboden.de*
  • *suedwestlb.de*
  • *sun.donrizzo*
  • *suntrust.com*
  • *swconsult*
  • *swn-online.de*
  • *tavria.crimea*
  • *tcmb.gov*
  • *tcsbank.ru*
  • *technet.sg*
  • *telebank.ru*
  • *telecom.at*
  • *texnational*
  • *tgkb.ch*
  • *thesouthgroup*
  • *thirdfederal*
  • *tinet.ch*
  • *tirol.com*
  • *tispa.at*
  • *tkb.lv*
  • *tke.gr*
  • *toko.dnepr*
  • *tp.ee*
  • *trade*
  • *transamerica*
  • *transat*
  • *trust*
  • *trygghansa*
  • *tsb.co*
  • *txloanstar*
  • *uboc.com*
  • *ubs.com*
  • *ucb.crimea*
  • *ucpb.com*
  • *uhsbc.com/*
  • *unicaja.es*
  • *unikassa.ru/*
  • *union.cz*
  • *uno-e.com*
  • *uob.com.sg*
  • *uralsibbank.ru*
  • *urkb.ch*
  • *usaa*
  • *vakifbank.com.tr*
  • *val.it*
  • *vanguard.ro*
  • *vanlanschot*
  • *vb-ammerland.de*
  • *vb-badfriedrichshall.de*
  • *vb-beckum.de*
  • *vb-bocholt.de*
  • *vb-brilon.de*
  • *vb-bruchsal.de*
  • *vb-eppingen.de*
  • *vb-erzgebirge.de*
  • *vb-greven.de*
  • *vb-hagen.de*
  • *vb-hamm.de*
  • *vb-hohenlohe.de*
  • *vb-homburg.de*
  • *vb-lahr.de*
  • *vb-marl-recklinghausen.de*
  • *vb-neuss.de*
  • *vb-paderborn.de*
  • *vb-reutlingen.de*
  • *vb-rheda-wd.de*
  • *vb-rhein-wupper.de*
  • *vb-spiesen-elversberg.de*
  • *vb-wickede.de*
  • *vb-wolfratshausen.de*
  • *vbhan.de*
  • *vbk-du.de*
  • *vbketsch.de*
  • *vblehrte.genonord.de*
  • *vbsauerland.de*
  • *vbstadthagen.genonord.de*
  • *vbu.wgv.de*
  • *vbvorsfelde.de*
  • *vmoney.ru/*
  • *voba-bensheim.de*
  • *voba-bes-boe.de*
  • *voba-brv.de*
  • *voba-gg.de*
  • *voba-guenzburg.de*
  • *voba-karlsruhe.de*
  • *voba-main-taunus.de*
  • *voba-mm.de*
  • *voba-ober-moerlen.de*
  • *voba-ro.de*
  • *vobaloe.de*
  • *vol.cz*
  • *vol.it*
  • *vontobel.ch*
  • *vtb24.ru*
  • *vub.sk*
  • *w1.ru*
  • *wachovia*
  • *wachovia.com*
  • *wamu*
  • *wamu.com*
  • *wasa.se*
  • *wbk.com.pl*
  • *web.tin.it*
  • *webmoney.ru*
  • *webnet.ie*
  • *webzonecom*
  • *weinviertler-spk.at*
  • *wellsfargo*
  • *wellsfargo.com*
  • *westpac.com.au*
  • *wisedb.co*
  • *wohnbausparen*
  • *wpf.at*
  • *wuestenrot.de*
  • *www.bcs.ru/
  • *www.gu.net*
  • *www.wp.com*
  • *xnet.it*
  • *xplat.ru/*
  • *yapikredi.com.tr*
  • *ybonline.co.uk*
  • *yf-kr.edu.pl*
  • *ykb.com*
  • *zenit.ru*
  • *zhkb.ch*
  • *ziraatbank.com.tr*
  • *zubsb.ru*
  • *zvb.genonord.de*
  • @*.*banif.pt./*
  • @*.*barclays.pt/*
  • @*.*bpinet.pt/*
  • @*.*cgd.pt/*
  • @*.*montepio.pt/*
  • @*.*santander.es*
  • @*.*santandertotta.pt/*
  • @*.abbeyinternational.com/step2_login.asp?*=forward
  • @*.ardil.bancogallego.es/servlet/*
  • @*.banesnet.banesto.es/*
  • @*.bankinter.com/*
  • @*.bbva.es/*
  • @*.bes.pt/*
  • @*.bnpparibas.net/banque/portail/particulier/HomeConnexion*
  • @*.bv-i.bancodevalencia.es/*
  • @*.caixagirona.es/*/INclient_2030
  • @*.caixalaietana.es/*/INclient_2042
  • @*.caixanova.es/*
  • @*.caixanova.es/cgi-bin/INclient_*
  • @*.caixaontinyent.es/*/INclient_2045*
  • @*.caixatarragona.es/*
  • @*.caixatarragona.es/cat/sec_1/*
  • @*.cajabadajoz.*
  • @*.cajabadajoz.es/*/INclient_6010
  • @*.cajacanarias.*
  • @*.cajacanarias.es/*/INclient_6065*
  • @*.cajadeavila.es/*
  • @*.cajadeavila.es/cgi-bin/*
  • @*.cajaextremadura.es/*/INclient_3099
  • @*.cajarioja.es/*
  • @*.cajasoldirecto.es/*
  • @*.cajasur.es/*/INclient_4024
  • @*.cajavital.es/*
  • @*.cajavital.es/Appserver/*
  • @*.ccm.es/*
  • @*.ccm.es/*/INclient_6105
  • @*.ccm.es/activa24/internet/
  • @*.chebanca.it/wps/portal/Istituzionale/login
  • @*.clavenet.com
  • @*.clavenet.net/*
  • @*.clavenet.net/7054/index.htm*
  • @*.clavenet.net/cgi-bin/*
  • @*.dataaction.com.au/DAIB/*?Header_Num=123
  • @*.dataaction.com.au/DAIB/*?Header_Num=163
  • @*.e-gold.com/*
  • @*.empresas.gruposantander.es/*
  • @*.ingdirect.es*
  • @*.kutxa.net*
  • @*.netteller.com.au/*/ntv*.asp?WCI=bpayV2post&typ=BPDE
  • @*.osmp.ru/*
  • @*.ruralvia.com/*
  • @*.sanostra.es/*
  • @*.ssl.bsk.com.pl/bskonl/login.ac*
  • @*.vr-networld-ebanking.de/index.php?RZKZ=*&RZBK=*
  • @*/*cajasoldirecto.es/*
  • @*/*citibank.es/*/usersignon.do
  • @*/*new.egg.com/*
  • @*/*quiubi.it/*
  • @*/*sabadellatlantico.com*
  • @*/abbey.com/*
  • @*/abbeynational.co.uk/*
  • @*/acikdeniz.denizbank.com/CustomLogin/*
  • @*/activa24.ccm.es/*/inicio_identificacion.action*
  • @*/agent.e-port.ru/*
  • @*/anbusiness.com/*
  • @*/areasegura.banif.es/bog/bogbsn*
  • @*/atl.osmp.*/*
  • @*/atl.osmp.ru/*
  • @*/banca.cajaen.es/*
  • @*/banca.cajaguadalajara.biz/ISMC/Guadalajara/INclient.jsp*
  • @*/bankasya.com.tr/pls/asya/*
  • @*/bankofamerica.com/*
  • @*/bankofscotland.co.uk/*
  • @*/basecam.cam.es*
  • @*/businessaccess.citibank.citigroup.com/*SignOn.do
  • @*/caionline.cai.es/*
  • @*/caixagestion.caixagalicia.es/*/INclient_2091
  • @*/capitalcity.combats.ru/enter.pl*
  • @*/capitalone.co.uk/*
  • @*/carnet.cajarioja.es/banca3/*
  • @*/cbonline.co.uk/*
  • @*/centrum24.pl/*
  • @*/citibank.ru/signin/UnameSignonCookie.do/*
  • @*/citibusinessonline.da-us.citibank.com/*SignOn.do
  • @*/client.uralsibbank.ru/login.asp/*
  • @*/cuviewpoint.net/*/login.asp*
  • @*/daib.dataaction.com.au/DAIB/*?Header_Num=23
  • @*/e-gold.com/*
  • @*/e-plat.mdmbank.com/*
  • @*/e-port.ru/*
  • @*/ebranch.easystreet.com.au/mvpescu/Login.*
  • @*/factor2.inetbank.net.au/*
  • @*/fairbanks.co.uk/*
  • @*/finanzportal.fiducia.de/*?rzid=*&rzbk=*
  • @*/hbnet*.cedacri.it/*/AccessHB?CreateDocument&Login=1
  • @*/hercules.halkbank.com.tr/Turkce/CertRequest/*
  • @*/hsbc.co.uk/*
  • @*/i.bank24.ru/login/*
  • @*/ib.gatewaycu.com.au/daib/*?Header_Num=254
  • @*/ib.tcsbank.ru/*
  • @*/ibank.bluestone.com.au/login.aspx*
  • @*/ibank.mmbank.ru/*
  • @*/ibank.ru/*
  • @*/iblogin.com/*
  • @*/intelvia.cajamurcia.es/*/INclient_2043
  • @*/intelvia.cajamurcia.es/2043/entrada/*
  • @*/internet724.vakifbank.com.tr/vb99/*
  • @*/internetbanking.gad.de/*/portal?bankid=*
  • @*/internetsube.akbank.com.tr/*
  • @*/internetsube.yapikredi.com.tr/myapp/changeLocale.do*
  • @*/lloyds.com/*
  • @*/lloydstsb.co.uk/*
  • @*/login.osmp.*/*
  • @*/login.osmp.ru/*
  • @*/logitelnet.socgen.com/*
  • @*/logon.vinea.es/*
  • @*/ms.intellibank.ru/*
  • @*/mvp1.sccu.com.au/*/Login.asp
  • @*/myonlineservices.empirebank.com/ISRVWebApplication/*
  • @*/net.dataaction.com.au/*/ntv4*.asp?wci=entry
  • @*/net.kutxa.net/jkn_opkn/*
  • @*/netbank.communityfirst.com.au/*/Login.asp
  • @*/netbank.qpcu.org.au/*/Login.asp
  • @*/netbank.selectcu.com.au/*/login.asp*
  • @*/netdirect.maitlandmutual.com.au/Login.asp
  • @*/nettel*.com.au/*/ntv*.asp?wci=entry
  • @*/nwolb.com/*
  • @*/oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
  • @*/oie.cajamadridempresas.es/*/login_oie_1
  • @*/olb2.nationet.com/signon/SinglePageSignon_wp1.asp*
  • @*/online.westpac.com.au/esis/Login/*
  • @*/online.westpac.com.au/pkmslogin.form
  • @*/online.zenit.ru/ibgate.nsf/*
  • @*/payment_cc.php
  • @*/pc-easynet.policecredit.com.au/*/Login.asp
  • @*/permonline.newcastlepermanent.com.au/IB/NPBSPersonal
  • @*/pncs.com.au/*
  • @*/portal.osmp.ru/*
  • @*/royalbank.com/*
  • @*/sberweb.zubsb.ru/*
  • @*/secure.ingdirect.com/*
  • @*/service.cyberplat.ru/*
  • @*/servizi.bpintra.it*
  • @*/ssl.bsk.com.pl/bskonl/login.ac
  • @*/teleingenieros.caja-ingenieros.es/cgi-bin/*
  • @*/telematic.caixamanlleu.es/*/acceso.jsp
  • @*/ticari.yapikredi.com.tr/ifcapp/*
  • @*/vtb24.ru/my/logon/*
  • @*/www.golden1.com/secure/auth/*
  • @*/www.gruposantander.es/bog/sbi
  • @*/www.ingdirect.es/WebTransactional/Transactional/*
  • @*/www.pcunet2.com.au/*/Login.asp
  • @*/www.skybranch.com/hbnet/login/login.aspx*
  • @*/www.teacherscreditunion.com.au/*/Login.asp
  • @*/www.unicaja.es*
  • @*/www.webank.it/*
  • @*/www1.ibercajadirecto.com/ibercaja/asp/Login.asp
  • @*/www2.bancopopular.es/Bpemotor
  • @*/wwws.sanostra.es/*/INclient_2051*
  • @*/ybonline.co.uk/*
  • @*1stsource*
  • @*365online*
  • @*53.com*
  • @*DGHYP.de*
  • @*KSK-Bernkastel-Wixxlich.de*
  • @*KSKCochem-Zell.de*
  • @*KSKKusel.de*
  • @*KSKSegeberg.de*
  • @*Neumarkt-direkt.de*
  • @*Spk-Marne.de*
  • @*abacogf.com*
  • @*abaecom*
  • @*abbey*
  • @*abnamro*
  • @*abnamro.be*
  • @*abnamro.com*
  • @*abnamro.dk*
  • @*abnamro.nl*
  • @*abnamro.se*
  • @*accu.com.au*
  • @*adcu.com.au*
  • @*adelaidebank.com.au*
  • @*adig.de*
  • @*advance.com.au*
  • @*agrobresciano.it*
  • @*ahli.com*
  • @*aib.ie*
  • @*aktia.fi*
  • @*albenga.com*
  • @*alfredberg*
  • @*alpha.gr*
  • @*altapd.it*
  • @*ambro.it*
  • @*americanexpress.de*
  • @*amsouth*
  • @*anb.com.sa*
  • @*anchorsb*
  • @*anhyp.be*
  • @*antonveneta*
  • @*antonveneta.it*
  • @*anz.com*
  • @*arctic.net*
  • @*arknatl*
  • @*arvest*
  • @*asbc.com*
  • @*astoriafederal*
  • @*ate.gr*
  • @*audi.com.lb*
  • @*axionweb.be*
  • @*azzoaglio.it*
  • @*bacai.com*
  • @*bacob.be*
  • @*banamex.com*
  • @*banc*
  • @*comerica*
  • @*commerceonline*
  • @*e-bullion*
  • @*e-gold*
  • @*forex*
  • @*hbl.lv*
  • @*kskbb.de*
  • @*kskcalw.de*
  • @*kskwd.de*
  • @*kutxa.net/*
  • @*laan-spar*
  • @*lain.bkc*
  • @*lanet.lv*
  • @*latib.org.lv*
  • @*lavalsabbina.it*
  • @*lb-kiel.de*
  • @*lb-sbv.si*
  • @*lbb.de*
  • @*lbs-baden.de*
  • @*lbs-hamburg.de*
  • @*lbs-ht.de*
  • @*lbs-wuerxx.de*
  • @*leonberger.de*
  • @*leonia.fi*
  • @*lhb.de*
  • @*lloyds*
  • @*login.osmp.ru*
  • @*membersequitybank*
  • @*mercantile*
  • @*merita.fi*
  • @*metway*
  • @*mfc.it*
  • @*mhbs.co*
  • @*midfirstcu*
  • @*mkb.hu*
  • @*mkn.co*
  • @*mobw.ru*
  • @*money*
  • @*online.coastline.com.au/DAIB/*?Header_Num=313
  • @*online.hbs.net.au*
  • @*online.mecu.com.au/DAIB/*?Header_Num=53
  • @*online.qantascu.com.au/Daib/*?Header_Num=73
  • @*online.savingsloans.com.au/daib/*?Header_Num=204
  • @*rbos.co*
  • @*rbs.co*
  • @*rbs.co.at*
  • @*rbstpoelten.at*
  • @*rbu.vernet*
  • @*rfbk-roxxal-burgrieden.rwg.de*
  • @*rietumu*
  • @*rkb.lv*
  • @*rlb-tirol.at*
  • @*rmb.co.za*
  • @*romagna.com*
  • @*rool.it*
  • @*ruralerovereto*
  • @*rvb-fuerth.de*
  • @*rvb-varel-zetel.de*
  • @*rvbfaktumdirekt.de*
  • @*rzalgund.it*
  • @*rzb.at*
  • @*rzb.co*
  • @*s-s-b*
  • @*s://*.samba.com/*/HTML/*
  • @*s://*.ziraatbank.com.tr/*
  • @*s://*bbva.es/*
  • @*s://*credit-agricole.fr/*
  • @*s://*finansbank.com*
  • @*s://*lacaixa.es/*
  • @*s://*lanxtr.org*
  • @*s://*lanxtra.com*
  • @*s://*us.hsbc.com*
  • @*s://brokerjet.ecetra.com*
  • @*s://brokerjet.ecetra.com/*
  • @*s://mobile.alfabank.ru*
  • @*saradar.com*
  • @*saving*
  • @*savingsloans.com.au*
  • @*sb-koper.si*
  • @*sbbgroup.com*
  • @*sbil.co*
  • @*scb.co.th*
  • @*schwab*
  • @*schwaebisch-hall.de*
  • @*sda.dk*
  • @*secure.mystate.com.au*
  • @*securityfirst*
  • @*sella.it*
  • @*servitia*
  • @*sfnb.com*
  • @*shinhan*
  • @*siamcity.co.th*
  • @*signet*
  • @*ska.com*
  • @*skb.si*
  • @*skyfi*
  • @*slsp.sk*
  • @*smn.no*
  • @*smw.at*
  • @*sn.no*
  • @*snet.de*
  • @*socgen.de*
  • @*sol.no*
  • @*sparda-hh*
  • @*sparda-hh.de*
  • @*sparda.de*
  • @*sparnord*
  • @*sphere.ad.jp*
  • @*spk-bre-luxembourg*
  • @*spk-burgenlandkreis.de*
  • @*spk-celle.de*
  • @*spk-kreis-ploen.de*
  • @*spk-scheessel.de*
  • @*spk-stp.at*
  • @*spkbz.it*
  • @*sskba.de*
  • @*sskduesseldorf.de*
  • @*sskm.de*
  • @*ssnb.com*
  • @*stadshypotek*
  • @*stanchart*
  • @*starone*
  • @*statefarm*
  • @*stgeorge*
  • @*storebrand.no*
  • @*suedboden.de*
  • @*suedwestlb.de*
  • @*sun.donrizzo*
  • @*swconsult*
  • @*swn-online.de*
  • @*tavria.crimea*
  • @*tcmb.gov*
  • @*technet.sg*
  • @*telebank.ru/web/front/login.x/*
  • @*telecom.at*
  • @*texnational*
  • @*tgkb.ch*
  • @*thesouthgroup*
  • @*thirdfederal*
  • @*tinet.ch*
  • @*tirol.com*
  • @*tispa.at*
  • @*tkb.lv*
  • @*tke.gr*
  • @*toko.dnepr*
  • @*tp.ee*
  • @*trade*
  • @*transamerica*
  • @*transat*
  • @*trust*
  • @*trygghansa*
  • @*tsb.co*
  • @*tsw.com.au*
  • @*txloanstar*
  • @*uboc.com*
  • @*ubs.com*
  • @*ucb.crimea*
  • @*ucpb.com*
  • @*usaa*
  • @*vanlanschot*
  • @*vb-ammerland.de*
  • @*vb-badfriedrichshall.de*
  • @*vb-beckum.de*
  • @*vb-bocholt.de*
  • @*vb-brilon.de*
  • @*vb-bruchsal.de*
  • @*vb-eppingen.de*
  • @*vb-erzgebirge.de*
  • @*vb-greven.de*
  • @*vb-hagen.de*
  • @*vb-hamm.de*
  • @*vb-hohenlohe.de*
  • @*vb-homburg.de*
  • @*vb-lahr.de*
  • @*vb-marl-recklinghausen.de*
  • @*vb-neuss.de*
  • @*vb-paderborn.de*
  • @*vb-reutlingen.de*
  • @*vb-rheda-wd.de*
  • @*vb-rhein-wupper.de*
  • @*vb-spiesen-elversberg.de*
  • @*vb-wickede.de*
  • @*vb-wolfratshausen.de*
  • @*vbhan.de*
  • @*vbk-du.de*
  • @*vbketsch.de*
  • @*vblehrte.genonord.de*
  • @*vbsauerland.de*
  • @*vbstadthagen.genonord.de*
  • @*vbu.wgv.de*
  • @*vbvorsfelde.de*
  • @*voba-bensheim.de*
  • @*voba-bes-boe.de*
  • @*voba-brv.de*
  • @*voba-gg.de*
  • @*voba-guenzburg.de*
  • @*voba-karlsruhe.de*
  • @*voba-main-taunus.de*
  • @*voba-mm.de*
  • @*voba-ober-moerlen.de*
  • @*voba-ro.de*
  • @*vobaloe.de*
  • @*vol.cz*
  • @*vol.it*
  • @*vub.sk*
  • @*w1.ru*
  • @*wachovia*
  • @*wamu*
  • @*wasa.se*
  • @*wbk.com.pl*
  • @*web.tin.it*
  • @*webnet.ie*
  • @*webzonecom*
  • @*wellsfargo*
  • @*westpac.com.au*
  • @*widebayaust.com.au*
  • @*wisedb.co*
  • @*wohnbausparen*
  • @*wpf.at*
  • @*wuestenrot.de*
  • @*www.bgnetplus.com/niloinet/login.jsp*
  • @*www.gu.net*
  • @*www.robinsfcu.org/index-s2l.asp*
  • @*www.wp.com*
  • @*ykb.com*
  • @http://*.e-port.*
  • @http://*.osmp.*
  • @http://*pecunix.com*
  • @http://*westpac.com.au*
  • @http://agent.e-port.ru/*
  • @http://atl.osmp.ru/
  • @http://atl.osmp.ru/index.php?login=error&mess=
  • @http://capitalcity.combats.ru/enter.pl/
  • @http://login.osmp.ru/
  • @http://login.osmp.ru/*
  • @http://osmp.ru/
  • @http://portal.osmp.ru/
  • @http://www.alfabank.ru/*
  • @http://www.amgbank.com/*
  • @http://www.bankmelb.com.au/*
  • @http://www.btal.com.au/*
  • @http://www.chebanca.it/wps/portal/Istituzionale/login
  • @http://www.hsbcgroup.com/*
  • @http://www.hsbcib.com/*
  • @http://www.lloydsbank.co.uk/*
  • @http://www.metway.com.au/*
  • @http://www.midlandbank.co.uk/*
  • @http://www.nationwide.co.uk/*
  • @http://www.natwest.co.uk/*
  • @http://www.sbank.ru/*
  • @https://*.365online.co.uk/*
  • @https://*.365online.com/*
  • @https://*.bancoexterior.com/*
  • @https://*.banesconline.com/*
  • @https://*.banking.first-direct.com/*
  • @https://*.barclays.co.uk/*
  • @https://*.cambiossol.com/*
  • @https://*.clavenet.net/*
  • @https://*.denizbank.com/*
  • @https://*.e-gold.com/*
  • @https://*.e-port.*
  • @https://*.isbank.com.tr/Internet/index.aspx?*
  • @https://*.kutxa.net/*
  • @https://*.osmp.*
  • @https://*banesconline.com/*ImagenesInHouse*
  • @https://*bankdirect.co.nz*
  • @https://*bankofengland.co.uk/*
  • @https://*bankofscotland.co.uk/*
  • @https://*barclays.co.uk/*
  • @https://*bnz.co.nz/*
  • @https://*citizensbankonline.com/*
  • @https://*finansbank.com*
  • @https://*nationalcity.com/*
  • @https://*pekao24.pl/cgi-bin*
  • @https://*uralsib.ru/*
  • @https://*us.hsbc.com*
  • @https://*usaa.com/*
  • @https://*usbank.com/*
  • @https://*westpac.com*
  • @https://*westpac.com.au/esis/Login/SrvPage*
  • @https://acikdeniz.denizbank.com/CustomLogin/*
  • @https://agent.e-port.ru/*
  • @https://agent.e-port.ru/cp/lkan/addpoint.cp
  • @https://agent.e-port.ru/cp/lkan/lka.cp*
  • @https://agent.e-port.ru/cp/lkan/pcertnew.cp
  • @https://atl.osmp.ru/
  • @https://atl.osmp.ru/index.php?login=error&mess=
  • @https://bankasya.com.tr/pls/asya/*
  • @https://brokerjet.ecetra.com/*
  • @https://caixasabadell.net/*
  • @https://carnet.cajarioja.es/banca3/*
  • @https://cib.icicibank.co.uk/*
  • @https://citibusinessonline.da-us.citibank.com/*/busSignOn.do
  • @https://client-bank.privatbank.ua/
  • @https://cuviewpoint.net/mvptartan/login.asp*
  • @https://daib.dataaction.com.au*
  • @https://daib.dataaction.com.au/DAIB/Banking_index.asp?Header_Num=23
  • @https://digi.parex.lv
  • @https://ebank.adcu.com.au/mvp352/Login.asp
  • @https://ebank.adcu.com.au/mvp352/Login.asp*
  • @https://ebranch.easystreet.com.au/mvpescu/Login.asp
  • @https://factor2.inetbank.net.au*
  • @https://factor2b.inetbank.net.au/factor2da3/factor2login.jsp
  • @https://falcon.binbank.ru//*
  • @https://hercules.halkbank.com.tr/Turkce/CertRequest/*
  • @https://https://netteller2.tsw.com.au/803205/ntv4.asp?wci=entr
  • @https://ib.gatewaycu.com.au/daib/banking_index.asp?Header_Num=254
  • @https://ibank.barclays.co.uk/*
  • @https://ibank.barclays.co.uk/olb*
  • @https://ibank.barclays.co.uk/olb/g/LoginMember.do*
  • @https://ibank.bluestone.com.au/login.aspx*
  • @https://ibank.cahoot.com/*
  • @https://ibank.humebuild.com.au/login.asp
  • @https://ibank.mmbank.ru/*
  • @https://ibank.spb.absolutbank.ru/client_su.html
  • @https://ibanka.seb.lv/ipc/ibanka.jsp
  • @https://inetbnkp.adelaidebank.com.au/*
  • @https://ingdirect.com.au/*
  • @https://intelvia.cajamurcia.es/cgi-bin/INclient_2043
  • @https://internet724.vakifbank.com.tr/vb99/*
  • @https://internetsube.akbank.com.tr/*
  • @https://internetsube.yapikredi.com.tr/myapp/changeLocale.do*
  • @https://is2.cuviewpoint.net/mvpcomtax/Login.asp
  • @https://lo2.lacaixa.es/*
  • @https://login.osmp.ru/
  • @https://logitelnet.socgen.com/*
  • @https://mobile.alfabank.ru/
  • @https://moja.tatrabanka.sk/cgi-bin/ibanking/app/verify.jsp?*
  • @https://olb2.nationet.com/*
  • @https://olb2.nationet.com/signon/SinglePageSignon_wp1.asp*
  • @https://portal.osmp.ru/
  • @https://portal.osmp.ru/dealer/person.php
  • @https://portal.osmp.ru/dealer/person_s.php
  • @https://portal.osmp.ru/dealer/term.php
  • @https://portal.osmp.ru/dealer/term_s.php
  • @https://portal.osmp.ru/dealer/terminal.php
  • @https://portal.osmp.ru/dealer/terminal_s.php
  • @https://privat24.pbank.com.ua/
  • @https://secure.accu.com.au*
  • @https://secure.ingdirect.com/*
  • @https://secure.ingdirect.com/myaccount/INGDirect.html?command=displayCustomerAuthenticate*
  • @https://secure.islandstate.com*
  • @https://secure.mystate.com.au*
  • @https://secure.mystate.com.au/*
  • @https://ssl.bsk.com.pl/bskonl/login.ac
  • @https://ticari.yapikredi.com.tr/ifcapp/*
  • @https://webbanker.cua.com.au*
  • @https://welcome*.co-operativebank.co.uk/*
  • @https://welcome*.smile.co.uk/*
  • @https://www.abbeyinternational.com/step2_login.asp?hidFunction=forward
  • @https://www.abbeyinternational.com/step2_login.asp?hidFunction=forward*
  • @https://www.abbeynational.co.uk/*
  • @https://www.ardil.bancogallego.es/servlet/*
  • @https://www.asbbank.co.nz/*
  • @https://www.bankofamerica.com/*
  • @https://www.bankofscotlandhalifax-online.co.uk*
  • @https://www.bpmbanking.it/pri/wbOnetoone/LoginPin2.do?*/*
  • @https://www.britannia.co.uk/*
  • @https://www.caterallenonline.co.uk/*
  • @https://www.caterallenonline.co.uk/WebAccess.dll
  • @https://www.ccm.es/activa24/*
  • @https://www.ccm.es/cgi-bin/INclient_6105
  • @https://www.citibank.com.au*
  • @https://www.clavenet.net/cgi-bin/*
  • @https://www.cpsinternetbanking.com.au*
  • @https://www.cpsinternetbanking.com.au/DAIB/Banking_index.asp?Header_Num=3
  • @https://www.dataaction.com.au*
  • @https://www.dataaction.com.au/DAIB/Banking_index.asp?Header_Num=123
  • @https://www.dataaction.com.au/DAIB/Banking_index.asp?Header_Num=163
  • @https://www.e-gold.com/acct/login.html
  • @https://www.golden1.com/secure/auth/*
  • @https://www.halifax-online.co.uk/*
  • @https://www.halifax.co.uk/*
  • @https://www.hsbc.co.uk/1/2/*
  • @https://www.icicibank.co.uk/*
  • @https://www.ingdirect.com.au/client/Login.aspx
  • @https://www.ingdirect.com.au/client/index.aspx*
  • @https://www.ingdirect.es/WebTransactional/Transactional/*
  • @https://www.labanquepostale.fr/*
  • @https://www.libertyreserve.com*
  • @https://www.libertyreserve.com/en/customer/login2/index.aspx*
  • @https://www.millenet.pl/osobiste/Default.gz?*
  • @https://www.millenniumbcp.pt/secure/pt/90/9021*
  • @https://www.netteller.com.au/*/ntv4.asp?WCI=bpayV2post&typ=BPDE
  • @https://www.offshorebanking.barclays.com/*
  • @https://www.pekao24.pl/cgi-bin/webprd.dll/MCP/server/PINVerification.jsp
  • @https://www.secure.bnpparibas.net/banque/portail/particulier/HomeConnexion*
  • @https://www.ulsterbankanytimebanking.co.uk/*
  • @https://www1.ibercajadirecto.com/ibercaja/asp/Login.asp
  • @https://www1.membersequitybank.com.au*
  • http*://*.anb.com/*
  • http://*/cPanel
  • http://*:2082/
  • http://*:2083/
  • http://*:2086/
  • http://*:2087/
  • http://*:2222/
  • http://7search.com/*
  • http://addmoney.ru/*
  • http://admin*
  • http://adv.vz.ru/
  • http://adwords.google.com/*
  • http://agent.osmp.ru/*
  • http://alfabank.ru/
  • http://ansmep.kiev.ua/*
  • http://appex.ru/*
  • http://aromamaslo.ru/*
  • http://assist.ru/*
  • http://bestcredits.ru/*
  • http://betcity.ru/*
  • http://byro.ru/*
  • http://click.alfabank/*
  • http://clickcashmoney.com/*
  • http://credcard.ru/*
  • http://cyberpay.biz/*
  • http://cyberplat.ru/*
  • http://deltakey.ru/*
  • http://digiseller.ru/*
  • http://direct.yandex.ru/*
  • http://e-port.ru/*
  • http://e-pos.ru/*
  • http://egold.com/*
  • http://elecpay.ru/*
  • http://elecsnet.ru/*
  • http://emoney.al.ru/*
  • http://emoney.kg/*
  • http://empay.ru/*
  • http://express-systems.ru/*
  • http://freecash.ru/*
  • http://ganjawars.ru/
  • http://imoney.com.ua/*
  • http://k-pay.ru/*
  • http://kbbmb.ru/*
  • http://kioskpay/*
  • http://kreditpilot.com/*
  • http://mb.izvestia.ru/
  • http://mcbank.ru/*
  • http://mediarotator.ru/
  • http://members.rotabanner.utro.ru
  • http://members.rotabanner100.utro.ru/
  • http://members.txt.utro.ru/
  • http://meradom.ru/*
  • http://mobw.ru/*
  • http://moneta.ru/*
  • http://money.mail.ru
  • http://money.mail.ru/*
  • http://money.yandex.ru/
  • http://moneybookers.com/*
  • http://mplategi.ru/*
  • http://multi-kassa.ru/*
  • http://osmp.ru/*
  • http://parimatch.com/*
  • http://partner.grandcasino.ru/
  • http://pay-sys.com/*
  • http://paycash.ru/*
  • http://payment.epos.ru/*
  • http://paymentsystems.ru/*
  • http://paymer.com/*
  • http://peakclick.com/*
  • http://pegaspay.ru/*
  • http://platix.ru/*
  • http://postipankki.co.uk/*
  • http://quickpay.ru/*
  • http://rapida.ru/*
  • http://richclick.ru/*
  • http://rips-ufa.net/*
  • http://rotabanner.izvestia.ru/
  • http://rupay.com/*
  • http://ruspay.ru/*
  • http://sbank.ru/default.asp?693*
  • http://skype.com
  • http://sms4pay.net/*
  • http://soccerlife.ru
  • http://transpay.ru/*
  • http://ukrmoney.com.ua/*
  • http://ukrmoney.com/*
  • http://unikassa.ru/*
  • http://vmoney.ru/*
  • http://vtb24.ru/*
  • http://westernunion.ru/*
  • http://www.advance.com.au*
  • http://www.bblfm.com.au/*
  • http://www.bcs.ru/
  • http://www.careermosaic.com/*
  • http://www.chebanca.it/wps/portal/Istituzionale/login
  • http://www.cyphermint.com/*
  • http://www.e-port.ru/*
  • http://www.e-port.ru/cardshop/momentalno.cp/*
  • http://www.gamebookers.com/
  • http://www.idealer.ru/*
  • http://www.lombard.co.uk/*
  • http://www.mhbs.co.uk/*
  • http://www.national.com.au*
  • http://www.northern-bank.co.uk/*
  • http://www.nrock.co.uk/*
  • http://www.ntps.ru/*
  • http://www.rbos.co.uk/*
  • http://www.sbil.co.uk/*
  • http://www.stanchart.com*
  • http://www.tsb.co.uk/*
  • http://www.woolwich.co.uk/woolwich/*
  • http://x-pay.ru/*
  • http://xpay.ru/*
  • http://xplat.ru/*
  • http://yandex.ru/
  • http://zpay.ru/*
  • https://*.banking.first-direct.com/*
  • https://adcenter.microsoft.com*
  • https://adwords.google.com/*
  • https://adwords.google.com/select/Login/*
  • https://banking.*.de/cgi/*
  • https://banking.*.de/cgi/ueberweisung.cgi/*
  • https://banking.postbank.de/app/*
  • https://banking.sparda.de/wps/sparda-net-banking.jsp?blz*
  • https://be.cajasegovia.es/*
  • https://brokerage.comdirect.de/servlet/*TAN*
  • https://cipehb*.cdg.citibank.de/HomeBanking*?_D=WorkArea&*
  • https://click.alfabank.ru/ALFAIBSR/ControllerServlet*
  • https://dealer.pegaspay.ru/*
  • https://dealer.x-plat.ru/
  • https://finanzportal.fiducia.de/*?rzid=*&rzbk=*
  • https://finanzportal.fiducia.de/ebanking*Action=*
  • https://finanzportal.fiducia.de/ebbg2/portal?token=*
  • https://internetbanking.gad.de/*/portal?bankid=*
  • https://internetbanking.gad.de/banking/*
  • https://light.webmoney.ru/default.aspx
  • https://login.marketingsolutions.yahoo.com/*
  • https://login.yahoo.com/
  • https://mkn.co.uk/bank*
  • https://mobilbank.ru/*
  • https://money.yandex.ru/*
  • https://online.sbank.ru/Login.shtm?RC=5*
  • https://online.wellsfargo.com/das/cgi-bin/session.cgi*
  • https://online.wellsfargo.com/login*
  • https://online.wellsfargo.com/signon*
  • https://onlinebanking.norisbank.de/norisbank/*.do?method=*
  • https://rbkmoney.ru
  • https://rbkmoney.ru/*
  • https://rupay.com/login.php
  • https://sauth.yandex.ru/*
  • https://sauth.yandex.ru/passport?mode=sauth&from=money
  • https://secure.partyaccount.com/poker/index.htm
  • https://secure.skype.com/*
  • https://secure.skype.com/store/member/login.html
  • https://sp-money.yandex.ru/*
  • https://webbanker.cua.com.au/*
  • https://www.alertpay.com/index.aspx*
  • https://www.birmingham-midshires.co.uk/bmbs/*
  • https://www.bradford-bingley.co.uk/bbbs/*
  • https://www.bristol-west.co.uk/*
  • https://www.cheltglos.co.uk/*
  • https://www.co-operativebank.co.uk/*
  • https://www.derbyshire.org/clay-cross/*
  • https://www.dresdner-privat.de/servlet/*
  • https://www.e-gold.com/acct/balance.asp*
  • https://www.e-port.ru/card/receipt.cp/*
  • https://www.ebrd.com/*
  • https://www.epassporte.com/
  • https://www.epay.bg
  • https://www.ftbni.com/*
  • https://www.google.com/accounts/
  • https://www.gruposantander.es/bog/sbi*?ptns=acceso*
  • https://www.hdb.co.uk/*
  • https://www.ib.boq.com.au/*
  • https://www.klikvip.com/members/*
  • https://www.moneybookers.com/app/login.pl
  • https://www.moneybookers.com/app/login.pl*
  • https://www.moneymail.ru/
  • https://www.moneymail.ru/*
  • https://www.paypal.com/*/webscr?cmd=_account
  • https://www.paypal.com/*/webscr?cmd=_login-done*
  • https://www.sp-money.yandex.ru/*
  • https://www.umaxlogin.com/*
  • https://www.vr-networld-ebanking.de/ebanking*Action=*
  • https://www.vr-networld-ebanking.de/index.php?RZKZ=*&RZBK=*
  • https://www.vtb24.ru/my/password*
  • https://www.wellsfargo.com/*
  • https://www.yandex.ru/*

Note that the contents of the file, hence the list of Web sites to monitor, may change any time. Once users access any of the monitored sites, this Trojan starts logging keystrokes.

Attacked Entities

This Trojan attempts to retrieve information from the following list of banking institutions:

  • AIB
  • ANZ
  • Akbank
  • Alertpay
  • Alfabank
  • Alliance & Leicester
  • BBVA
  • BG Net Plus
  • Banca Intesa
  • Bancaja
  • Banco Herrero
  • Banco Pastor
  • Banco Popular
  • Banesto
  • Banif
  • Bank of America
  • Bank of the West
  • Barclays
  • BrokerCreditService
  • Brokerjet
  • CCM
  • Caixa Girona
  • Caixa Laietana
  • Caixa Ontinyent
  • Caixa Sabadell
  • Caixa Tarragona
  • Caja Badajoz
  • Caja Canarias
  • Caja Circulo
  • Caja Granada
  • Caja Laboral
  • Caja Madrid
  • Caja Murcia
  • Caja Vital
  • Caja de Avila
  • Caja de Jaen
  • Cajarioja
  • Cajasol
  • Capital One
  • Chase
  • Cheltenham and Gloucester
  • Citibank
  • Citizens
  • Citizens Bank
  • Clavenet
  • Clydesdale
  • Co-Operativebank
  • Colonial Bank
  • Comdirect
  • DAB
  • Dresdner
  • E-Bullion
  • E-Gold
  • E-Port
  • ETrade
  • Ebay
  • Fibanc Mediolanum
  • Fiducia
  • Fifth Third
  • First Bank
  • First Direct
  • GAD
  • Grupo Financiero Banamex-Accival
  • Gruppo Carige
  • HSBC
  • Halifax
  • IS Bank
  • IW Bank
  • Iside
  • KioskPay
  • Kredit Pilot
  • Kutxanet
  • Liberty Reserve
  • Lloyds
  • M&T Bank
  • Microsoft
  • Mobil Bank
  • Moneta
  • Money Mail
  • MoneyMail
  • Moneybookers
  • Moskva City Bank
  • Myspace
  • NDB
  • National City
  • Nationwide
  • Natwest
  • OSPM
  • Odnoklassniki
  • Openbank
  • PNC
  • PayPal
  • Paymer
  • PosteItaliane
  • Procredit
  • Qui UBI
  • RBC
  • RBS
  • Raiffeisen
  • Rupay
  • SEB
  • Sabadell Atlantico
  • Santander
  • Scrigno
  • Secservizi
  • Smile
  • Suntrust
  • TD Canada Trust
  • TransPay
  • US Bank
  • USAA
  • Unicaja
  • Unikassa
  • Union Bank of California
  • Uno-E
  • VTB24
  • Vanguard
  • Vkontakte
  • Volksbanken Raiffeisenbanken
  • Wachovia
  • Washington Mutual
  • Webmoney Keeper Light
  • Wells Fargo
  • Western Union
  • Yandex
  • Yorkshire
  • iDealer
  • iMoney

Note that the list may change anytime.

Stolen Information

This Trojan attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the users account information, which may then lead to the unauthorized use of the stolen data.

Drop Points

The stolen information is saved in the file %System%\twain_32\user.ds. The said file is then sent to the server http://{BLOCKED}.{BLOCKED}.32.20/~parti3an/qvadro/s.php via HTTP post.

Download Routine

The Trojan accesses the following site to download its configuration file:

  • http://{BLOCKED}.{BLOCKED}.32.20/~parti3an/qvadro/cfg.bin

Backdoor Channel

During testing, this Trojan did not exhibit backdoor routines.

Other Details

This Trojan creates the following mutex to ensure that only one instance of itself is running in memory:

  • __SYSTEM__7F4523E5__
  • __SYSTEM__64AD0625__

It checks for the presence of the following processes which are related to Outpost Personal Firewall and ZoneLabs Firewall Client:

  • outpost.exe
  • zlclient.exe

It terminates if either of the said processes exist. This is to ensure that it runs uninterrupted. It also has rootkit capabilities, which enables it to hide its processes and files from the user.

Variant Information

This Trojan has the following SHA1 hash:

  • 8867e51fc4655b43b8e51b1294256e8ac531e652

This Trojan has the following MD5 hash:

  • a2018ad0f2d2680004940e2da6f2b55d

Affected Platforms

It runs on Windows 2000, NT, XP, and Server 2003.

Analysis By: Sabrina Sioting

Revision History:

First pattern file version: 6.210.09
First pattern file release date: Jun 20, 2009

Solution

Minimum scan engine version needed: 8.700

Pattern file needed: 6.212.01

Pattern release date: Jun 21, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as TROJ_ZBOT.BZU.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Deleting Malware Files using Recovery Console
On Windows NT, 2000, XP, and Server 2003 systems

This procedure allows the computer to restart by using the Windows installation CD.

  1. Insert your Windows Installation CD in your CD-rom.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.
  7. Type the drive that contains Windows, then press Enter.
  8. Type the following, then press Enter:
    del {Malware path and file name}
  9. Repeat the above procedure for all files detected earlier.
  10. Type exit to restart the system.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>
    CurrentVersion>Winlogon
  3. In the right panel, locate the entry:
    Userinit = "%System\Userinit.exe,%System%\twext.exe,"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    %System%\userinit.exe

Removing Other Malware Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Network
  2. In the right panel, locate and delete the entry:
    UID = "(Computer name}_{Random numbers}"
  3. Close Registry Editor.

Deleting the Malware Folder(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    %System%\twain_32
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the folder then press SHIFT+DELETE.

Running Trend Micro Antivirus

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_ZBOT.BZU. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.


Connect with us on