My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


(Trojan-Spy.Win32.Banker.hq, W32/Banker.UE, TSPY_BANKER.HQ, Troj/Banker-AT)


Presence under the Windows directory of the virus executable with the name WinAdCnt16.exe, with the size of 181760 bytes.

Removal instructions:

Please let BitDefender delete your files.

You should also remove the autorun registry entry by deleting with REGEDIT the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAdCnt16.exe entry from the registry.

Analyzed By

SАndor LUKаCS, virus researcher

Technical Description:

The virus checks on start if it is already registered for automatical startup. If not, then creates a copy of the trojan executable and places it under the windows directory with the name WinAdCnt16.exe and the size of 181760 bytes. After this the virus creates an entry for automatical startup under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAdCnt16.exe.

When running, the virus repetedly checks using DDE the presence of a running Internet Explorer or Netscape Navigator. If found, the virus checks for banking URLs and displays a fake web browser window trying to persuade the user to introduce confidential data.

The virus contains references to the following websites:

  • http://www.[removed]
  • http://www.[removed]
  • http://www.[removed]
  • http://www.[removed]
  • http://www.[removed]