
TrojanSpy:Win32/Bancos.BK


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Bancos.BK is also known as Trojan.Banker.LAR (BitDefender), Trojan-Banker.Win32.Banker.abpc (Kaspersky), W32/Smalltroj.IELI (Norman), Mal/EncPk-CU (Sophos), Packed.Generic.56 (Symantec), Packed/XPack (VirusBuster).

Explanation:

TrojanSpy:Win32/Bancos.BK is a trojan that captures logon credentials to online banking Web sites for banks located in Brazil and may connect to a remote Web site using TCP port 1433.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry values and data:
    Value: "Gbp Service"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Value: "Embedded Web Browser from: http://bsalsa.com/"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

    Value: "NetworkAddress"
    With data: "00 4D AA 07 A4 C4"
    In subkey: HKLM\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData


Installation

The trojan may be installed by other potentially unwanted software or by a malicious Web site. When run, this trojan modifies the registry so that it executes at each Windows startup:

  • Adds value: "Gbp Service" or "ashservecie"
    With data: "<path and filename of Win32/Bancos.BK>"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The trojan may be present as a file named "GbpSv.exe".

Payload

Modifies System Settings
The trojan modifies the registry with the following data:

  • Adds value: "Embedded Web Browser from: http://bsalsa.com/"
    With data: "0"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

  • Adds value: "NetworkAddress"
    With data: "00 4D AA 07 A4 C4"
    To subkey: HKLM\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData

Captures Logon Credentials
This trojan captures logon credentials when a user logs into an online banking site with certain domain names for banks located in Brazil.

Connects With Remote Server
Win32/Bancos.BK attempts to connect to a remote Web site with the IP address 201.76.55.11 using TCP port 1433.
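The following PowerShell check is an added example, not part of the original writeup: it queries a host for the registry values, the NetworkAddress data and the file name listed above and returns any hits. The search location for "GbpSv.exe" is an assumption, since the writeup does not say where the file is dropped.

```powershell
# Added example: audit a host for the TrojanSpy:Win32/Bancos.BK indicators
# listed in this writeup. Run in an elevated PowerShell session.
function Test-BancosBKIndicators {
    $findings = @()

    # Persistence: either Run value name reported for this sample
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in @('Gbp Service', 'ashservecie')) {
        $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{ Indicator = "Run value '$name'"; Detail = $item.$name }
        }
    }

    # Marker value written under Internet Settings\User Agent\Post Platform
    $ppKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
    $ppName = 'Embedded Web Browser from: http://bsalsa.com/'
    $pp = Get-ItemProperty -Path $ppKey -Name $ppName -ErrorAction SilentlyContinue
    if ($pp) {
        $findings += [pscustomobject]@{ Indicator = "Post Platform value '$ppName'"; Detail = $pp.$ppName }
    }

    # NetworkAddress exists legitimately on many hosts; only the specific
    # data reported for this sample is treated as an indicator.
    $uuidKey = 'HKLM:\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData'
    $na = Get-ItemProperty -Path $uuidKey -Name 'NetworkAddress' -ErrorAction SilentlyContinue
    if ($na) {
        $raw = $na.NetworkAddress
        if ($raw -is [byte[]]) { $hex = ($raw | ForEach-Object { $_.ToString('X2') }) -join ' ' }
        else                   { $hex = [string]$raw }
        if ($hex -eq '00 4D AA 07 A4 C4') {
            $findings += [pscustomobject]@{ Indicator = 'UuidTemporaryData NetworkAddress'; Detail = $hex }
        }
    }

    # Dropped file name; searching under the Windows directory is an assumption
    Get-ChildItem -Path $env:SystemRoot -Filter 'GbpSv.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'File GbpSv.exe'; Detail = $_.FullName }
        }

    return $findings
}

# Usage: an empty result means none of the listed indicators were found
Test-BancosBKIndicators | Format-Table -AutoSize
```

A hit on the Run value alone is a strong signal; the Post Platform marker is also left by legitimate software built with the same embedded-browser component, so treat it as corroborating rather than conclusive.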

Analysis by Subratam Biswas

Last update 04 February 2009
