
TrojanSpy:Win32/Bancos.AEV


First posted on 30 December 2011.
Source: Microsoft

Aliases :

TrojanSpy:Win32/Bancos.AEV is also known as Trojan.PWS.Banker.61210 (Dr.Web), Trojan-Banker.Win32.Banbra.amdu (Kaspersky), Mal/Bancos-Q (Sophos).

Explanation :

TrojanSpy:Win32/Bancos.AEV is a trojan that monitors and captures logon credentials for an online banking website and certain social networking websites. The stolen credentials are sent to an email address for collection by the attacker.





Installation

TrojanSpy:Win32/Bancos.AEV is installed by other malware, such as TrojanDropper:Win32/Bancos.J, and may be present as a DLL, for example:

  • C:\MessengerPlus\GoogleToolbar_32.dll


The registry is modified to register Bancos.AEV as a BHO (Browser Helper Object), so that Internet Explorer loads the DLL into its own process each time the browser is launched. Because a BHO runs inside the browser, it can read form data before it is encrypted by TLS, which is what makes this persistence method suited to credential theft.
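A practical check for this persistence mechanism is to enumerate the BHO registrations on a host and resolve each one to the DLL the browser would load. The script below is an added example written for this page, not code from Microsoft's write-up or from the malware; the registry locations are the standard BHO and CLSID keys, while the "trusted directory" and signature heuristics are assumptions chosen for hunting and are not indicators taken from the page.

```powershell
# Added example: enumerate Browser Helper Object registrations and resolve each
# CLSID to its DLL. The trusted-directory and signature checks are hunting
# heuristics assumed for this example, not indicators from the write-up.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Directories where a legitimately installed BHO DLL is normally expected to live.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

function Resolve-ClsidDll {
    param([Parameter(Mandatory)][string]$Clsid)
    # A BHO entry is only a CLSID; the DLL path lives under that CLSID's InprocServer32 key.
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $clsidRoots) {
        $inproc = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            if ($dll) {
                return [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
    }
    return $null
}

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $clsid = $entry.PSChildName
        $dll   = Resolve-ClsidDll -Clsid $clsid

        # Flag DLLs that sit outside the usual install roots (e.g. a top-level C:\ folder).
        $inTrusted = $false
        if ($dll) {
            foreach ($root in $trustedRoots) {
                if ($dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }
        }

        # An unsigned or missing DLL is a second reason to look closer.
        $sig = if ($dll -and (Test-Path $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'FileMissing'
        }

        [PSCustomObject]@{
            CLSID        = $clsid
            DllPath      = $dll
            InTrustedDir = $inTrusted
            Signature    = $sig
            Suspicious   = (-not $inTrusted) -or ($sig -ne 'Valid')
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt so that both the 64-bit and Wow6432Node hives are readable. A DLL registered from a path like the example above, a directory directly under C:\ rather than under Program Files or the Windows directory, would be reported with InTrustedDir set to False; combined with a missing or invalid Authenticode signature, that is the entry to pull for analysis.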



Payload

Steals logon credentials
TrojanSpy:Win32/Bancos.AEV monitors for web browser access to the following online banking website logon form:

  • https://bankline.itau.com.br/lgnet/itauf/bankline.htm


When logon details are entered into this form, the trojan captures them. It also collects the Windows logon account user name and password and the machine's MAC address. The collected information is sent to an email address for collection by the attacker.

The trojan also attempts to capture logon information entered for the following social networking websites and sends that data by email in the same way:

  • Facebook
  • Twitter
  • Orkut




Analysis by Francis Allan Tan Seng

Last update 30 December 2011
