
TrojanSpy:Win32/Bancos.MV


First posted on 12 June 2009.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Bancos.MV is also known as Trojan.Banker.LEM (BitDefender), Win32/Spy.Bancos.NLR (ESET), PWS-Banker!l (McAfee).

Explanation:

TrojanSpy:Win32/Bancos.MV is a password stealing trojan that installs itself as a BHO (Browser Helper Object). It sends its stolen data to predefined e-mail addresses. It may also attempt to connect to certain IP addresses to download other files, which may be malware.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    drvsvc.exe
    Setup.exe
    usrsvc.exe
    wmiprevse.exe
  • The presence of the following registry entries:
    Added value: "Serviço de Drivers"
    With data: "%WINDOWS%\drvsvc.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Added value: "wmiprevse"
    With data: "%WINDOWS%\wmiprevse.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • The presence of the following registry subkeys:
    HKCR\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\CLSID\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}
    HKCR\Interface\{992756F9-2AE8-4E13-898B-0FD562184690}
    HKCR\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\NTService.Control.1
    HKCR\TypeLib\{D87F4475-BFC7-4FA4-9E65-77F4D6D60D2A}
    HKCR\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\Yahoo.Toolbar
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}


    Installation
    Upon execution, TrojanSpy:Win32/Bancos.MV creates the following hidden files, which are also detected as TrojanSpy:Win32/Bancos.MV, in the Windows folder:
  • drvsvc.exe
  • Setup.exe
  • usrsvc.exe
  • wmiprevse.exe

    It also creates the following files in the Windows system folder:
  • msado20.tlb
  • MSNMessengerAPI.tlb
  • NTsvc.ocx
  • shdocwv.dll

    The first three files are legitimate, while the last is detected as TrojanSpy:Win32/Bancos.MV.

    To ensure that only one instance of the main TrojanSpy:Win32/Bancos.MV component is running, it creates the mutex 'MSIdent Logon'.

    To ensure that it runs every time Windows starts, it creates the following registry entries:
    Adds value: "Serviço de Drivers"
    With data: "%WINDOWS%\drvsvc.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Adds value: "wmiprevse"
    With data: "%WINDOWS%\wmiprevse.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    It also creates the following keys to register its dropped files:
    HKCR\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\CLSID\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}
    HKCR\Interface\{992756F9-2AE8-4E13-898B-0FD562184690}
    HKCR\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\NTService.Control.1
    HKCR\TypeLib\{D87F4475-BFC7-4FA4-9E65-77F4D6D60D2A}
    HKCR\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
    HKCR\Yahoo.Toolbar

    It registers its dropped copy as a BHO (Browser Helper Object) by creating the following subkey:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}

    Payload

    Downloads files
    TrojanSpy:Win32/Bancos.MV attempts to download files from remote IP addresses, including 189.126.103.82.

    Steals user credentials
    Acting as a BHO, TrojanSpy:Win32/Bancos.MV may attempt to steal users' credentials when they visit certain Web sites. The stolen information may then be sent to various e-mail addresses.

    Drops other malware
    TrojanSpy:Win32/Bancos.MV also creates the following file, which is detected as TrojanSpy:WinNT/Bancos.MV:
    <system folder>\drivers\ntakrnl.sys

    Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.

    It also creates the following registry entries to allow its dropped driver to act as a service:
    Adds value: "DisplayName"
    With data: "NT Automation Kernel System"
    Adds value: "ImagePath"
    With data: "<system folder>\drivers\ntakrnl.sys"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\NTAKRNL

    Additional Information
    TrojanSpy:Win32/Bancos.MV may display a fake WinZip error when it is run.
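The following Python script is an added example (not part of the original description or of any vendor tooling) showing how the indicators above (the two Run values, the BHO CLSID, the dropped files, the NTAKRNL driver service and the 'MSIdent Logon' mutex) can be matched against host-artifact records during an incident-response sweep. The record schema, the sample records and the assumption that %WINDOWS% resolves to C:\Windows are all constructed for the example; the IoC values themselves are transcribed from this page.

```python
"""
Match the TrojanSpy:Win32/Bancos.MV host indicators listed on this page
against host-artifact records (registry values/keys, files, mutexes).

Added example. The record dicts are CONSTRUCTED for illustration; a real
sweep would feed records exported from an EDR or a registry-hive parser.
"""
from dataclasses import dataclass

# --- Indicators transcribed from the page ---------------------------------
BHO_CLSID = "{EF9A4BA9-B071-4203-8E76-EB12C5547B41}"
BHO_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects" + "\\" + BHO_CLSID)
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\NTAKRNL"
MUTEX = "MSIdent Logon"
RUN_ENTRIES = [  # (key, value name, data) exactly as the page lists them
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Serviço de Drivers", r"%WINDOWS%\drvsvc.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wmiprevse", r"%WINDOWS%\wmiprevse.exe"),
]
# Dropped files keyed by the directory the page says they land in.
# 'setup.exe' is far too generic to act on alone; see verdict().
DROPPED_FILES = {
    r"%WINDOWS%": {"drvsvc.exe", "setup.exe", "usrsvc.exe", "wmiprevse.exe"},
    r"<system folder>": {"shdocwv.dll"},
    r"<system folder>\drivers": {"ntakrnl.sys"},
}

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
                "hkey_classes_root": "hkcr"}


@dataclass(frozen=True)
class Finding:
    indicator: str  # "<family>:<detail>"; the family groups related indicators
    evidence: str   # the record that matched, kept for the analyst


def norm_key(key: str) -> str:
    """Lower-case a registry path and shorten long hive names (HKEY_LOCAL_MACHINE -> hklm)."""
    hive, _, rest = key.strip().strip("\\").lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest


def expand(path: str, windows_dir: str) -> str:
    """Resolve the page's %WINDOWS% / <system folder> placeholders, lower-cased."""
    return (path.lower()
            .replace("%windows%", windows_dir)
            .replace("<system folder>", windows_dir + r"\system32"))


def scan(records, windows_dir: str = r"c:\windows") -> list[Finding]:
    """Return every page indicator present in the records.
    windows_dir is an assumption (the page only says %WINDOWS%)."""
    windows_dir = windows_dir.lower()
    expected_files = {expand(d, windows_dir): names for d, names in DROPPED_FILES.items()}
    findings = []
    for rec in records:
        kind = rec["type"]
        if kind == "regvalue":
            key, name = norm_key(rec["key"]), rec["name"].lower()
            data = expand(rec["data"], windows_dir)
            evidence = f"{rec['key']}\\{rec['name']} = {rec['data']}"
            for rkey, rname, rdata in RUN_ENTRIES:  # autostart persistence
                if key == norm_key(rkey) and name == rname.lower() and data == expand(rdata, windows_dir):
                    findings.append(Finding("autostart:" + rname, evidence))
            if key == norm_key(SERVICE_KEY) and name == "imagepath" and data.endswith(r"\drivers\ntakrnl.sys"):
                findings.append(Finding("service:NTAKRNL", evidence))  # dropped driver service
        elif kind == "regkey":
            if norm_key(rec["key"]) == norm_key(BHO_KEY):
                findings.append(Finding("bho:" + BHO_CLSID, rec["key"]))
        elif kind == "file":
            directory, _, fname = expand(rec["path"], windows_dir).rpartition("\\")
            if fname in expected_files.get(directory, ()):  # name AND directory must match
                findings.append(Finding("file:" + fname, rec["path"]))
        elif kind == "mutex" and rec["name"] == MUTEX:
            findings.append(Finding("mutex:" + MUTEX, rec["name"]))
    return findings


def verdict(findings) -> bool:
    """True when at least two distinct indicator families corroborate each other;
    a lone generic hit such as Setup.exe in the Windows folder is not enough."""
    return len({f.indicator.split(":", 1)[0] for f in findings}) >= 2


SAMPLE_RECORDS = [  # constructed host artifacts: page indicators mixed with benign noise
    {"type": "regvalue", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Serviço de Drivers", "data": r"C:\Windows\drvsvc.exe"},
    {"type": "regvalue", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "regkey", "key": BHO_KEY},
    {"type": "regvalue", "key": SERVICE_KEY, "name": "ImagePath",
     "data": r"C:\Windows\System32\drivers\ntakrnl.sys"},
    {"type": "file", "path": r"C:\Windows\wmiprevse.exe"},
    {"type": "file", "path": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},  # genuine WMI host, must not match
    {"type": "mutex", "name": MUTEX},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_RECORDS)
    for h in hits:
        print(f"[{h.indicator}] {h.evidence}")
    print("Bancos.MV indicators corroborated:", verdict(hits))
```

Matching is done on the full directory as well as the file name so that the look-alike name wmiprevse.exe is distinguished from the legitimate WmiPrvSE.exe under System32\wbem, and the verdict requires two independent indicator families because Setup.exe alone is a common benign file name.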

    Analysis by Patrik Vicol

    Last update 12 June 2009

     
