

First posted on 26 June 2012.
Source: Microsoft

Aliases :

Trojan:BAT/Bancos.C is also known as TR/Startup.H (Avira).

Explanation :

Trojan:BAT/Bancos.C is a trojan that lowers security by changing settings and deleting files on your computer.


This trojan may be installed by a trojan dropper named "" or similar. When the trojan dropper is run, it drops a copy of itself as "cftmon.exe" in the temporary files folder. The dropped copy is then run; it decompresses and runs a batch script file named "ctfmon.bat", which is detected as Trojan:BAT/Bancos.C.


Lowers computer security

Trojan:BAT/Bancos.C lowers the security of your computer by turning off system alerts that would normally occur for the following security scenarios:

  • Antivirus is disabled
  • Firewall is disabled
  • Automatic Windows updates are disabled

The trojan disables the creation of restore points, which limits the usefulness of System Restore on your computer. It also turns off the system notifications that alert you when a program tries to make certain changes to the computer.

Trojan:BAT/Bancos.C may modify DNS settings and may make other changes that allow malicious Java applets to run.

Deletes security files

Trojan:BAT/Bancos.C attempts to delete the following files which are components of "scpVista", an anti-fraud security application developed by Banco Bradesco, a Brazilian financial services firm:

  • %windir%\system32\scpVista.exe
  • %windir%\system32\scpLIB.dll
  • %windir%\system32\scpMIB.dll
  • %windir%\system32\scpsssh2.dll
  • %ProgramFiles%\Scpad\scpLIB.dll
  • %ProgramFiles%\Scpad\scpMIB.dll
  • %ProgramFiles%\Scpad\scpsssh2.dll
  • %ProgramFiles%\Scpad\scpIBCfg.bin

The trojan also removes the following directory related to "scpVista":

  • %ProgramFiles%\scpad

Contacts a remote server

This trojan sends your user name and computer name to a website named "" to report its installation.

Additional information

This trojan modifies your computer's system registry to perform the following actions:

  • Disable UAC notifications
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "EnableLUA"
    To data: 0
  • Start the trojan at each Windows start
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    To data: "C:\Windows\system32\userinit.exe,%temp%\ctfmon.exe"
  • Turn off system notifications for disabled antivirus, firewall and automatic updates
    In subkey: HKLM\Software\Microsoft\Security Center
    Sets values: "AntiVirusDisableNotify", "FirewallDisableNotify" & "UpdatesDisableNotify"
    To data: 1
  • Turn off creation of system restore points
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Sets value: "DisableSR"
    To data: 1
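
The registry changes listed above can be checked offline in saved `reg query` output. The following Python is an added example, not part of the original entry or of Microsoft's tooling; the function names and the sample text are constructed for illustration. The Userinit check goes beyond the single ctfmon.exe case on this page and flags any entry other than the system32 userinit.exe.

```python
import re

# Registry changes listed on this page: (subkey, value name, DWORD data the trojan sets).
BASE = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\"
INDICATORS = [(BASE + r"Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
              (BASE + r"Windows\CurrentVersion\Internet Settings", "DisableSR", 1)]
INDICATORS += [(BASE + "Security Center", name, 1) for name in
               ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")]
WINLOGON = BASE + r"Windows NT\CurrentVersion\Winlogon"
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Parse `reg query` output into {(key, value name): (type, data)}, names lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
        elif key and (m := VALUE_LINE.match(line)):
            values[(key, m.group(1).lower())] = (m.group(2), m.group(3).strip())
    return values

def find_tampering(text):
    """Return the sorted value names whose data matches the changes this page lists."""
    values, hits = parse_reg_query(text), []
    for key, name, bad in INDICATORS:
        reg_type, data = values.get((key.lower(), name.lower()), (None, None))
        if reg_type == "REG_DWORD" and int(data, 16) == bad:
            hits.append(name)
    _, userinit = values.get((WINLOGON.lower(), "userinit"), (None, ""))
    # Assumption: stock data is "C:\Windows\system32\userinit.exe,"; any other entry is flagged.
    extras = [p for p in userinit.split(",")
              if p.strip() and not p.strip().lower().endswith("\\system32\\userinit.exe")]
    if extras:
        hits.append("Userinit")
    return sorted(hits)

# Constructed sample in `reg query` output format (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Local\Temp\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x0
"""
print(find_tampering(SAMPLE))
```

A hit on any single value is only a lead: EnableLUA set to 0, for instance, can also be an administrator's choice, so weigh the hits together with the file indicators above.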

Analysis by Jeong Mun

Last update 26 June 2012


