Home / malwarePDF  

TrojanSpy:Win32/Bancos.VN


First posted on 12 November 2010.
Source: SecurityHome

Aliases :

TrojanSpy:Win32/Bancos.VN is also known as Trojan-Downloader.Win32.Banload.babw (Kaspersky), Trojan.DL.Banload.BNME (VirusBuster), Trojan horse Downloader.Banload.BAKU (AVG), Trojan-Downloader.Win32.Homa (Ikarus), Trj/Nabload.DSI (Panda).

Explanation :

TrojanSpy:Win32/Bancos.VN is a variant of Win32/Bancos - a family of data-stealing trojans that captures online banking credentials, such as account user names and passwords, and relays the captured information to a remote attacker.
Top

TrojanSpy:Win32/Bancos.VN is a variant of Win32/Bancos - a family of data-stealing trojans that captures online banking credentials, such as account user names and passwords, and relays the captured information to a remote attacker. Installation When run, TrojanSpy:Win32/Bancos.VN creates a folder as the following: C:\MessengerPlus It is installed as C:\MessengerPlus\wmplayer.exe,and makes the following registry modifications to ensure it executes at Windows start: In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "wmplayer" With data: "C:\MessengerPlus \wmplayer.exe" Payload Lowers security settings TrojanSpy:Win32/Bancos.VN lowers the security settings on the infected computer by making the following registry modifications: In subkey: HKCU\Software\Microsoft\Internet Explorer\Download Sets value: "CheckExeSignatures" With data: "no" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments Sets value: "SaveZoneInformation" With data: "00000001" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Sets value: "LowRiskFileTypes" With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;" Opens an Internet Explorer browser TrojanSpy:Win32/Bancos.VN opens an Internet Explorer window with the following address: hxxp://www.youtube.com/watch?v=tkFQS92d6gw Downloads and executes arbitrary files TrojanSpy:Win32/Bancos.VN opens a hidden Internet Explorer browser. It may contact a remote server to download other DLL components of TrojanSpy:Win32/Bancos.

Analysis by Wei Li

Last update 12 November 2010

 

TOP

Malware :

Family: