
TrojanSpy:Win32/Bancos.gen!A


First posted on 09 February 2009.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Bancos.gen!A is also known as Win-Trojan/Bancos.479720 (AhnLab), Win32/Bancos.IVV (CA), Trojan-Spy.Win32.Bancos.apq (Kaspersky), Spy-Agent.cj.gen.h (McAfee), W32/Banker.CDRQ (Norman), Mal/Emogen-T (Sophos), Trojan.Banker.Delf (Sunbelt Software), Infostealer.Bancos (Symantec), TSPY_BANKER.YY (Trend Micro).

Explanation:

TrojanSpy:Win32/Bancos.gen!A is a password-stealing trojan that targets specific online banking web sites. Captured credentials may be sent via SMTP e-mail to a specified e-mail address.

Symptoms
System Changes
The following system changes may indicate the presence of Trojan:Win32/Bancos.gen!A:

  • Presence of the file <system folder>\explori.exe
  • Presence of this registry value and data:
    Adds value: "explorer"
    With data: "<system folder>\explori.exe"
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run



    Installation
    This trojan may be installed by a dropper or other malicious software, and may be present as the file '<system folder>\explori.exe'. The registry is modified to execute the trojan copy at each Windows start:
    Adds value: "explorer"
    With data: "<system folder>\explori.exe"
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Payload
    Steals Sensitive Data
    Win32/Bancos.gen!A may monitor web pages visited by the affected user and capture logon credentials for specific online financial sites such as the following:
  • bradesco.com.br
  • bb.com.br
  • bancobrasil.com.br
  • nossacaixa.com.br

    Modifies System Security Settings
    Win32/Bancos.gen!A may lower Windows security by adding extensions of "high-risk" file types to the "low-risk" category via the registry. For more information about high-risk and low-risk file types, view this Microsoft Help & Support article, KB883260.
    Modifies value: "LowRiskFileTypes"
    With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
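    As an added example (not part of the original write-up), the following Python check parses a constructed .reg-style export for the two system changes described above: a Run value named "explorer" that launches explori.exe, and executable extensions demoted to LowRiskFileTypes. The set of high-risk extensions is an assumed subset; the export text is constructed sample data.

```python
import re

# Assumed subset of extensions Windows treats as high-risk (see KB883260).
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi",
                         ".scr", ".pif", ".vbs", ".js"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ASSOC_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"

# Constructed .reg export mimicking the changes described in the write-up.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"explorer"="C:\\Windows\\System32\\explori.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path(lowercase): {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes as "\\"; unescape to a real path.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_indicators(reg_text):
    """Return findings matching the Bancos.gen!A system changes, in a stable order."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # Autorun value "explorer" pointing at explori.exe, a lookalike of explorer.exe.
        if name.lower() == "explorer" and data.lower().endswith("explori.exe"):
            findings.append(f"autorun: {name} -> {data}")
    low_risk = keys.get(ASSOC_KEY.lower(), {}).get("LowRiskFileTypes", "")
    demoted = sorted(e for e in low_risk.lower().split(";") if e in EXECUTABLE_EXTENSIONS)
    if demoted:
        findings.append("low-risk demotion: " + ";".join(demoted))
    return findings
```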

    Analysis by Andrei Florin Saygo

    Last update 09 February 2009
