
TrojanSpy:Win32/Bancos.RA


First posted on 12 January 2010.
Source: SecurityHome

Aliases :

TrojanSpy:Win32/Bancos.RA is also known as Trojan-Banker.Win32.Delf.aj (Kaspersky), W32/Banker.FAQK (Norman), TR/Spy.Banker.217088.4 (Avira), Trojan.Spy.Banker.ACDO (BitDefender), Win32/Spy.Banbra.NWZ (ESET), TROJ_BANKER.MSZ (Trend Micro).

Explanation :

TrojanSpy:Win32/Bancos.RA is a trojan that monitors the system to check if the user visits an online banking Web site and attempts to steal sensitive information. If this occurs, the trojan then sends information from the site to a remote attacker via e-mail. It also attempts to download a file via FTP from a certain IP address.

Installation

Upon execution, TrojanSpy:Win32/Bancos.RA displays a fake online banking-related progress screen. It also contacts the Web site "novossim.com" to report successful infection of the system.

Payload

Steals sensitive information

TrojanSpy:Win32/Bancos.RA monitors the system to check if the user visits the banking Web site "bb.com.br". It sends sensitive information from the site via e-mail to an address hosted by "novossim.com".

Downloads and executes arbitrary files

TrojanSpy:Win32/Bancos.RA attempts to connect to the IP address "69.162.84.133" to download a file via FTP as "c:\windows\csrss.exe". It also attempts to execute this file. At the time of this writing, the IP address is unavailable. Note that the file name "csrss.exe" is also used by a legitimate Windows file, which is located by default in the Windows system folder.
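The behaviours above give a defender three concrete things to look for: a csrss.exe outside the Windows system folder, contact with novossim.com, and traffic to 69.162.84.133. The following is an added triage example, not part of the original analysis; the event line format, the sample events and the set of legitimate csrss.exe directories are constructed assumptions for illustration.

```python
"""Added detection example for the indicators described in this entry.
Indicators (domain, IP, dropped path) come from the write-up; the
event-line format and sample events below are constructed."""
import ntpath
import re
from typing import Dict, List

REPORT_DOMAIN = "novossim.com"          # infection report / mail drop host
FTP_DROP_HOST = "69.162.84.133"         # FTP source of c:\windows\csrss.exe
DROPPED_NAME = "csrss.exe"
# Assumption: default Windows layout; the genuine csrss.exe lives here.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_csrss(path: str) -> bool:
    """True when a file named csrss.exe sits anywhere but the system folder."""
    directory, name = ntpath.split(path.strip().lower())
    return name == DROPPED_NAME and directory not in LEGIT_DIRS


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per matching event. Constructed line formats:
    'FILE <path>', 'DNS <hostname>', 'NET <proto> <dst_ip>:<port>'."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        parts = line.strip().split(maxsplit=1)
        if len(parts) != 2:
            continue                      # malformed or empty line
        kind, rest = parts
        if kind == "FILE" and suspicious_csrss(rest):
            hits.append({"rule": "csrss_outside_system_folder", "value": rest})
        elif kind == "DNS":
            host = rest.lower().rstrip(".")
            if host == REPORT_DOMAIN or host.endswith("." + REPORT_DOMAIN):
                hits.append({"rule": "contact_report_domain", "value": host})
        elif kind == "NET":
            m = re.match(r"(\w+)\s+([\d.]+):(\d+)$", rest)
            if m and m.group(2) == FTP_DROP_HOST:
                hits.append({"rule": "contact_ftp_drop_host", "value": rest})
    return hits


# Constructed sample telemetry: two benign lines, three matching the entry.
SAMPLE_EVENTS = [
    r"FILE C:\Windows\System32\csrss.exe",      # legitimate location
    r"FILE c:\windows\csrss.exe",               # dropped file from the entry
    "DNS mail.novossim.com",                    # report / mail host
    "DNS www.example.org",                      # unrelated lookup
    "NET ftp 69.162.84.133:21",                 # FTP fetch of the dropper
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['rule']}: {hit['value']}")
```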

Analysis by Matt McCormack

Last update 12 January 2010
