Encyclopedia entry
Updated: Feb 19, 2009 | Published: Aug 23, 2006
Aliases: Not available
Alert Level: High
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Summary
Win32/Bancos is a family of data-stealing Trojans that captures users' online banking credentials such as account login names and passwords. These Trojans send the captured information to the attacker by e-mail, or by uploading to an attacker's FTP site or posting to an attacker's Web site. The Win32/Bancos Trojans are written in Visual Basic and the majority target customers of Brazilian banks.
Technical Information (Analysis)
Win32/Bancos is a family of data-stealing Trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker.
Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.
Many Win32/Bancos Trojans monitor open Web-browser windows looking for bank names in the title bar or bank URLs in the address bar. The Trojans may also log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Bancos may also replace or supplement legitimate bank Web pages with fake Web pages disguised to look like the original. A sample of the fake Web page is as follows:
The above text roughly translates to:
Dear customer,
A new fix for the registration of computers fixes a critical level of the client identification system that can cause data loss and access problems.
The update is simple and fast, just click the link below and then click Save and run immediately after, wait a few seconds and then follow the installation instructions,
http://<malware domain>/cadastramento_de_computadores.exe
If the link above does not work, click here to download.
Attention: All users must register and update the registration of computers. If the correction fails, your computer will be blocked and unlock can only be carried out in agencies of the box.
If you have questions, call the help desk box <telephone number>
Win32/Bancos Trojans send the captured banking credentials to the attacker by e-mail, by uploading them to an attacker's FTP site, or by posting them to a Web site.
A Win32/Bancos Trojan may copy itself to various folders on the infected computer, such as %windir% or <system folder>, and also drop other files there. The Trojan executable file name may contain the string 'cartao', which is Portuguese for 'card'. A Win32/Bancos Trojan may also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Some Win32/Bancos Trojans may also try to disable security-related software such as antivirus and firewall software.
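The file-name and autorun traits described above can be checked during triage. The following is an added example, not part of the original entry and not Microsoft's detection logic: it parses `reg query` output for the Run key and flags entries whose image name contains 'cartao' or whose image sits directly in %windir% or the system folder. The sample output is constructed, and the `C:\Windows` path and function names are assumptions; matches are leads for review, since legitimate programs also start from the system folder.

```python
import ntpath
import re

# Constructed `reg query` output for the Run key named above (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
    WinUpd    REG_SZ    C:\WINDOWS\cartao_update.exe
    svcmon    REG_EXPAND_SZ    %windir%\system32\svcmon32.exe -k
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
ENTRY = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
WINDIR = r"C:\Windows"  # assumption: default Windows install path
DROP_DIRS = {WINDIR.lower(), (WINDIR + r"\system32").lower()}


def image_path(command):
    """Return the executable path from a Run-key command line."""
    command = re.sub(r"%(windir|systemroot)%", lambda m: WINDIR,
                     command.strip(), flags=re.I)
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r".+?\.(exe|scr|com|bat|pif)\b", command, flags=re.I)
    return m.group(0) if m else command.split(" ", 1)[0]


def triage(reg_output):
    """Return (value name, image path, reasons) for entries worth a closer look."""
    findings = []
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        path = image_path(m["data"])
        reasons = []
        if "cartao" in ntpath.basename(path).lower():
            reasons.append("file name contains 'cartao'")
        if ntpath.dirname(path).lower() in DROP_DIRS:
            reasons.append("image sits directly in %windir% or the system folder")
        if reasons:
            findings.append((m["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```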
Prevention
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to download future Microsoft security updates automatically while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.