TrojanProxy:JS/Banker.AC


TrojanProxy:JS/Banker.AC is a JavaScript trojan that steals your personal information, such as your logon details, from certain Brazilian banking websites.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

TrojanProxy:JS/Banker.AC attempts to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Threat behavior

Installation

TrojanProxy:JS/Banker.AC is dropped and installed as "%SystemDrive%\prefs.js" by other malware, such as TrojanProxy:Win32/Banker.AT.

Note: %SystemDrive% refers to a variable location that is determined by the malware by querying the operating system. The drive letter for the System Drive in Windows 2000, XP, 2003, Vista, 7, and 8 is "C:".

Payload

Steals sensitive information

TrojanProxy:JS/Banker.AC intercepts data sent between your computer and certain Brazilian banking websites. The data it intercepts and steals could be your account login details, such as your username and password, and any other information you input on the site.

We have observed TrojanProxy:JS/Banker.AC monitoring the following sites:

Additional information

TrojanProxy:JS/Banker.AC redirects traffic requests from your computer to the banking sites through a proxy server with either of the following IP addresses, using TCP port 80:

  • 187.109.161.24
  • 187.109.167.29
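
As an added triage check that is not part of the Microsoft entry, the following Python snippet flags a JavaScript file whose PROXY directives point at the proxy addresses above on TCP port 80. It assumes the dropped script is a PAC-style proxy auto-config file (the entry does not state the script's format), and the sample content is constructed.

```python
"""Triage helper: flag a JavaScript file that routes traffic through the proxy
addresses attributed to TrojanProxy:JS/Banker.AC."""
import re
from pathlib import Path

# Proxy endpoints and TCP port named in the encyclopedia entry.
KNOWN_PROXIES = {"187.109.161.24", "187.109.167.29"}
KNOWN_PORT = 80

# Assumption: the dropped file is a PAC-style script returning "PROXY host:port"
# directives; the entry itself does not state the script's format.
PROXY_DIRECTIVE = re.compile(r'PROXY\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)', re.IGNORECASE)


def find_proxy_directives(js_text):
    """Return every (ip, port) pair named in a PROXY directive of the script."""
    return [(ip, int(port)) for ip, port in PROXY_DIRECTIVE.findall(js_text)]


def matches_banker_ac(js_text):
    """True if the script routes any request through a proxy listed for this threat."""
    return any(ip in KNOWN_PROXIES and port == KNOWN_PORT
               for ip, port in find_proxy_directives(js_text))


def scan_file(path):
    """Scan one file on disk; None if it does not exist, else the match verdict."""
    p = Path(path)
    if not p.is_file():
        return None
    return matches_banker_ac(p.read_text(errors="replace"))


# Constructed sample in the style of a proxy auto-config script (not a real capture).
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.example-bank.test")) { return "PROXY 187.109.167.29:80"; }
    return "DIRECT";
}
"""

if __name__ == "__main__":
    print(find_proxy_directives(SAMPLE_PAC))   # [('187.109.167.29', 80)]
    print(matches_banker_ac(SAMPLE_PAC))       # True
    # Default drop location named in the entry; assumes a Windows host.
    print(scan_file(r"C:\prefs.js"))
```
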

Related encyclopedia entries

TrojanProxy:Win32/Banker.AT

Analysis by Jireh Sanico


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.139.43.0
Latest detected by definition: 1.139.43.0 and higher
First detected on: Oct 18, 2012
This entry was first published on: Oct 18, 2012
This entry was updated on: Nov 07, 2012

This threat is also detected as:
  • JS/ProxyChanger.P (Avira)
  • Virus.Proxy (Ikarus)
  • Trojan.JS.Banker.AZ (VirusBuster)
  • Trojan.JS.Banker.AM (BitDefender)