TrojanSpy:Win32/Bancos.gen!A


TrojanSpy:Win32/Bancos.gen!A is a password-stealing trojan that targets specific online banking web sites. Captured credentials may be sent via SMTP e-mail to an e-mail address chosen by the attacker.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

TrojanSpy:Win32/Bancos.gen!A is a password-stealing trojan that targets specific online banking web sites. Captured credentials may be sent via SMTP e-mail to an e-mail address chosen by the attacker.
Installation
This trojan may be installed by a dropper or other malicious software and may be present as the file '<system folder>\explori.exe'. The registry is modified so that this copy of the trojan runs at each Windows start (note that the value name "explorer" mimics the legitimate Windows shell, while the data points at the misspelled file name):
Adds value: "explorer"
With data: "<system folder>\explori.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Steals Sensitive Data
Win32/Bancos.gen!A may monitor web pages visited by the affected user and capture logon credentials for specific online financial sites such as the following:
  • bradesco.com.br
  • bb.com.br
  • bancobrasil.com.br
  • nossacaixa.com.br
 
Modifies System Security Settings
Win32/Bancos.gen!A may lower Windows security by adding extensions of "high-risk" file types (executables, scripts, installers and registry files among them) to the "low-risk" category via the registry. Windows Attachment Manager then no longer warns the user before opening or running files of these types. For more information about high-risk and low-risk file types, see Microsoft Help & Support article KB883260.
 
Modifies value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
 
Analysis by Andrei Florin Saygo

Symptoms

System Changes
The following system changes may indicate the presence of TrojanSpy:Win32/Bancos.gen!A:
  • Presence of the file <system folder>\explori.exe
  • Presence of this registry value and data:
    Adds value: "explorer"
    With data: "<system folder>\explori.exe"
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
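The indicators above, and the LowRiskFileTypes change described under "Modifies System Security Settings", can be checked on a suspect host with the following read-only PowerShell script. This is an added example and is not part of the Microsoft write-up; it assumes the file name, registry value names and extension list given in this entry, and it only reports what it finds (no cleanup is attempted, in line with the advice to run a full scan rather than remove the threat manually).

```powershell
# Added example (not from the Microsoft write-up): reports the indicators this
# entry lists for TrojanSpy:Win32/Bancos.gen!A. Run from an elevated PowerShell
# session on the suspect host. It reads only and changes nothing.

$systemFolder = [Environment]::SystemDirectory          # e.g. C:\Windows\System32
$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$assocKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

# File types Windows treats as high-risk by default (KB883260). Seeing any of
# these in LowRiskFileTypes is suspect regardless of which malware put them there.
$execExtensions = @('.exe', '.bat', '.com', '.cmd', '.reg', '.msi', '.scr')

$findings = @()

# 1. Dropped file in the system folder (file name taken from this entry).
$dropped = Join-Path $systemFolder 'explori.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $hash)"
}

# 2. Autorun value "explorer" under HKLM\...\Run whose data names explori.exe.
#    The value name imitates the legitimate shell, so match on the data, not the name.
$runValue = Get-ItemProperty -Path $runKey -Name 'explorer' -ErrorAction SilentlyContinue
if ($runValue -and $runValue.explorer -match 'explori\.exe') {
    $findings += "Run key value 'explorer' = $($runValue.explorer)"
}

# 3. LowRiskFileTypes policy that lists executable extensions.
#    The trojan writes to HKCU, so this checks the currently logged-on user only;
#    a fleet-wide sweep would have to load each user's hive in turn.
$assoc = Get-ItemProperty -Path $assocKey -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue
if ($assoc) {
    $listed = $assoc.LowRiskFileTypes -split ';' |
              Where-Object { $_ } |
              ForEach-Object { $_.Trim().ToLower() }
    $bad = $listed | Where-Object { $execExtensions -contains $_ }
    if ($bad) {
        $findings += "LowRiskFileTypes lowers risk for: $($bad -join ', ')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bancos.gen!A indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Run a full scan with an up-to-date antivirus product; deleting these items by hand does not remove the dropper or other components that may be installed.'
}
```

Absence of these indicators does not clear the host: the file name and value name are what this detection's analysed samples used, and a dropper can change them. Treat the registry and file checks as triage to decide which machines to scan first, and keep the SHA256 of any file found for correlation with the vendor names listed at the end of this entry.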

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 07, 2008
This entry was updated on: May 26, 2010

This threat is also detected as:
  • Win-Trojan/Bancos.479720 (AhnLab)
  • Win32/Bancos.IVV (CA)
  • Trojan-Spy.Win32.Bancos.apq (Kaspersky)
  • Spy-Agent.cj.gen.h (McAfee)
  • W32/Banker.CDRQ (Norman)
  • Mal/Emogen-T (Sophos)
  • Trojan.Banker.Delf (Sunbelt Software)
  • Infostealer.Bancos (Symantec)
  • TSPY_BANKER.YY (Trend Micro)