 

TrojanSpy:Win32/Banker


Win32/Banker is a family of data-stealing Trojans. When Win32/Banker is installed on a computer, it can capture banking credentials such as account numbers and passwords from the user. The Trojan can then send the captured information to the attacker by various means. Many variants of Win32/Banker may appear as greeting card software. Most Win32/Banker variants target customers of Brazilian banks.

Threat behavior

Win32/Banker is a family of data-stealing Trojans that captures banking credentials such as account numbers and passwords from computer users. It then relays the captured information to the attacker. Most Win32/Banker variants target customers of Brazilian banks; some variants target customers of other banks.
 
Many Win32/Banker variants monitor open Web-browser windows for bank names in the title bar or bank URLs in the address bar. Many variants log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Banker may also replace or supplement legitimate bank Web pages with illegitimate Web pages.
 
Win32/Banker variants use various means of sending captured banking credentials to the attacker, including sending an e-mail to the attacker, uploading credentials to an attacker's FTP site, and posting credentials to an attacker's HTTP site.
 
Many variants of Win32/Banker copy themselves to various folders on the infected computer, such as <Windows folder> and <system folder>, and also drop other files there. The Trojan executable file may contain the string "cartao" (which is Portuguese for the English word "card") and may have the file extension .exe, .pif, or .scr. Win32/Banker may also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Some variants may also try to disable security-related software such as antivirus and firewall software.
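The traits in the paragraph above can be turned into a triage check over exported Run-key values. This is an added example, not Microsoft's detection logic: the function names, the C:\Windows default and the sample values are assumptions constructed for illustration. Because "cartao" is an ordinary Portuguese word and variants only "may" carry these traits, matches are leads to examine, not verdicts.

```python
import ntpath
import re

MARKER = "cartao"                      # filename string named in the write-up
EXTENSIONS = {".exe", ".pif", ".scr"}  # extensions named in the write-up
WINDOWS_DIR = r"C:\Windows"            # assumption: default <Windows folder>

# Constructed sample data: (value name, command line) pairs as they would
# appear under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Cartao", r'"C:\WINDOWS\cartao_virtual.scr" /s'),
    ("Updater", r"C:\Program Files\Vendor App\update.exe /silent"),
    ("msn", r"%SystemRoot%\system32\Cartao2008.exe"),
    ("Cards", r"C:\Users\ana\Desktop\meu cartao.pif"),
]

def image_path(command):
    """Extract the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):                  # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    # Unquoted: the path runs up to the first listed extension before a space/end.
    m = re.match(r"(.+?\.(?:exe|pif|scr))(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def expand(path):
    """Resolve the two environment variables that point at the Windows folder."""
    return re.sub(r"%(?:windir|systemroot)%", lambda _: WINDOWS_DIR, path, flags=re.I)

def triage(run_values):
    """Return {value name: [reasons]} for entries matching the described traits."""
    leads = {}
    win = WINDOWS_DIR.lower()
    for name, command in run_values:
        folder, filename = ntpath.split(expand(image_path(command)).lower())
        ext = ntpath.splitext(filename)[1]
        if MARKER in filename and ext in EXTENSIONS:
            reasons = [f"filename contains '{MARKER}' with {ext} extension"]
            if folder == win or folder.startswith(win + "\\"):
                reasons.append("stored under the Windows folder")
            leads[name] = reasons
    return leads

if __name__ == "__main__":
    for value, reasons in triage(SAMPLE_RUN_VALUES).items():
        print(value, "->", "; ".join(reasons))
```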

Symptoms

Many Win32/Banker variants may appear as greeting card software with a filename that contains the string "cartao" (which is Portuguese for the English word "card") and may have the file extension .exe, .pif, or .scr.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.179.1844.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 21, 2007
This entry was updated on: Apr 21, 2007

This threat is also detected as:
No known aliases