Win32/Banker is a family of data-stealing Trojans that captures banking credentials such as account numbers and passwords from computer users. It then relays the captured information to the attacker.
Most Win32/Banker variants target customers of Brazilian banks; some variants target customers of other banks.
Many Win32/Banker variants monitor open Web-browser windows for bank names in the title bar or bank URLs in the address bar. Many variants log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Banker may also replace or supplement legitimate bank Web pages with illegitimate Web pages.
Win32/Banker variants use various means of sending captured banking credentials to the attacker, including sending an e-mail to the attacker, uploading credentials to an attacker's FTP site, and posting credentials to an attacker's HTTP site.
Many variants of Win32/Banker copy themselves to various folders on the infected computer, such as <Windows folder> and <system folder>, and also drop other files there. The Trojan executable file may contain the string "cartao" (which is Portuguese for the English word "card") and may have file extension .exe, .pif, or .scr. Win32/Banker may also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Some variants may also try to disable security-related software such as antivirus and firewall software.
Many Win32/Banker variants may appear as greeting card software with a filename that contains the string "cartao" (which is Portuguese for the English word "card") and may have file extension .exe, .pif, or .scr.
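The persistence and file-naming indicators above (an autorun entry under the HKLM Run key pointing at a .exe, .pif or .scr file in the Windows or system folder whose name contains "cartao") can be turned into a simple triage check. The script below is an added example, not code from Microsoft or from the malware family: it parses a constructed dump in the layout of `reg query` output and reports which Run values match those indicators. The folder list is an assumption (the page says <Windows folder> and <system folder>; on a default install these are C:\Windows and C:\Windows\System32), and the sample entries, value names and paths are constructed for illustration.

```python
"""Triage the HKLM Run key for the Win32/Banker indicators described on the page.

Added example (not Microsoft's or the family's own code). Input is text in the
layout printed by `reg query HKLM\...\Run`; output is the set of value names
whose target matches the page's indicators, with the reason for each.
"""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators from the page. The folder list is an assumption: the page names
# "<Windows folder>" and "<system folder>", which on a default install are
# C:\Windows and C:\Windows\System32.
NAME_FRAGMENT = "cartao"
UNUSUAL_AUTORUN_EXTENSIONS = {".pif", ".scr"}   # .exe alone is not suspicious
DROP_FOLDERS = (r"c:\windows", r"c:\windows\system32")

# Constructed sample in the layout of `reg query` output. The first two values
# stand in for ordinary autoruns; the last two are constructed to match the
# indicators and are not real malware file names taken from the page.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cartao            REG_SZ           C:\WINDOWS\cartao.scr
    msupdate          REG_SZ           C:\Windows\System32\CARTAO_virtual.pif
"""

# Value lines are indented: <name> <REG_TYPE> <data>
VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")


def extract_image_path(command):
    """Return the executable path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def expand_windir(path):
    """Expand %windir% (the only variable handled here) so folder checks work."""
    return re.sub(r"%windir%", r"C:\\Windows", path, flags=re.IGNORECASE)


def parse_run_values(text):
    """Yield (value_name, data) pairs from reg-query style text."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            entries.append((name, data))
    return entries


def score_entry(value_name, data):
    """Return the list of page indicators that one Run value matches."""
    path = expand_windir(extract_image_path(data)).lower()
    folder, base = ntpath.split(path)
    ext = ntpath.splitext(base)[1]
    reasons = []
    if NAME_FRAGMENT in base:
        reasons.append('file name contains "cartao"')
    if ext in UNUSUAL_AUTORUN_EXTENSIONS:
        reasons.append(f"autorun target has {ext} extension")
    # Location alone is normal; it only adds weight once another indicator hit.
    if reasons and folder in DROP_FOLDERS:
        reasons.append("executable sits in the Windows or system folder")
    return reasons


def flag_autorun_entries(text):
    """Map each suspicious value name in the dump to its list of reasons."""
    flagged = {}
    for name, data in parse_run_values(text):
        reasons = score_entry(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_autorun_entries(SAMPLE_REG_QUERY).items():
        print(f"{RUN_KEY}\\{name}: " + "; ".join(reasons))
```

On a live system the input would come from `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent), and a hit should lead to hashing and quarantining the referenced file rather than just deleting the registry value, since the page notes the Trojan also drops other files in those folders.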