TrojanSpy:Win32/Bancos


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jun 10, 2009

Aliases
  • Win-Trojan/Bancos (AhnLab)
  • W32/Bancos (Command)
  • Trojan horse PSW.Banker3 (AVG)
  • Trojan.Spy.Banker (BitDefender)
  • Win32/Bancos (CA)
  • Trojan-Banker.Win32.Bancos (Kaspersky)
  • PWS-Banker.gen.i (McAfee)
  • Trj/Bancos (Panda)
  • Troj/Banker (Sophos)
  • Infostealer.Bancos (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.149.1902.0
Released: May 14, 2013
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008



Summary

TrojanSpy:Win32/Bancos is a family of password-stealing trojans that target specific online banking Web sites, most commonly those of banks located in Brazil. Depending on the variant, captured credentials may be sent to the attacker by e-mail, by FTP, or to a remote server over some other protocol.



Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.



Technical Information (Analysis)

Installation

This trojan may be installed by a trojan dropper or other malicious software, and is frequently installed when the user visits a Web site that an attacker has modified, including sites the user already trusts. Variants of this trojan frequently impersonate the Web sites of the targeted online banking systems in order to trick the user into entering logon credentials or downloading other malware.

The Bancos family frequently modifies the registry within the following subkeys so that the trojan executes at each Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

In the wild, this trojan has been observed to use the following file names:

Windows32.exe
Win.exe
Arquivos.exe
sxe[0-9].tmp
sound.exe
service.exe
winupdbc.exe

Payload

Steals Sensitive Data

Win32/Bancos may monitor Web pages visited by the affected user and capture logon credentials for specific online financial sites, such as the following:

bradesco.com.br
bb.com.br
bancobrasil.com.br
nossacaixa.com.br
cbp.3dsolution.com.br

The information sent to the attacker may contain the following types of sensitive data:

Bank name
IP address
Username and password used to log in to the site
MAC address

Terminates Security Software

Win32/Bancos may terminate the processes of several security products, such as the following:

nod32krn.exe
nod32kui.exe
Kav.exe
McShield.exe
avgamsvr.exe
ccapp.exe
Lowers Windows Security

Win32/Bancos may lower Windows security by adding the extensions of "high-risk" file types (executables, scripts, installers and registry files) to the registry list of "low-risk" types, so that Windows no longer shows its security warning before opening downloaded files of those types. It does this by modifying the following registry data:

Modifies value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
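A defender-side audit of the two registry indicators described above (the LowRiskFileTypes policy and the Run/RunOnce persistence keys), written as an added PowerShell example that is not part of this entry. It assumes an elevated PowerShell 5.1 or later session on the host being checked, and goes slightly beyond the entry by also checking the HKLM copy of the Associations policy, which Windows honours in the same way.

```powershell
# Added example, not from the Microsoft entry: audit a host for the registry
# indicators described above. Assumes an elevated PowerShell 5.1+ session.
# High-risk extensions the entry says Bancos re-labels as "low risk".
$HighRisk = '.exe', '.bat', '.com', '.cmd', '.reg', '.msi', '.scr'
# File names the entry lists as observed in the wild (sxe[0-9].tmp as a pattern).
$KnownNames = 'Windows32.exe', 'Win.exe', 'Arquivos.exe', 'sound.exe', 'service.exe', 'winupdbc.exe'
$KnownPattern = '^sxe[0-9]\.tmp$'

function Test-LowRiskFileTypes {
    # Flags high-risk extensions that the Attachment Manager policy treats as low risk.
    # The entry names HKCU; HKLM is checked too because the same policy value exists there.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
        $data = (Get-ItemProperty -Path $key -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
        if (-not $data) { continue }
        $listed = $data.Split(';', [StringSplitOptions]::RemoveEmptyEntries) | ForEach-Object { $_.Trim().ToLower() }
        $bad = @($listed | Where-Object { $HighRisk -contains $_ })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{ Hive = $hive; Finding = 'LowRiskFileTypes contains high-risk types'; Detail = ($bad -join ';') }
        }
    }
}

function Get-CommandFileName([string]$cmd) {
    # Extracts the executable name from a Run-key command line, quoted or not.
    $path = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { $cmd.Trim().Split(' ')[0] }
    return [System.IO.Path]::GetFileName($path)
}

function Test-RunKeys {
    # Flags Run/RunOnce entries whose executable matches a file name from the entry.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
                $file = Get-CommandFileName ([string]$p.Value)
                if ($KnownNames -contains $file -or $file -match $KnownPattern) {
                    [pscustomobject]@{ Hive = $hive; Finding = "$sub value '$($p.Name)' runs $file"; Detail = [string]$p.Value }
                }
            }
        }
    }
}

$findings = @(Test-LowRiskFileTypes) + @(Test-RunKeys)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No Bancos indicators found in the checked keys.' }
```

A hit on either check is a reason to run the full-system scan recommended under Recovery rather than to edit the registry by hand, since the entry names only the most common file names and the trojan may be present under others.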
 
Analysis by Josh Phillips



Prevention




Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
