TrojanSpy:Win32/Banker.PW


TrojanSpy:Win32/Banker.PW is a trojan that attempts to download other Win32/Banker trojan variants. Win32/Banker is a trojan that captures logon credentials for user accounts of certain online banking Web sites.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

TrojanSpy:Win32/Banker.PW is a trojan that attempts to download other Win32/Banker trojan variants. Win32/Banker is a trojan that captures logon credentials for user accounts of certain online banking Web sites.
Installation
TrojanSpy:Win32/Banker.PW may be downloaded and run by other malware. One observed source for this trojan was a server at the IP address 64.62.181.43.
Payload
Downloads arbitrary files
When run, TrojanSpy:Win32/Banker.PW displays a message with the following text in Portuguese:

Erro ao abrir arquivo ou pasta

Não é possível abrir arquivo. O arquivo ou pasta está corrompido e ilegível.

In English: "Error opening file or folder. Cannot open file. The file or folder is corrupted and unreadable." The message gives the impression that the file could not be opened because it is corrupted or unreadable. The trojan then attempts to download files from the domain "poderosa10.gratix.com" and save them as the following:

C:\Arquivos de programas\DirectX.exe
C:\Arquivos de programas\reseta.exe

("Arquivos de programas" is the name of the Program Files folder on Portuguese-language Windows installations, so these hard-coded paths correspond to %ProgramFiles% on such a system.) At the time of this writing, the files were not available for analysis.
 
Analysis by Patrik Vicol

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The display of a message with the following text (Portuguese; in English, "Error opening file or folder. Cannot open file. The file or folder is corrupted and unreadable."):
    Erro ao abrir arquivo ou pasta
    Não é possível abrir arquivo. O arquivo ou pasta está corrompido e ilegível.
  • Alert notifications from installed antivirus software may be the only symptom(s).
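The indicators this entry gives (the download server IP address under Installation, the download domain and the two dropped-file paths under Payload) can be checked mechanically on a suspect host or against proxy and DNS logs. The script below is an added example written for this page, not code from Microsoft or from the original entry. Only the domain, the IP address and the file names come from the entry; the candidate Program Files directories, the log line format and the sample log lines are constructed assumptions.

```python
"""Triage helper for the TrojanSpy:Win32/Banker.PW indicators listed in this entry.

Added example; not part of the original encyclopedia entry. Only the domain,
IP address and dropped-file names come from the entry. The log format, the
candidate Program Files directories and the sample log lines are assumptions.
"""
import os
import re
from pathlib import Path

# Indicators taken from the entry above.
IOC_DOMAIN = "poderosa10.gratix.com"          # download domain named under Payload
IOC_IP = "64.62.181.43"                       # observed download server under Installation
DROPPED_FILES = ("DirectX.exe", "reseta.exe")  # file names written under Program Files

# Candidate Program Files directories (assumption): the English default plus the
# Portuguese-language folder name used by the hard-coded paths in the entry.
DEFAULT_PROGRAM_DIRS = (
    os.environ.get("ProgramFiles", r"C:\Program Files"),
    r"C:\Arquivos de programas",
)

# Match the domain (or any subdomain of it) as a whole label sequence: not
# preceded by a label character and not followed by another label, so
# "poderosa10.gratix.com.example" and "xpoderosa10.gratix.com" do not trigger.
_DOMAIN_RE = re.compile(r"(?i)(?<![\w-])" + re.escape(IOC_DOMAIN) + r"(?!\.?[\w-])")
# Match the IP address as a whole dotted quad (rejects 164.62.181.43 and 64.62.181.430).
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?!\.?\d)")


def find_dropped_files(program_dirs=DEFAULT_PROGRAM_DIRS):
    """Return full paths of the dropped files that exist in any candidate directory.

    Pass the directories of a mounted image to run this against a forensic copy.
    """
    hits = []
    for directory in program_dirs:
        for name in DROPPED_FILES:
            candidate = Path(directory) / name
            if candidate.is_file():
                hits.append(str(candidate))
    return hits


def scan_log_lines(lines):
    """Return (line_number, indicator, line) for each line naming the C2 domain or IP.

    Works on any text log (proxy, DNS, firewall): the line is searched, not
    parsed, so field order and layout do not matter.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if _DOMAIN_RE.search(line):
            hits.append((number, IOC_DOMAIN, line.rstrip()))
        elif _IP_RE.search(line):
            hits.append((number, IOC_IP, line.rstrip()))
    return hits


# Constructed sample proxy/DNS log lines (not real captures) so the script runs
# stand-alone. Line 4 is a deliberate look-alike domain that must not match.
SAMPLE_LOG = [
    "2010-03-16 10:01:02 192.0.2.15 GET http://poderosa10.gratix.com/DirectX.exe 200",
    "2010-03-16 10:01:05 192.0.2.15 GET http://www.example.com/index.html 200",
    "2010-03-16 10:02:11 192.0.2.20 CONNECT 64.62.181.43:80 200",
    "2010-03-16 10:02:30 192.0.2.20 GET http://poderosa10.gratix.com.example/ 404",
    "16-Mar-2010 10:03:00 client 192.0.2.21 query: cdn.poderosa10.gratix.com IN A",
]

if __name__ == "__main__":
    for path in find_dropped_files():
        print("dropped file present:", path)
    for number, indicator, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {indicator}: {line}")
```

The file check only tells you whether the dropped file names are present; because the entry gives no hashes for DirectX.exe or reseta.exe, a hit should be followed by a scan with an up-to-date antivirus product as described under "What to do now", not treated as confirmation on its own. The log scan is a plain indicator match, so feed it the raw proxy or DNS lines rather than a pre-filtered export.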

Prevention


Alert level: Severe
First detected by definition: 1.79.51.0
Latest detected by definition: 1.161.1182.0 and higher
First detected on: Mar 16, 2010
This entry was first published on: May 13, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Troja/Genome.116224.G (AhnLab)
  • TR/ATRAPS.Gen (Avira)
  • Trojan.Touch.275 (Dr.Web)
  • Trojan-Downloader.Win32.Genome.akfz (Kaspersky)
  • Downloader-ACH (McAfee)
  • DLoader.AHJIE (Norman)
  • PE_DLOADER.AABC (Trend Micro)