TrojanSpy:Win32/Banker.PW is a trojan that attempts to download other Win32/Banker
trojan variants. Win32/Banker is a trojan that captures logon credentials for user accounts of certain online banking Web sites.
TrojanSpy:Win32/Banker.PW may be downloaded and run by other malware. One observed source for this trojan was a server with the IP address 126.96.36.199.
Downloads arbitrary files
When run, TrojanSpy:Win32/Banker.PW displays a message box with the following Portuguese text:
Erro ao abrir arquivo ou pasta
Não é possível abrir arquivo. O arquivo ou pasta está corrompido e ilegível.
In English: "Error opening file or folder. Cannot open file. The file or folder is corrupted and unreadable." The message is a decoy: it gives the user a plausible reason why the file they just opened appeared to do nothing. The trojan then attempts to download files from the domain "poderosa10.gratix.com" and save them to the following locations:
C:\Arquivos de programas\DirectX.exe
C:\Arquivos de programas\reseta.exe
"Arquivos de programas" is the Program Files folder on a Portuguese-language Windows installation, which, together with the Portuguese decoy message, indicates that the trojan targets Portuguese-speaking users.
At the time of this writing, the files were not available for analysis.
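The write-up names three concrete indicators: the download domain, the observed source IP, and the two drop paths under Program Files. The following script, added here as an example and not part of the original analysis, scans proxy and file-create log lines for those indicators and ranks what a match means for the host. It goes slightly beyond the page by also matching the drop under an English-locale "Program Files" folder, since only the folder name changes with locale. The Squid-style and Sysmon-style log lines, the host names and the non-indicator IPs are constructed for illustration.

```python
"""Hunt for TrojanSpy:Win32/Banker.PW indicators in proxy and file-create logs.

Added example, not part of the original write-up. Log formats and sample
lines are constructed here for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators taken from the write-up.
DOWNLOAD_DOMAIN = "poderosa10.gratix.com"
SOURCE_IP = "126.96.36.199"          # one observed source of the dropper itself
DROPPED_NAMES = ("DirectX.exe", "reseta.exe")

# The write-up shows the Portuguese Program Files folder ("Arquivos de
# programas"). On an English-locale host the same drop would land under
# "Program Files", so match either folder name rather than the literal path
# (assumption: the trojan resolves the folder, not a hard-coded string).
_PROGRAM_FILES = r"[a-z]:\\(?:program files|arquivos de programas)\\"
_FILE_RES = {
    name: re.compile(_PROGRAM_FILES + re.escape(name.lower()) + r"(?![\w.])")
    for name in DROPPED_NAMES
}
# Guard both ends so 1126.96.36.199 or 126.96.36.1990 do not match.
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(SOURCE_IP) + r"(?![\d.])")


@dataclass
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "file"
    indicator: str
    line: str


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every indicator match, one Hit per (line, indicator)."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if DOWNLOAD_DOMAIN in low:
            hits.append(Hit(n, "domain", DOWNLOAD_DOMAIN, line))
        if _IP_RE.search(line):
            hits.append(Hit(n, "ip", SOURCE_IP, line))
        for name, rx in _FILE_RES.items():
            if rx.search(low):
                hits.append(Hit(n, "file", name, line))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Rank what the matches mean for the host.

    A dropped file under Program Files means the second-stage download
    succeeded. A domain or IP hit alone shows the dropper ran and reached
    out, but (as the write-up notes) the payload may not have been served.
    """
    kinds = {h.kind for h in hits}
    if "file" in kinds:
        return "payload-present"
    if "domain" in kinds or "ip" in kinds:
        return "download-attempted"
    return "clean"


# Constructed sample: two Squid-style access-log lines and three
# Sysmon-style FileCreate events. None of these come from the write-up.
SAMPLE_LOG = [
    "1168200000.101 212 10.1.2.7 TCP_MISS/200 61440 GET "
    "http://poderosa10.gratix.com/DirectX.exe - DIRECT/126.96.36.199 application/octet-stream",
    "1168200003.554 15 10.1.2.7 TCP_MISS/200 1200 GET "
    "http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "FileCreate Image=C:\\DOCUME~1\\user\\foto.exe "
    "TargetFilename=C:\\Arquivos de programas\\reseta.exe",
    "FileCreate Image=C:\\WINDOWS\\system32\\svchost.exe "
    "TargetFilename=C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-1A2B3C4D.pf",
    "FileCreate Image=C:\\WINDOWS\\explorer.exe "
    "TargetFilename=C:\\Program Files\\DirectX.exe",
]


def demo() -> Dict[str, object]:
    """Run the scanner over the constructed sample and return hits plus verdict."""
    hits = scan(SAMPLE_LOG)
    return {"hits": hits, "verdict": verdict(hits)}


if __name__ == "__main__":
    result = demo()
    for h in result["hits"]:
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    print("verdict:", result["verdict"])
```

Note that the URL in the first proxy line also ends in DirectX.exe but does not count as a file hit: only a path under a Program Files folder does, so a domain hit is not double-counted as evidence that the drop landed.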
Analysis by Patrik Vicol