Follow:

 

Win32/Bancos


Microsoft security software detects and removes this family of threats.
 
This family of data-stealing trojans can steal your online banking login details, such as your user names and passwords. They then send the stolen information to a malicious hacker. 
 
They mostly target Brazilian bank customers.
 


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Bancos is a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker. Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.
 
Many Win32/Bancos trojans monitor open Web-browser windows looking for bank names in the title bar or bank URLs in the address bar. The trojans may also log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Bancos may also replace or supplement legitimate bank Web pages with fake Web pages disguised to look like the original. A sample of the fake web page is as follows:
 
 
The above text roughly translates to:
 
Dear customer,
 
A new fix for the registration of computers fixes a critical level of the client identification system that can cause data loss and access problems.
 
The update is simple and fast, just click the link below and then click Save and run immediately after, wait a few seconds and then follow the installation instructions,
 
http://<malware domain>/cadastramento_de_computadores .exe
 
If the link above does not work, click here to download.
 
Attention: All users must register and update the registration of computers. If the correction fails, your computer will be blocked and unlock can only be carried out in agencies of the box.
 
If you have questions, call the help desk box <telephone number>
 
Win32/Bancos trojans send the captured banking credentials to the attacker by e-mail, or uploading to an attacker's FTP site, or posting the stolen credentials to a web site.
 
A Win32/Bancos trojan might copy itself to various folders on the infected PC, such as the %windir% or <<startup folder>, and also drop other files there. The trojan executable file name might contain the string 'cartao', which is Portuguese for the English word 'card'.
 
The trojan might also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Some Win32/Bancos trojans try to disable security-related software such as antivirus and firewall software.

Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Aug 23, 2006
This entry was updated on: Sep 22, 2014

This threat is also detected as:
No known aliases