Microsoft security software detects and removes this family of threats.
This family of data-stealing trojans can steal your online banking login details, such as your user names and passwords. They then send the stolen information to a malicious hacker. 
They mostly target Brazilian bank customers.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Bancos is a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker. Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.
Many Win32/Bancos trojans monitor open Web-browser windows looking for bank names in the title bar or bank URLs in the address bar. The trojans may also log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Bancos may also replace or supplement legitimate bank Web pages with fake Web pages disguised to look like the original. A sample of the fake web page is as follows:
The above text roughly translates to:
Dear customer,
A new fix for the registration of computers fixes a critical level of the client identification system that can cause data loss and access problems.
The update is simple and fast, just click the link below and then click Save and run immediately after, wait a few seconds and then follow the installation instructions,
http://<malware domain>/cadastramento_de_computadores .exe
If the link above does not work, click here to download.
Attention: All users must register and update the registration of computers. If the correction fails, your computer will be blocked and unlock can only be carried out in agencies of the box.
If you have questions, call the help desk box <telephone number>
Win32/Bancos trojans send the captured banking credentials to the attacker by e-mail, or uploading to an attacker's FTP site, or posting the stolen credentials to a web site.
A Win32/Bancos trojan might copy itself to various folders on the infected PC, such as the %windir% or <<startup folder>, and also drop other files there. The trojan executable file name might contain the string 'cartao', which is Portuguese for the English word 'card'.
The trojan might also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Some Win32/Bancos trojans try to disable security-related software such as antivirus and firewall software.


Alerts from your security software may be the only symptom.


Alert level: Severe
This entry was first published on: Aug 23, 2006
This entry was updated on: May 14, 2014

This threat is also detected as:
No known aliases