Microsoft security software detects and removes this threat.

This family of data-stealing trojans can capture your online banking details, such as your login credentials and account numbers. They can then send this information to a malicious hacker.

They can be installed on your PC when you open an email attachment that looks like a greeting card.

Most variants target Brazilian bank customers.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Win32/Banker can be downloaded into your PC by other malware, often detected as Win32/Banload variants. Banker files can have file extensions of JPEG, SCR, GIF, CPL, VXD, PIF, or MP3.

Most Win32/Banker variants target customers of Brazilian banks; however some variants also target banks in Mexico, Argentina, Spain, France, United Kingdom, and Ireland, to name a few.

Many variants of Win32/Banker drop copies of themselves along with configuration files to different folders on the infected PC, such as the default Windows folder, the default Windows system folder, and the default startup folder. Its main executable might contain the string cartao, which is the Portuguese word for card.

Win32/Banker also often configures itself to run automatically each time Windows starts by editing the system registry, or by installing itself as a Browser Helper Object (BHO) with its own unique GUID.


Disables security software

Some variants try to disable security software like antivirus and firewall programs.

Steals banking information

Many Win32/Banker variants check what browsers are open and what websites the browsers are open to. Specifically, it checks if the webpage title or URL pertain to banking websites. Many variants log keystrokes to record whatever you enter to log onto the website. To be more effective at stealing your banking information, Win32/Banker might display a webpage similar in appearance to your actual banking website, in which case the credentials you enter are directly sent to a hacker. It can also take screenshots of your infected PC if you access the bank login page.

Win32/Banker send the stolen information to a hacker in different ways, including sending an email to the attacker, uploading the stolen information to a hacker's FTP site, and sending the information to the hacker via HTTP POST.

Proxy functionality

Some Win32/Banker variants drop a malicious configuration script that can redirect your Internet traffic through a hacker-controlled proxy. It does this by setting the following registry entry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value : "AutoConfigUrl"
With data: "<path and file name of script>"

Analysis by Marianne Mallen


Alerts from your security software may be the only symptom.


Alert level: High
This entry was first published on: Jul 20, 2006
This entry was updated on: Sep 22, 2014

This threat is also detected as:
No known aliases