Trojan:DOS/Bancos.A

Trojan:DOS/Bancos.A is a trojan that disables Microsoft antivirus and banking security software. It is a component of the Win32/Bancos family of information-stealing trojans.

The trojan disables security software to allow other Win32/Bancos components to more easily infect your computer and steal your information.

Installation

Trojan:DOS/Bancos.A is downloaded by TrojanDownloader:Win32/Banload.AHI. Once downloaded, Trojan:DOS/Bancos.A overwrites your computer's loading sequence (for example, in Windows XP it overwrites "C:\ntldr" and in Windows Vista it overwrites "C:\bootmgr"). 

Payload

Disables antivirus and banking security software

When installed, Trojan:DOS/Bancos.A overwrites your computer's loading sequence with its own loading menu, and claims that your computer must be restarted in order to apply critical security updates. The trojan then restarts your computer. The message is displayed in a window as follows:

The message translates from Portuguese as "Windows Updates will restart your computer to complete the installation of Critical Security Updates".

Upon restart, instead of loading into Windows, your computer displays a menu which appears for a fraction of a second. It uses a configuration file which we detect as Trojan:DOS/Bancos.A!cfg.

This menu contains a single "option", which is automatically selected, as follows:

The message translates from Portuguese as "Starting Microsoft Malicious Software Removal Tool".

This menu option displays the following screen while loading:

A screen then appears that, when translated from Portuguese, states the following:

ATTENTION: Virus-infected files were found
Starting virus removal process
Process started...
This process may take a while, depending on the amount of virus-infected files found
Do not turn off or restart your computer during this process

The trojan proceeds to search for and delete files related to a browser security product and certain Microsoft antivirus products, as follows:

• Microsoft Security Essentials
• Microsoft Malicious Software Removal Tool
• Windows Defender
• G-Buster Browser Defense

Once it has found and deleted these files, it presents messages which, when translated from Portuguese, state:

Process completed successfully...
Restarting the computer

The trojan restores your original loading sequence and restarts your computer. Your computer should boot normally, however your Microsoft antivirus and G-Buster Browser Defense products may no longer work correctly, and you will be unprotected against other attacks.

Additional information

The messages originally appear in Portuguese, as follows:

O Windows Update estó reiniciando seu computador para a finalização da instalação de Atualizações Críticas de Segurança

Iniciando a Ferramenta de Remocao de Software Mal-Intencionado da Microsoft

ATENÇÃO: foram localizados arquivos infectados com vírus
Iniciando processo de remoção de vírus
Processo iniciado...
Este processo pode demorar um pouco, dependendo da quantidade de arquivos infectados com vírus localizados
Não desligue nem reinicie seu computador durante esta processo

Processo concluido com sucesso...
Reiniciando o computador.

Related encyclopedia entries

Win32/Bancos

TrojanDownloader:Win32/Banload.AHI

Analysis by Sergey Chernyshev