TrojanSpy:Win32/Bancos.ADL

TrojanSpy:Win32/Bancos.ADL is a trojan that attempts to steal login information for various banking websites.

Installation

TrojanSpy:Win32/Bancos.ADL drops itself as the file "<system folder>\fsrun.exe".

It also modifies the system registry so that it automatically runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "microtools"
With data: "<system folder>\fsrun.exe"

Payload

Steals login information

TrojanSpy:Win32/Bancos.ADL attempts to steal login information for various banking websites by loading a malicious website similar in appearance to the legitimate website. All stolen information is then sent to a remote attacker via email.

The malicious website is loaded in place of the legitimate one because this malware deletes the computer's legitimate Hosts file and replaces it with its own copy, and which contains the address of the malicious website.

It attempts to download the malicious Hosts file from the server "60.<removed>.<removed>.202".

Deletes files

TrojanSpy:Win32/Bancos.ADL attempts to also delete the file "<system folder>\drivers\encore.dat".

Connects to a remote server

TrojanSpy:Win32/Bancos.ADL tries to connect to the server "60.<removed>.<removed>.179" via POST.

Analysis by Daniel Radu