Threat behavior
TrojanSpy:Win32/Bancos.TE is a password stealing trojan that targets specific online banking web sites.
Installation
This trojan may be installed by other malware such as TrojanDownloader:Win32/Delf.JA. When run, TrojanSpy:Win32/Bancos.TE creates a copy of itself as the following:
<system folder>\svchupd.exe
The registry is modified to run the trojan copy at each Windows start.
Adds value: "SvChUpd"
With data: "<system folder>\svchupd.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Steals User Information
Win32/Bancos is a family of password-stealing trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker.
It may target customers of Brazilian bank sites, such as the following:
bradesco.com.br
bb.com.br
bancobrasil.com.br
nossacaixa.com.br
rural.com.br
Additional Information
TrojanSpy:Win32/Bancos.TE may alter the user agent value for the Web browser by modifying registry data.
Adds value: "Embedded Web Browser from: http://bsalsa.com/"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
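The two registry artifacts described in this write-up (the HKLM Run value launching svchupd.exe and the Post Platform user-agent value) can be checked offline against a regedit export. The following is an added example, not code from the original analysis: a small parser for the string-value subset of the .reg format, followed by a matcher for the indicators above. The .reg text it runs on is constructed for illustration.

```python
"""Offline triage of a regedit export (.reg) for the Bancos.TE persistence and
user-agent indicators described above.  The .reg sample below is constructed."""
import re

# Indicators from the write-up; keys are compared case-insensitively, as the registry does.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
RUN_BINARY = "svchupd.exe"
UA_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
          r"\Internet Settings\User Agent\Post Platform").lower()
UA_VALUE = "embedded web browser from: http://bsalsa.com/"

_VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')

def parse_reg(text):
    """Parse the subset of .reg syntax regedit emits: [key] headers followed by
    "name"="data" lines.  Non-string data (dword:, hex:) is kept verbatim.
    Returns {key_lowercase: {name: data}}.  Real exports are UTF-16LE; read
    them with encoding="utf-16" before passing the text here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, data = m.group(1), m.group(2)
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escaping
                keys[current][name] = data
    return keys

def find_bancos_indicators(reg):
    """Return human-readable findings for the indicators listed on this page."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if data.strip('"').lower().endswith(RUN_BINARY):
            findings.append(f"HKLM Run value {name!r} launches {data} (Bancos.TE persistence)")
    for name in reg.get(UA_KEY, {}):
        if name.lower() == UA_VALUE:
            findings.append("Post Platform value " + name + " present "
                            "(weaker indicator on its own; corroborate with the Run key)")
    return findings

# Constructed sample export: one benign Run entry plus both indicators from the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SvChUpd"="C:\\WINDOWS\\system32\\svchupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Embedded Web Browser from: http://bsalsa.com/"="0"
"""

if __name__ == "__main__":
    for finding in find_bancos_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same checks map to `reg query` of the two subkeys plus a file check for svchupd.exe in the system folder.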
Analysis by Wei Li
Prevention