TrojanSpy:Win32/Bancos.VI is a detection for a trojan that steals online banking passwords. The trojan installs additional components of Win32/Bancos.VI, detected as TrojanSpy:Win32/Bancos.VI!dll (and the related !dll2 and !dll3 detections).
Installation
TrojanSpy:Win32/Bancos.VI may arrive as a self-extracting archive attached to a spammed email message.
When the self-extracting archive is run, it drops the following files:
- c:\commonfiles\processr.exe - TrojanSpy:Win32/Bancos.VI
- c:\commonfiles\svchost32.cpl - TrojanSpy:Win32/Bancos.VI!dll2
- c:\commonfiles\xhostc.cpl - TrojanSpy:Win32/Bancos.VI!dll3
- c:\commonfiles\xhostf.cpl - TrojanSpy:Win32/Bancos.VI!dll
When the main component "processr.exe" is run, it copies itself as the following:
The registry is modified to run the installed component at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "process"
To data: "c:\commonfiles\process.exe"
Sets value: "process32"
To data: "c:\commonfiles\process32.exe"
Payload
Communicates with remote server
The trojan connects to specific websites to notify the attacker that it has been installed. It uses its own SMTP engine to send email, monitors email activity, and may forward the user's messages from accounts at live.com, uol.com.br, globo.com and google.com. The trojan may also connect to a remote IRC server.
The trojan component "xhostc.cpl" searches local mail stores, saved messages and address book files with the following extensions for banking-related content and forwards what it finds: *.dbx, *.mbx, *.mai, *.wab, *.tbb, *.eml, *.mbox.
Downloads arbitrary files
The component "svchost32.cpl" may contact specific websites to download further components, such as "xhostr.exe", "xhostrr.exe" and "winnet32.exe".
Logs keystrokes
TrojanSpy:Win32/Bancos.VI functions as a keylogger, recording the data the user enters via the keyboard.
Monitors online banking
The trojan component "xhostf.cpl" monitors transaction activity on online banking sites including "nossacaixa.com.br", "bancomer.com" and "hsbc.com.mx", as well as other Brazilian banks such as Bradesco and Caixa.
When it detects such activity, it may steal the login credentials and other system details (such as the Windows version), send the captured data in HTML format to a specific email address, and contact one of the following remote hosts to report the infection:
- infx01.net
- 212.124.118.78
- jacques.heliohost.org
- captx03.hpgig.com.br
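The file, registry and network indicators given in the Installation section and in the list above are easiest to check with a script. The following Python triage helper is an added example, not part of the original write-up and not Microsoft tooling: it parses the text produced by `reg export` for the Run key, a directory listing, and netstat or DNS-cache style output, and reports anything matching the indicators named on this page. All sample inputs are constructed. The rule that also flags any other Run value launching a program from c:\commonfiles\ is an assumption of this example (that folder is not a standard Windows location), not something the write-up states.

```python
import re
from typing import Dict, List, Tuple

# Indicators transcribed from the write-up above, lower-cased for comparison.
DROPPED_FILES = {
    r"c:\commonfiles\processr.exe",
    r"c:\commonfiles\svchost32.cpl",
    r"c:\commonfiles\xhostc.cpl",
    r"c:\commonfiles\xhostf.cpl",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {
    "process": r"c:\commonfiles\process.exe",
    "process32": r"c:\commonfiles\process32.exe",
}
NETWORK_IOCS = {
    "infx01.net", "212.124.118.78", "jacques.heliohost.org", "captx03.hpgig.com.br",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` (.reg) text into {key_path_lower: {value_name: data}}.

    Only quoted REG_SZ values are decoded (all the Run key normally holds);
    hex/dword data is kept verbatim.  Registry paths are case-insensitive,
    so key paths are lower-cased.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape quotes and backslashes inside string data.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_run_key_iocs(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value_name, data) pairs under HKLM\\...\\Run that match the
    Bancos.VI persistence entries.  Assumption of this example: any other Run
    value that launches from c:\\commonfiles\\ is flagged too."""
    run = parse_reg_export(reg_text).get(RUN_KEY, {})
    hits = []
    for name, data in run.items():
        data_l = data.lower()
        if RUN_VALUES.get(name.lower()) == data_l or data_l.startswith("c:\\commonfiles\\"):
            hits.append((name, data))
    return hits


def find_dropped_files(paths: List[str]) -> List[str]:
    """Return entries of a file listing that match the dropped components."""
    return [p for p in paths if p.lower() in DROPPED_FILES]


def find_network_iocs(lines: List[str]) -> List[str]:
    """Scan free-form text (netstat output, DNS cache dump, proxy log) for the
    notification hosts.  Tokens stop at ':' so an 'ip:port' field still matches."""
    hits = set()
    for line in lines:
        for token in re.findall(r"[A-Za-z0-9][A-Za-z0-9.-]*", line):
            if token.lower() in NETWORK_IOCS:
                hits.add(token.lower())
    return sorted(hits)


# Constructed sample inputs (not data from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"process"="c:\\commonfiles\\process.exe"
"process32"="c:\\commonfiles\\process32.exe"
"updater"="c:\\commonfiles\\xhostr.exe"
'''
SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\commonfiles\processr.exe",
    r"C:\commonfiles\xhostf.cpl",
]
SAMPLE_NET = [
    "  TCP    10.0.0.5:49211    212.124.118.78:80    ESTABLISHED",
    "  Record Name . . . . . : jacques.heliohost.org",
    "  TCP    10.0.0.5:49212    13.107.4.50:443      ESTABLISHED",
]

if __name__ == "__main__":
    print("Run key:", find_run_key_iocs(SAMPLE_REG))
    print("Files:", find_dropped_files(SAMPLE_FILES))
    print("Network:", find_network_iocs(SAMPLE_NET))
```

On a live Windows host, feed `find_run_key_iocs` the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and `find_network_iocs` the output of `netstat -an` or `ipconfig /displaydns`; the parser deliberately ignores the file's BOM-less header line and non-string values so such exports drop in unchanged.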
Analysis by Patrik Vicol