TrojanSpy:Win32/Bancos.gen!B is a password-stealing trojan that targets specific online banking Web sites. Captured credentials are sent via SMTP e-mail to a specified e-mail address.
The Bancos family consists of password-stealing trojans. They attempt to steal passwords and other confidential data from the infected computer. Many variants of this family masquerade as interfaces to online banking applications in order to trick the user into entering confidential data. The malware in this family is often created to target Brazilian online banking institutions.
Variants of this family are often distributed as an attachment to spammed e-mail messages. These malicious files may use a familiar icon such as the standard icon for Internet Explorer, or perhaps an "envelope" suggesting that the attached file is a message in order to fool users into executing the attachment.
Some variants have been observed to connect to an SMTP e-mail server named 'gsmtp185.google.com' in order to send and deliver e-mail.
Installation
When executed, this trojan may drop a copy of itself to the following locations:
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The filename used differs according to minor variant. Common TrojanSpy:Win32/Bancos.gen!B file names observed in the wild include the following:
Windows32.exe
Win.exe
Arquivos.exe
sxe[0-9].tmp
sound.exe
service.exe
winupdbc.exe
At other times, the malware may use an .scr file extension.
During installation, this trojan may modify the registry in order to ensure that its copy is executed at each Windows start:
Adds value: <variable>
With data: <malware path and filename>
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
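The file names and the Run subkey above give a responder something concrete to check for on a suspect host. The following is an added example, not part of the original analysis: a small triage script that parses a text export of the Run key (the format written by `reg export`) and flags entries whose target file matches the names listed above or uses an .scr extension. The sample export, the value name "msnmsgr" (the page only says the value name is variable) and the helper names are all constructed for illustration; run `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` on the host and feed that file in instead.

```python
"""Triage helper for Run-key persistence matching the Bancos.gen!B file names.

Added example, not code from the original analysis. Parses a .reg export of
HKLM\...\Run and reports entries whose image file name matches the names
observed for TrojanSpy:Win32/Bancos.gen!B, or ends in .scr.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# File names from the analysis above; "sxe[0-9].tmp" is already a pattern.
# Matching is anchored, so a legitimate services.exe does not match service.exe.
INDICATOR_PATTERNS = [
    r"windows32\.exe", r"win\.exe", r"arquivos\.exe", r"sxe[0-9]\.tmp",
    r"sound\.exe", r"service\.exe", r"winupdbc\.exe",
    r".*\.scr",  # variants that use an .scr extension
]
INDICATOR_RE = re.compile("^(?:" + "|".join(INDICATOR_PATTERNS) + ")$", re.IGNORECASE)

# A .reg string value line looks like  "Name"="C:\\path\\file.exe"
# (backslashes and embedded quotes are escaped with a backslash).
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return {subkey: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # Undo .reg escaping: \\ -> \ and \" -> "
                keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return keys


def image_path(data):
    """Extract the executable path from Run-key data (handles a quoted path)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data


def suspicious_run_entries(text, system_folder=r"C:\Windows\System32"):
    """Return [(value_name, path, reason)] for Run entries matching the indicators."""
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        path = image_path(data)
        base = path.rsplit("\\", 1)[-1]
        if not INDICATOR_RE.match(base):
            continue
        reason = ".scr extension" if base.lower().endswith(".scr") else "known Bancos.gen!B file name"
        if path.lower().startswith(system_folder.lower() + "\\"):
            reason += " in system folder"
        hits.append((name, path, reason))
    return hits


# Constructed sample export; the value names are made up for illustration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"msnmsgr"="C:\\Windows\\System32\\winupdbc.exe"
"Arquivos"="\"C:\\Windows\\System32\\Arquivos.exe\""
"ScreenSaver"="C:\\Windows\\scrnsave.scr"
"""

if __name__ == "__main__":
    for value_name, path, reason in suspicious_run_entries(SAMPLE_EXPORT):
        print(f"{value_name}: {path} ({reason})")
```

The .scr rule is deliberately reported with its own reason: an .scr in a Run key is unusual but not proof of infection, whereas the named executables under the system folder are the stronger indicator and should be hashed and submitted for analysis before removal.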
Payload
Modifies System Security Settings
Bancos.gen!B may run the Windows program "netsh.exe" to change the Windows Firewall configuration so that the malware is permitted through the firewall and can open the ports it needs.
Terminates Processes
Some variants of this malware drop a batch script file named "c:\start.bat" to terminate security processes or to remove files.
Analysis by Huzefa Mogri