Threat behavior
TrojanSpy:Win32/Banker.RQ is a data-stealing trojan that captures a user's credentials, such as account numbers and passwords, and relays the captured information to a remote attacker. This trojan may also masquerade as a Portuguese-language version of Windows Live Messenger.
Installation
TrojanSpy:Win32/Banker.RQ may be downloaded or dropped by other malware. In the wild, we have observed the trojan using the following file names:
When run, TrojanSpy:Win32/Banker.RQ terminates the legitimate Windows Live Messenger process, if one is found on the affected computer.
The trojan then displays a fake Portuguese-language version of the Windows Live Messenger icon and GUI, as seen in the example below:
The trojan ensures its copy automatically runs every time Windows starts by creating the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Msnsock"
With data: "<Malware file name>"
Payload
Contacts remote hosts
The malware may contact the following remote hosts using port 80:
- ferreiracosta1970.sites.uol.com.br
- jrp.santos.sites.uol.com.br
- bike50.sites.uol.com.br
- augustomarins.sites.uol.com.br
- tiagojfaria.sites.uol.com.br
- hostativohost.tempsite.ws
Terminates processes
TrojanSpy:Win32/Banker.RQ terminates the Windows Live Messenger and Firefox processes by running the following commands:
- taskkill /im msnmsgr.exe
- taskkill /im firefox.exe /
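The three host-observable indicators this entry gives (the "Msnsock" Run value, the taskkill command lines, and the remote hosts contacted on port 80) can be checked offline against collected artifacts. The following script is an added example, not part of the encyclopedia entry or any Microsoft tooling: it parses a registry export of the Run key, scans process command lines, and scans connection records. The indicator values come from the text above; the .reg export, the malware file path, the command lines and the connection log lines are constructed sample data, and their formats are assumptions made for the example.

```python
import re

# Indicators taken from the encyclopedia entry above. Everything else in this
# file (paths, log lines, log formats) is constructed sample data.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Msnsock"
KILLED_PROCESSES = {"msnmsgr.exe", "firefox.exe"}
CONTACTED_HOSTS = {
    "ferreiracosta1970.sites.uol.com.br",
    "jrp.santos.sites.uol.com.br",
    "bike50.sites.uol.com.br",
    "augustomarins.sites.uol.com.br",
    "tiagojfaria.sites.uol.com.br",
    "hostativohost.tempsite.ws",
}

# Constructed regedit export; the Msnsock path is a placeholder, not a real IoC.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Msnsock"="C:\\Users\\Public\\msnlive.exe"
'''

# Constructed process command lines (e.g. from process-creation auditing).
SAMPLE_CMDLINES = [
    r'"C:\Users\Public\msnlive.exe"',
    "taskkill /im msnmsgr.exe",
    "taskkill /im firefox.exe /",
    "taskkill /f /im notepad.exe",  # unrelated, must not be flagged
]

# Constructed connection records in an assumed "src -> dst:port" format.
SAMPLE_CONN_LOG = [
    "2013-05-01T10:02:11Z TCP 10.0.0.12:49812 -> ferreiracosta1970.sites.uol.com.br:80",
    "2013-05-01T10:02:13Z TCP 10.0.0.12:49813 -> hostativohost.tempsite.ws:80",
    "2013-05-01T10:03:00Z TCP 10.0.0.12:49820 -> www.example.com:443",
]


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if value_match and current is not None:
            # .reg exports escape backslashes and double quotes
            data = value_match.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][value_match.group(1)] = data
    return keys


def find_run_persistence(reg_text):
    """Return the data of a Run value named Msnsock (case-insensitive), else None."""
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME.lower():
                return data
    return None


TASKKILL_RE = re.compile(r"\btaskkill\b.*?/im\s+([\w.]+)", re.IGNORECASE)


def find_taskkill_targets(cmdlines):
    """Return the listed process names targeted by taskkill /im in the command lines."""
    hits = set()
    for cmd in cmdlines:
        match = TASKKILL_RE.search(cmd)
        if match and match.group(1).lower() in KILLED_PROCESSES:
            hits.add(match.group(1).lower())
    return hits


HOST_PORT_RE = re.compile(r"([A-Za-z0-9.-]+):(\d+)")


def find_contacted_hosts(conn_log):
    """Return the listed hosts seen as host:80 tokens in the connection records."""
    seen = set()
    for line in conn_log:
        for host, port in HOST_PORT_RE.findall(line):
            if port == "80" and host.lower() in CONTACTED_HOSTS:
                seen.add(host.lower())
    return seen


if __name__ == "__main__":
    print("Run-key persistence:", find_run_persistence(SAMPLE_REG_EXPORT))
    print("taskkill targets:", sorted(find_taskkill_targets(SAMPLE_CMDLINES)))
    print("contacted hosts:", sorted(find_contacted_hosts(SAMPLE_CONN_LOG)))
```

The value name "Msnsock" is the most specific of the three indicators, so a hit there is worth acting on by itself; a taskkill of firefox.exe or a connection to one of the uol.com.br hosts is weaker on its own and is best treated as corroboration.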
Analysis by Wei Li
Prevention