Threat behavior
WinNT/Bancos is a component utilized by the Win32/Bancos family in order to attempt to bypass particular online banking security measures. Win32/Bancos is a family of data-stealing trojans that captures users' online banking credentials such as account login names and passwords. These trojans send the captured information to the attacker by e-mail, or by uploading it to an attacker's FTP site, or by posting it to an attacker's Web site. The Win32/Bancos trojans mostly target customers of Brazilian banks.
Installation
WinNT/Bancos has been observed being installed in the wild by trojan droppers (detected as Win32/Bancos variants) that masquerade as coming from Microsoft. We have observed these droppers being distributed with the following file names in the wild:
- microsoftgenuinexp.exe
- MsGenuine.exe
Payload
Lowers system security
WinNT/Bancos is utilized by some Win32/Bancos variants to delete security files associated with Brazilian banking sites. This driver is designed to attempt to remove files from the following hardcoded locations:
\Device\HarddiskVolume1\Program Files\GbPlugin\gbpsv.exe
\Device\HarddiskVolume1\Program Files\GbPlugin\gbieh.dll
\Device\HarddiskVolume1\Program Files\GbPlugin\gbpdist.dll
\Device\HarddiskVolume1\Program Files\GbPlugin\gbieh.gmd
\Device\HarddiskVolume1\Program Files\GbPlugin\bb.gpc
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\gbpsv.exe
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\gbieh.dll
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\.dll
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\gbieh.gmd
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\.gpc
\Device\HarddiskVolume1\Arquivos de Programas\Scpad\scpMIB.dll
\Device\HarddiskVolume1\Arquivos de Programas\Scpad\.dll
\Device\HarddiskVolume1\Arquivos de Programas\Scpad\sshib.dll
\Device\HarddiskVolume1\Arquivos de Programas\Scpad\scpIBCfg.bin
\Device\HarddiskVolume1\Arquivos de Programas\Scpad\scpLIB.dll
\Device\HarddiskVolume1\Program Files\Scpad\.dll
\Device\HarddiskVolume1\Program Files\Scpad\scpsssh2.dll
\Device\HarddiskVolume1\Program Files\Scpad\sshib.dll
\Device\HarddiskVolume1\Program Files\Scpad\scpIBCfg.
\Device\HarddiskVolume1\Program Files\Scpad\scpLIB.dll
\Device\HarddiskVolume1\Program Files\GbPlugin\.gpc
\Device\HarddiskVolume1\Program Files\GbPlugin\gbiehcef.dll
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\gbiehcef.dll
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\.gpc
\Device\HarddiskVolume1\Program Files\GbPlugin\gbiehuni.dll
\Device\HarddiskVolume1\Program Files\GbPlugin\uni.gpc
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\.dll
\Device\HarddiskVolume1\Arquivos de Programas\GbPlugin\uni.gpc
Where \Device\HarddiskVolume1\ indicates the default Windows installation volume, usually C:\.
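The dropper file names under Installation and the hardcoded target paths under Payload can be turned into a simple host-level detection. The following is an added example, not part of the original analysis: it maps the page's NT device paths to their usual C:\ form, then scans constructed, Sysmon-like file-delete and process-create records for deletions of the listed GbPlugin/Scpad files (or of anything in those directories) and for the observed dropper names. The log line format and the sample lines are constructed for the example; the path subset omits the entries whose names are truncated on the page.

```python
import ntpath

NT_PREFIX = "\\Device\\HarddiskVolume1\\"  # per the page, usually C:\

# Subset of the hardcoded targets quoted from the page (truncated entries left out).
TARGETED_NT_PATHS = [
    "\\Device\\HarddiskVolume1\\Program Files\\GbPlugin\\gbpsv.exe",
    "\\Device\\HarddiskVolume1\\Program Files\\GbPlugin\\gbieh.dll",
    "\\Device\\HarddiskVolume1\\Arquivos de Programas\\GbPlugin\\gbieh.gmd",
    "\\Device\\HarddiskVolume1\\Program Files\\Scpad\\scpLIB.dll",
    "\\Device\\HarddiskVolume1\\Arquivos de Programas\\Scpad\\scpIBCfg.bin",
]
# Dropper file names observed in the wild (from the page), compared case-insensitively.
DROPPER_NAMES = {"microsoftgenuinexp.exe", "msgenuine.exe"}


def nt_to_win32(nt_path, drive="C:"):
    """Translate \\Device\\HarddiskVolume1\\... to a drive-letter path; None if no match."""
    if not nt_path.lower().startswith(NT_PREFIX.lower()):
        return None
    return drive + "\\" + nt_path[len(NT_PREFIX):]


TARGETED_WIN32 = {nt_to_win32(p).lower() for p in TARGETED_NT_PATHS}
PROTECTED_DIRS = {ntpath.dirname(p) for p in TARGETED_WIN32}


def parse_event(line):
    """Constructed record format: 'Kind|Key=Value|Key=Value' (values may contain spaces)."""
    kind, *fields = line.strip().split("|")
    return kind, dict(f.split("=", 1) for f in fields)


def classify(line):
    """Return an alert label for a record that matches WinNT/Bancos behaviour, else None."""
    kind, fields = parse_event(line)
    if kind == "FileDelete":
        target = fields.get("TargetFilename", "").lower()
        if target in TARGETED_WIN32:
            return "bancos-target-deleted"
        if ntpath.dirname(target) in PROTECTED_DIRS:
            return "banking-plugin-dir-delete"
    elif kind == "ProcessCreate":
        if ntpath.basename(fields.get("Image", "")).lower() in DROPPER_NAMES:
            return "bancos-dropper-filename"
    return None


def scan(lines):
    """(1-based line number, alert) for every matching record."""
    return [(i, a) for i, line in enumerate(lines, 1) if (a := classify(line))]


# Constructed sample records: one dropper launch, one targeted deletion, one benign deletion.
SAMPLE_LOG = [
    "ProcessCreate|Image=C:\\Users\\ana\\Downloads\\MsGenuine.exe|User=DESKTOP\\ana",
    "FileDelete|TargetFilename=C:\\Program Files\\GbPlugin\\gbpsv.exe|Image=System",
    "FileDelete|TargetFilename=C:\\Windows\\Temp\\tmp1.dat|Image=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for line_no, alert in scan(SAMPLE_LOG):
        print(f"line {line_no}: {alert}")
```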
Additional Information
Analysis by Matt McCormack
Prevention