
TrojanSpy:Win32/Banker.USY


First posted on 27 March 2009.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Banker.USY is also known as Win32/Spy.Agent (ESET) and PSW.Banker3.QGK (AVG).

Explanation:

TrojanSpy:Win32/Bancos.USY is a password stealing trojan that targets specific online banking web sites. Captured credentials are sent via an SMTP post to a predefined email address.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    C:\Arquivos de programas\Windows32.exe
    C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe
    C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe
  • The presence of the following registry modifications (for example):
    Adds value: "Windows32"
    With data: "C:\Arquivos de programas\Windows32.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run


    Installation
    TrojanSpy:Win32/Banker.USY has been distributed as a Win32 compressed and encrypted executable file with a file size of 2,226 kb. When the malware is executed, it may drop a copy of itself to the following locations:
  • C:\Arquivos de programas\Windows32.exe
  • C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe
  • C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe

    The registry is also modified to execute Win32/Banker.USY at the next Windows start (for example):
    Adds value: "Windows32"
    With data: "C:\Arquivos de programas\Windows32.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
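The file drops and the Run-key value above are the host artifacts an incident responder would sweep for. The following checker is an added example (not part of this report or any vendor tooling) that compares a host inventory against exactly those indicators. The comparison is factored into a pure function so it can be exercised offline with a constructed inventory; `collect_from_host` reads the live file system and registry only on Windows, using the standard `winreg` module. Paths and value data are compared case-insensitively, as both the Windows file system and registry are. The sample inventory and the benign `ctfmon.exe` entry are constructed for illustration.

```python
import os
import sys

# Indicators taken from the report above (backslashes restored; the extracted
# page had dropped them). Comparisons are case-insensitive because the Windows
# file system and registry are.
DROPPED_FILES = [
    r"C:\Arquivos de programas\Windows32.exe",
    r"C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe",
    r"C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe",
]
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKLM
RUN_VALUE_NAME = "Windows32"
RUN_VALUE_DATA = r"C:\Arquivos de programas\Windows32.exe"


def check_indicators(existing_files, run_values):
    """Match a host inventory against the report's indicators.

    existing_files: absolute paths that exist on the host.
    run_values: {value_name: data} read from HKLM\...\CurrentVersion\Run.
    Returns a list of (kind, detail) findings: dropped files first, in the
    order the report lists them, then the Run-key finding if any.
    """
    present = {p.lower() for p in existing_files}
    findings = [("file", p) for p in DROPPED_FILES if p.lower() in present]

    data = run_values.get(RUN_VALUE_NAME)
    if data is not None:
        # Run-key data is often stored quoted; strip quotes before comparing.
        if data.strip('"').lower() == RUN_VALUE_DATA.lower():
            findings.append(("run-key", f"{RUN_VALUE_NAME} = {data}"))
        else:
            # Same value name pointing elsewhere: lower confidence, still worth a look.
            findings.append(("run-key-name-only", f"{RUN_VALUE_NAME} = {data}"))
    return findings


def collect_from_host():
    """Read the live inventory on a Windows host; returns empty results elsewhere."""
    files = [p for p in DROPPED_FILES if os.path.exists(p)]
    values = {}
    if sys.platform == "win32":
        import winreg  # standard library, Windows only
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _value_type = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = str(data)
                    index += 1
        except OSError:
            pass  # key missing or not readable
    return files, values


# Constructed inventory for an offline run: two of the three dropped files
# and the reported Run value (quoted, mixed case), plus one benign entry.
SAMPLE_FILES = [
    r"C:\ARQUIVOS DE PROGRAMAS\Windows32.exe",
    r"C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Windows32": r'"C:\Arquivos de programas\Windows32.exe"',
}

if __name__ == "__main__":
    if sys.platform == "win32":
        inventory = collect_from_host()
    else:
        inventory = (SAMPLE_FILES, SAMPLE_RUN_VALUES)
    for kind, detail in check_indicators(*inventory):
        print(f"[{kind}] {detail}")
```

Run it without arguments: on Windows it inspects the live host, elsewhere it reports on the constructed inventory. The `run-key-name-only` finding exists because a `Windows32` value with different data is still unusual enough to triage, even though it is not an exact indicator match.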

    Payload
    Steals Sensitive Data
    The trojan checks for the presence of the following cookies in C:\Documents and Settings\Administrator\Cookies:
  • @SIIBC[1].txt
  • @internetbanking.caixa.gov[1].txt
  • @SIIBC[2].txt
  • @internetbanking.caixa.gov[2].txt

    It then proceeds to monitor for the following window names:
  • "Nunca digite seus dados de acesso em e-mail"
  • "Cuidado com links e downloads contidos em mensagens promocionais"
  • "Escolha "senhas" diferentes do seu nascimento, CPF e n"
  • "Troque sua senha caso ela possa ser descoberta facilmente"
  • "Verifique um pequeno cadeado na parte inferior de seu navegador"
  • "Banco Bradesco S/A"
  • "Unibanco.com"
  • "Santander"
  • "HSBC Bank Brasil S.A. - No Brasil e no mundo, HSBC."
  • "Portal BANCO REAL - ABN AMRO"
  • "Credicard Citi Portal"
  • "Banco Nossa Caixa S.A"
  • "MercadoLivre Brasil"

    It also strips a window name of special characters and numerals and compares it to the following strings:
  • "HTTPWWWCAIXACOMBRREDIRECTLINKSRINTERNETCAIXAASP"
  • "INTERNETBANKINGCAIXA"
  • "NOSSACAIXANETBANKING"

    If found, TrojanSpy:Win32/Banker.USY may log credentials and gather other personal information.

    Sends Captured Data
    The trojan attempts to submit captured information to a predefined remote email address, trying to use the gsmtp185.google.com SMTP server.

    Additional Information
    In the wild, this trojan may be downloaded after a user visits a hyperlink in a spammed e-mail message.
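The three upper-case strings above are window titles with everything but letters removed, which is why they do not look like the titles or URLs they came from. When triaging this sample in a sandbox, it helps to apply the same normalisation to the window titles the sandbox recorded, so the analyst can see which of them the sample's comparison would have reacted to. The helper below is an added example, not code from this report or from any vendor. Two points the report leaves open are treated as labelled assumptions: accented letters are dropped along with other non-letter characters, and the comparison is by equality rather than substring. The window titles in `SAMPLE_TITLES` are constructed for illustration.

```python
import re

# The stripped comparison strings listed in the report.
STRIPPED_TARGETS = {
    "HTTPWWWCAIXACOMBRREDIRECTLINKSRINTERNETCAIXAASP",
    "INTERNETBANKINGCAIXA",
    "NOSSACAIXANETBANKING",
}


def strip_title(title):
    """Remove every character that is not an ASCII letter and uppercase the rest.

    Assumption: accented letters are treated as 'special characters' and
    dropped too; the report does not say how the sample handles them.
    """
    return re.sub(r"[^A-Za-z]", "", title).upper()


def would_match(title):
    """True if the stripped title equals one of the report's strings.

    Assumption: equality rather than substring; the report only says
    'compares it to the following strings'.
    """
    return strip_title(title) in STRIPPED_TARGETS


def triage_titles(titles):
    """Return the observed titles, in order, that the comparison would flag."""
    return [t for t in titles if would_match(t)]


# Constructed window titles, as a sandbox's window-enumeration log might record them.
SAMPLE_TITLES = [
    "Internet Banking CAIXA",
    "Nossa Caixa - Net Banking (2009)",
    "Internet Banking CAIXA - Mozilla Firefox",
    "Calculadora",
]

if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        flag = "MATCH" if would_match(title) else "     "
        print(f"{flag} {strip_title(title):50} <- {title!r}")
```

The third sample title shows the consequence of the equality assumption: a browser appends its own name to the page title, and the stripped result no longer equals the stored string. If dynamic analysis shows the sample reacting to such titles anyway, the comparison is a substring check and `would_match` should use `any(t in stripped for t in STRIPPED_TARGETS)` instead.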

    Analysis by Oleg Petrovsky

    Last update 27 March 2009
