TrojanSpy:Win32/Banker.USY
First posted on 27 March 2009.
Source: SecurityHome
Aliases: TrojanSpy:Win32/Banker.USY is also known as Win32/Spy.Agent (ESET) and PSW.Banker3.QGK (AVG).
Explanation:
TrojanSpy:Win32/Bancos.USY is a password stealing trojan that targets specific online banking web sites. Captured credentials are sent via an SMTP post to a predefined email address.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
C:\Arquivos de programas\Windows32.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe
C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe
The presence of the following registry modifications (for example):
Adds value: "Windows32"
With data: "C:\Arquivos de programas\Windows32.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Installation
TrojanSpy:Win32/Banker.USY has been distributed as a Win32 compressed and encrypted executable file with a file size of 2,226 kb. When the malware is executed it may drop a copy of itself to the following locations:
C:\Arquivos de programas\Windows32.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe
C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe
The registry is also modified to execute Win32/Banker.USY at the next Windows start (for example):
Adds value: "Windows32"
With data: "C:\Arquivos de programas\Windows32.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
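The following is an added detection script, not part of the original analysis, that checks a Windows host for the drop locations and the "Windows32" Run value listed above. The Wow6432Node Run key, the environment-resolved paths and the PowerShell 4+ requirement are this example's assumptions.

```powershell
# Added example, not part of the original analysis: scans a host for the
# persistence artifacts listed in this entry. The drop paths and the
# "Windows32" Run value come from the page; the locale-independent paths
# are resolved from the environment. Assumes PowerShell 4+ (Get-FileHash),
# run as Administrator.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit hosts
)

# Literal drop locations from the analysis (Portuguese Windows XP layout),
# plus the same folders as resolved on the current system.
$dropPaths = @(
    'C:\Arquivos de programas\Windows32.exe',
    'C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe',
    'C:\Documents and Settings\All Users\start menu\programs\startup\Windows32.exe',
    (Join-Path $env:ProgramFiles 'Windows32.exe'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Windows32.exe')
) | Select-Object -Unique

$findings = @()

# 1. Dropped copies: hash each one so it can be matched against AV aliases.
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = "SHA256=$hash" }
    }
}

# 2. Autostart: a Run value named "Windows32", or any Run value whose data
#    launches a Windows32.exe (catches variants that rename the value).
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        if ($prop.Name -eq 'Windows32' -or "$($prop.Value)" -match 'Windows32\.exe') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$($prop.Name)"; Detail = $prop.Value }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Artifacts matching TrojanSpy:Win32/Banker.USY found; preserve copies before removal.'
} else {
    'No TrojanSpy:Win32/Banker.USY persistence artifacts found.'
}
```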
Payload
Steals Sensitive Data
The trojan checks for the presence of the following cookies in C:\Documents and Settings\Administrator\Cookies:
@SIIBC[1].txt
@internetbanking.caixa.gov[1].txt
@SIIBC[2].txt
@internetbanking.caixa.gov[2].txt
It then monitors for the following window names:
"Nunca digite seus dados de acesso em e-mail"
"Cuidado com links e downloads contidos em mensagens promocionais"
"Escolha "senhas" diferentes do seu nascimento, CPF e n"
"Troque sua senha caso ela possa ser descoberta facilmente"
"Verifique um pequeno cadeado na parte inferior de seu navegador"
"Banco Bradesco S/A"
"Unibanco.com"
"Santander"
"HSBC Bank Brasil S.A. - No Brasil e no mundo, HSBC."
"Portal BANCO REAL - ABN AMRO"
"Credicard Citi Portal"
"Banco Nossa Caixa S.A"
"MercadoLivre Brasil"
It also strips a window name of special characters and numerals and compares it to the following strings:
"HTTPWWWCAIXACOMBRREDIRECTLINKSRINTERNETCAIXAASP"
"INTERNETBANKINGCAIXA"
"NOSSACAIXANETBANKING"
If found, TrojanSpy:Win32/Banker.USY may log credentials and gather other personal information.
Sends Captured Data
The trojan attempts to submit captured information to a predefined remote email address, trying to use the gsmtp185.google.com SMTP server.
Additional Information
In the wild, this trojan may be downloaded after a user visits a hyperlink in a spammed e-mail message.
Analysis by Oleg Petrovsky
Last update 27 March 2009