TrojanSpy:Win32/Bancos.BK
First posted on 04 February 2009.
Source: SecurityHome
Aliases:
TrojanSpy:Win32/Bancos.BK is also known as Trojan.Banker.LAR (BitDefender), Trojan-Banker.Win32.Banker.abpc (Kaspersky), W32/Smalltroj.IELI (Norman), Mal/EncPk-CU (Sophos), Packed.Generic.56 (Symantec), Packed/XPack (VirusBuster).
Explanation:
TrojanSpy:Win32/Bancos.BK is a trojan that captures logon credentials for the online banking Web sites of banks located in Brazil and may connect to a remote server on TCP port 1433.
Symptoms
System Changes
The following system changes may indicate the presence of this malware: the presence of the following registry values and data (the subkey/value pairing here follows the Installation and Payload sections below).
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Value: "Embedded Web Browser from: http://bsalsa.com/"
In subkey: HKLM\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
Value: "NetworkAddress"
With data: "00 4D AA 07 A4 C4"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "Gbp Service"
Two of these are weak indicators on their own: Windows itself maintains the NetworkAddress value under UuidTemporaryData (it records the network adapter address used for sequential UUID generation), and the Post Platform value is the marker that the bsalsa.com EmbeddedWB Delphi component writes to advertise itself in the User-Agent string, so legitimate Delphi applications can create it too. The Run value and the GbpSv.exe file named below are the indicators worth acting on.
Installation
The trojan may be installed by other potentially unwanted software or by a malicious Web site. When run, this trojan modifies the registry so that it executes at each Windows startup:
Adds value: "Gbp Service" or "ashservecie"
With data: "<path and filename of Win32/Bancos.BK>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The trojan may be present as a file named "GbpSv.exe".
Payload
Modifies System Settings
The trojan modifies the registry with the following data:
Adds value: "Embedded Web Browser from: http://bsalsa.com/"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Adds value: "NetworkAddress"
With data: "00 4D AA 07 A4 C4"
To subkey: HKLM\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
Captures Logon Credentials
This trojan captures logon credentials when a user logs into an online banking site with certain domain names for banks located in Brazil.
Connects With Remote Server
Win32/Bancos.BK attempts to connect to a remote host with the IP address 201.76.55.11 on TCP port 1433. TCP 1433 is the default Microsoft SQL Server port, so the endpoint is more likely a database server than a Web site; outbound connections from workstations to external hosts on that port are unusual and are worth alerting on in their own right, independent of this particular address.
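As an added example, not part of the original analysis, the following Python script checks the text of a `reg export` dump and Windows Firewall-style log lines for the indicators listed in the Symptoms, Installation and Payload sections. The .reg text and the log lines are constructed for this example; the registry paths, value names, file name, IP address and port are the ones given on this page. The network check is generalised beyond the single address: any outbound TCP/1433 to a public address is flagged for review, because 1433 is the default Microsoft SQL Server port and workstations rarely need to reach external hosts on it.

```python
"""Offline triage for the Win32/Bancos.BK indicators listed above (added example)."""
import ipaddress
import re

# Indicators from the description above; matching is case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"gbp service", "ashservecie"}
DROPPED_FILE = "gbpsv.exe"
POST_PLATFORM_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")
POST_PLATFORM_VALUE = "embedded web browser from: http://bsalsa.com/"
UUID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData"
UUID_DATA = "00 4d aa 07 a4 c4"
C2_IP, C2_PORT = "201.76.55.11", 1433

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Windows Firewall log fields: date time action protocol src-ip dst-ip src-port dst-port ...
_CONN_RE = re.compile(r"^\S+ \S+ \S+ (?P<proto>\S+) \S+ (?P<dst>\S+) \d+ (?P<dport>\d+)")


def parse_reg_export(text):
    """Parse .reg text into {key_lower: {value_name_lower: raw_data}}; hex data may continue over lines ending in a backslash."""
    keys, current, pending = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if pending:                                   # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\")
            pending = (name, data) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = data
            continue
        if (m := _KEY_RE.match(line)):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                keys[current][name] = data
    return keys


def _reg_string(data):
    """Decode a quoted .reg string value; None for dword/hex data."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None


def scan_reg_export(text):
    """Return (strength, description) findings for the registry indicators above."""
    keys, findings = parse_reg_export(text), []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        shown = _reg_string(data) or data
        if name in RUN_VALUE_NAMES or shown.lower().endswith(DROPPED_FILE):
            findings.append(("strong", f"Run value {name!r} -> {shown}"))
    if POST_PLATFORM_VALUE in keys.get(POST_PLATFORM_KEY.lower(), {}):
        findings.append(("strong", "bsalsa.com Post Platform marker present"))
    # Windows itself keeps a NIC address as NetworkAddress here (for sequential UUIDs),
    # so only the exact reported bytes count, and only as a weak indicator.
    raw = keys.get(UUID_KEY.lower(), {}).get("networkaddress", "").lower()
    if raw.startswith("hex:") and " ".join(filter(None, raw[4:].split(","))) == UUID_DATA:
        findings.append(("weak", "UuidTemporaryData\\NetworkAddress matches reported data"))
    return findings


def scan_connections(lines):
    """Flag the reported C2 endpoint, and any other outbound TCP/1433 (MSSQL) to a public address."""
    hits = []
    for line in (l.strip() for l in lines):
        m = _CONN_RE.match(line)
        if not m or m.group("proto").upper() != "TCP":
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if dst == C2_IP and dport == C2_PORT:
            hits.append(("strong", line))
        elif dport == C2_PORT and ipaddress.ip_address(dst).is_global:
            hits.append(("review", line))
    return hits


# Constructed sample inputs (not from the original analysis).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gbp Service"="C:\\Windows\\GbpSv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Embedded Web Browser from: http://bsalsa.com/"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
"NetworkAddress"=hex:00,4d,aa,07,\
  a4,c4
"""
SAMPLE_CONNECTIONS = [
    "2009-02-04 10:22:31 ALLOW TCP 10.0.0.5 201.76.55.11 49201 1433 - - - - - - - - SEND",
    "2009-02-04 10:22:40 ALLOW TCP 10.0.0.5 10.0.0.20 49202 1433 - - - - - - - - SEND",
    "2009-02-04 10:23:02 ALLOW TCP 10.0.0.5 201.76.55.11 49203 80 - - - - - - - - SEND",
    "2009-02-04 10:23:15 ALLOW TCP 10.0.0.5 93.184.216.34 49204 1433 - - - - - - - - SEND",
    "2009-02-04 10:23:20 ALLOW UDP 10.0.0.5 10.0.0.1 49205 53 - - - - - - - - SEND",
]
```

Run `scan_reg_export(SAMPLE_REG)` and `scan_connections(SAMPLE_CONNECTIONS)` against the embedded samples, or feed them the output of `reg export` and the contents of `pfirewall.log` from a suspect host. Findings carry a strength so that the Run entry and the exact C2 connection can be acted on directly, while the NetworkAddress match and the generic external-1433 hits go to an analyst for review.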
Analysis by Subratam Biswas
Last update 04 February 2009