TrojanSpy:Win32/Bancos.AHL
First posted on 26 June 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:Win32/Bancos.AHL.
Explanation:
TrojanSpy:Win32/Bancos.AHL is a member of Win32/Bancos, a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, and relays the captured information to a remote attacker. Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.
Installation
When executed, TrojanSpy:Win32/Bancos.AHL copies itself to %windir%\flashplayer.exe. The malware adds the following registry value so that its copy executes at each Windows start:
Adds value: "flashplayer.exe"
With data: "c:\windows\flashplayer.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
The malware creates the following files on an affected computer:
- %windir%\active.bat
- %windir%\kbr9098798799.log
Payload
Modifies system security settings
TrojanSpy:Win32/Bancos.AHL modifies the affected computer's security settings by making the following changes to the registry:
- The malware may attempt to disable Firewall notifications from the Windows Security Center by making the following registry modification:
Adds value: "FirewallDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
- The malware may attempt to disable antivirus notifications from the Windows Security Center by making the following registry modification:
Adds value: "AntiVirusDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
- The malware may attempt to stop the Windows Security Center from displaying automatic update alerts by making the following registry modification:
Adds value: "UpdatesDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Modifies browser settings
The malware modifies web browser settings on the infected computer by making the following registry modification:
Adds value: "AutoConfigURL"
With data: ""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Writing an empty string to AutoConfigURL clears any proxy auto-configuration (PAC) script URL that Internet Explorer and other WinINet clients were previously configured to use.
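The following script is an added example and is not part of the Microsoft write-up: it checks a suspect host for the file, registry and network indicators listed above. It assumes an elevated PowerShell session (Get-FileHash needs PowerShell 4 or later, Get-DnsClientCache needs Windows 8 / Server 2012 or later, and the DNS check is skipped where the cmdlet is absent); the registry key paths and value names are exactly those given on this page.

```powershell
# Added example (not Microsoft's code): host-based check for the
# TrojanSpy:Win32/Bancos.AHL indicators documented on this page.
# Run in an elevated PowerShell session on the host under investigation.

$findings = @()

# 1. Persistence: the dropped copy and the HKCU Run value pointing at it.
$dropped = Join-Path $env:windir 'flashplayer.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA1).Hash.ToLower()
    $findings += "Dropped file present: $dropped (SHA1 $hash)"
    # SHA1 of the sample this write-up was generated from.
    if ($hash -eq '2ca936e879c2356a7deeda8b659e840d047b9116') {
        $findings += 'SHA1 matches the analysed sample'
    }
}
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'flashplayer.exe' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value 'flashplayer.exe' -> $($runVal.'flashplayer.exe')"
}

# 2. Files written during installation.
foreach ($name in 'active.bat', 'kbr9098798799.log') {
    $p = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $p) { $findings += "Installation artefact present: $p" }
}

# 3. Security Center notifications switched off (value data "1").
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'FirewallDisableNotify', 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
    $v = Get-ItemProperty -Path $scKey -Name $name -ErrorAction SilentlyContinue
    if ($v -and "$($v.$name)" -eq '1') { $findings += "Security Center: $name = 1" }
}

# 4. Proxy auto-config URL present but emptied.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pac = Get-ItemProperty -Path $inetKey -Name 'AutoConfigURL' -ErrorAction SilentlyContinue
if ($pac -and [string]::IsNullOrEmpty($pac.AutoConfigURL)) {
    $findings += 'AutoConfigURL exists but is empty'
}

# 5. Network indicator: the C2 hostname in the local DNS resolver cache.
#    Assumes Get-DnsClientCache is available; skipped otherwise.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*br-promocao.com.br*' }
    if ($dns) { $findings += 'DNS cache holds an entry for br-promocao.com.br' }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output '[+] No TrojanSpy:Win32/Bancos.AHL indicators found'
}
```

Each check is reported separately because the indicators have different weight: the dropped file and its Run value are specific to this variant, whereas the Security Center values and an empty AutoConfigURL are shared by many malware families and by some administrative tooling, so treat those alone as corroborating rather than conclusive.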
Contacts remote host
The malware may contact a remote host at www.br-promocao.com.br using TCP port 80. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of the file with SHA1 2ca936e879c2356a7deeda8b659e840d047b9116.
Last update 26 June 2012