
TrojanProxy:JS/Banker.AC


First posted on 07 November 2012.
Source: Microsoft

Aliases:

TrojanProxy:JS/Banker.AC is also known as JS/ProxyChanger.P (Avira), Virus.Proxy (Ikarus), Trojan.JS.Banker.AZ (VirusBuster), Trojan.JS.Banker.AM (BitDefender).

Explanation:



TrojanProxy:JS/Banker.AC is a JavaScript trojan that steals your personal information, such as your logon details, from certain Brazilian banking websites.



Installation

TrojanProxy:JS/Banker.AC is dropped and installed as "%SystemDrive%\prefs.js" by other malware, such as TrojanProxy:Win32/Banker.AT.

Note: %SystemDrive% refers to a variable location that is determined by the malware by querying the operating system. The drive letter for the System Drive in Windows 2000, XP, 2003, Vista, 7, and 8 is "C:".



Payload

Steals sensitive information

TrojanProxy:JS/Banker.AC intercepts data sent between your computer and certain Brazilian banking websites. The data it intercepts and steals could be your account login details, such as your username and password, and any other information you input on the site.

We have observed TrojanProxy:JS/Banker.AC monitoring the following sites:

Additional information

TrojanProxy:JS/Banker.AC redirects traffic requests from your computer to the banking sites through a proxy server with either of the following IP addresses, using TCP port 80:

  • 187.109.161.24
  • 187.109.167.29
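
A log check for the redirection described above, added here as an example and not part of the Microsoft entry: it flags clients that send proxy-form HTTP requests (absolute-URI or CONNECT) to either listed address on TCP port 80. The log layout, the sample lines and the *.example host names are constructed, and it assumes the affected browser speaks standard HTTP proxy form to the proxy.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Proxy endpoints named in the entry above; the trojan uses TCP port 80.
PROXY_IPS = {"187.109.161.24", "187.109.167.29"}
PROXY_PORT = 80

# Assumed (constructed) log layout, one request per line:
#   <timestamp> <client_ip> <dst_ip>:<dst_port> "<HTTP request line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>[\d.]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"$')

def proxied_host(method, target):
    """Return the host named by a proxy-form request target, else None."""
    if method == "CONNECT":  # tunnel request: CONNECT host:port
        return target.rsplit(":", 1)[0].lower() or None
    if target.lower().startswith(("http://", "https://")):  # absolute-URI
        return (urlsplit(target).hostname or "").lower() or None
    return None  # origin-form ("/path"): a direct request, not a proxied one

def find_redirected_clients(lines):
    """Map client IP -> sorted hosts it requested through the listed proxies."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] not in PROXY_IPS or int(m["port"]) != PROXY_PORT:
            continue
        host = proxied_host(m["method"], m["target"])
        if host:
            hits[m["client"]].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample lines (private/documentation addresses, *.example hosts).
SAMPLE_LOG = [
    '2012-11-07T10:00:01Z 10.0.0.5 187.109.161.24:80 "GET http://bank.example/login HTTP/1.1"',
    '2012-11-07T10:00:02Z 10.0.0.5 187.109.167.29:80 "CONNECT secure.bank.example:443 HTTP/1.1"',
    '2012-11-07T10:00:03Z 10.0.0.9 198.51.100.7:80 "GET http://bank.example/ HTTP/1.1"',
    '2012-11-07T10:00:04Z 10.0.0.7 187.109.161.24:8080 "GET http://bank.example/ HTTP/1.1"',
    '2012-11-07T10:00:05Z 10.0.0.8 187.109.161.24:80 "GET /index.html HTTP/1.1"',
]

if __name__ == "__main__":
    for client, hosts in find_redirected_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```

A client flagged here is worth checking for "%SystemDrive%\prefs.js" and for the dropper named under related entries.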

Related encyclopedia entries

TrojanProxy:Win32/Banker.AT



Analysis by Jireh Sanico

Last update 07 November 2012

 
