TrojanSpy:Win32/Bancos.AEV
First posted on 30 December 2011.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Bancos.AEV is also known as Trojan.PWS.Banker.61210 (Dr.Web), Trojan-Banker.Win32.Banbra.amdu (Kaspersky), Mal/Bancos-Q (Sophos).
Explanation:
TrojanSpy:Win32/Bancos.AEV is a trojan that monitors and captures logon credentials for certain social networking websites and an online banking website. The stolen credentials are sent to an email address for collection by an attacker.
Installation
TrojanSpy:Win32/Bancos.AEV is installed by other malware, such as TrojanDropper:Win32/Bancos.J, and may be present as a .DLL file, for example:
- C:\MessengerPlus\GoogleToolbar_32.dll
The registry is modified to register Bancos.AEV as a Browser Helper Object (BHO), so that the DLL is loaded whenever the web browser is launched.
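As an added defender-side example (not part of the original Microsoft write-up), the following Python script parses a registry export and lists Browser Helper Objects whose DLL loads from outside the usual program directories, which is how a path such as C:\MessengerPlus\GoogleToolbar_32.dll would stand out. The .reg text and the two CLSIDs in it are constructed for this example; the registry key paths are the real ones used for BHO registration.

```python
import re
from typing import Dict, List, Tuple

# Real registry locations: BHOs are listed by CLSID under this key, and each
# CLSID's InprocServer32 default value names the DLL that gets loaded.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Directories from which a legitimately installed BHO would normally load.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed .reg export (not a real capture): one BHO under Program Files and
# one pointing at the DLL path given in the Bancos.AEV description. The CLSIDs
# are placeholders invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\MessengerPlus\\GoogleToolbar_32.dll"
"ThreadingModel"="Apartment"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_reg(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (registered BHO CLSIDs, {CLSID: InprocServer32 DLL path})."""
    bho_clsids: List[str] = []
    inproc: Dict[str, str] = {}
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            if current_key.lower().startswith(BHO_KEY.lower() + "\\"):
                bho_clsids.append(current_key.rsplit("\\", 1)[1])
            continue
        value_match = _DEFAULT_VALUE_RE.match(line)
        if value_match and current_key.lower().startswith(CLSID_KEY.lower() + "\\"):
            parts = current_key.split("\\")
            # Expect HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32
            if len(parts) == 4 and parts[3].lower() == "inprocserver32":
                # .reg exports double every backslash inside string values.
                inproc[parts[2]] = value_match.group(1).replace("\\\\", "\\")
    return bho_clsids, inproc


def audit_bhos(text: str) -> List[Tuple[str, str, str]]:
    """Flag BHOs with no resolvable DLL or a DLL outside trusted directories."""
    bho_clsids, inproc = parse_reg(text)
    findings: List[Tuple[str, str, str]] = []
    for clsid in bho_clsids:
        path = inproc.get(clsid)
        if path is None:
            findings.append((clsid, "", "BHO registered but no InprocServer32 DLL found"))
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append((clsid, path, "BHO DLL loads from outside trusted program directories"))
    return findings


if __name__ == "__main__":
    for clsid, path, reason in audit_bhos(SAMPLE_REG):
        print(f"{clsid}  {path or '<unresolved>'}  -- {reason}")
```

To use it on a live machine, feed it the text of a `reg export` of the BHO key and of `HKEY_CLASSES_ROOT\CLSID`; on 64-bit systems also export the `Wow6432Node` copy of the BHO key, and check `HKEY_CURRENT_USER\Software\Classes\CLSID` as well, since a per-user CLSID registration takes precedence over the machine-wide one.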
Payload
Steals logon credentials
TrojanSpy:Win32/Bancos.AEV monitors for web browser access to the following online banking website logon form:
- https://bankline.itau.com.br/lgnet/itauf/bankline.htm
When logon details are entered, the trojan captures them. It also collects other information, including the computer logon account user name and password and the MAC address. The collected information is sent to an email address for collection by an attacker.
The trojan also attempts to monitor logon information entered for the following social networking websites and send the captured data via email as well:
- Orkut
Analysis by Francis Allan Tan Seng
Last update 30 December 2011