Trojan:DOS/Bancos.A
First posted on 24 November 2012.
Source: Microsoft
Aliases:
Trojan:DOS/Bancos.A is also known as TR/Bancos.A.3 (Avira), TROJ_BURG.BT (Trend Micro), Trojan.Boot.Burg (Ikarus), Trojan.Boot.Burg.a (Kaspersky), Win32/TrojanDownloader.Banload.RGF (ESET).
Explanation:
Trojan:DOS/Bancos.A is a trojan that disables Microsoft antivirus and banking security software. It is a component of the Win32/Bancos family of information-stealing trojans.
The trojan disables security software to allow other Win32/Bancos components to more easily infect your computer and steal your information.
Installation
Trojan:DOS/Bancos.A is downloaded by TrojanDownloader:Win32/Banload.AHI. Once downloaded, Trojan:DOS/Bancos.A overwrites your computer's loading sequence (for example, in Windows XP it overwrites "C:\ntldr" and in Windows Vista it overwrites "C:\bootmgr").
Payload
Disables antivirus and banking security software
When installed, Trojan:DOS/Bancos.A overwrites your computer's loading sequence with its own loading menu, and claims that your computer must be restarted in order to apply critical security updates. The trojan then restarts your computer. The message is displayed in a window as follows:
The message translates from Portuguese as "Windows Updates will restart your computer to complete the installation of Critical Security Updates".
Upon restart, instead of loading into Windows, your computer displays a menu which appears for a fraction of a second. This menu contains a single "option", which is automatically selected, as follows:
The message translates from Portuguese as "Starting Microsoft Malicious Software Removal Tool".
This menu option displays the following screen while loading:
A screen then appears that, when translated from Portuguese, states the following:
ATTENTION: Virus-infected files were found
Starting virus removal process
Process started...
This process may take a while, depending on the amount of virus-infected files found
Do not turn off or restart your computer during this process
The trojan proceeds to search for and delete files related to a browser security product and certain Microsoft antivirus products, as follows:
- Microsoft Security Essentials
- Microsoft Malicious Software Removal Tool
- Windows Defender
- G-Buster Browser Defense
Once it has found and deleted these files, it presents messages which, when translated from Portuguese, state:
Process completed successfully...
Restarting the computer
The trojan restores your original loading sequence and restarts your computer. Your computer should boot normally; however, your Microsoft antivirus and G-Buster Browser Defense products may no longer work correctly, and you will be unprotected against other attacks.
Additional information
The messages originally appear in Portuguese, as follows:
O Windows Update está reiniciando seu computador para a finalização da instalação de Atualizações Críticas de Segurança
Iniciando a Ferramenta de Remocao de Software Mal-Intencionado da Microsoft
ATENÇÃO: foram localizados arquivos infectados com vírus
Iniciando processo de remoção de vírus
Processo iniciado...
Este processo pode demorar um pouco, dependendo da quantidade de arquivos infectados com vírus localizados
Não desligue nem reinicie seu computador durante esta processo
Processo concluido com sucesso...
Reiniciando o computador.
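Because the trojan works by overwriting the boot loader file named in the Installation section and then restoring it after the reboot, the defensive check that matters is boot-loader integrity: record a hash of "C:\ntldr" or "C:\bootmgr" while the machine is known-good, and alert when the file's hash changes or when it contains the Portuguese strings listed above. The following Python script is an added example written for this entry, not code from Microsoft or from the sample's analysis. It assumes the loader stores the messages as single-byte OEM (cp850) or Windows-1252 text, which is an assumption for illustration; the file contents it checks are constructed stand-ins built in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile

# Marker strings taken from the Portuguese messages quoted in this entry.
# Assumption (not a documented artefact of the sample): the boot-time program
# embeds them as plain single-byte strings, so they can be found in the file.
MARKERS = [
    "Iniciando a Ferramenta de Remocao de Software Mal-Intencionado da Microsoft",
    "foram localizados arquivos infectados com v\u00edrus",
    "Processo concluido com sucesso",
]

# Boot loader locations named in the Installation section.
BOOT_FILES = {
    "xp": r"C:\ntldr",
    "vista": r"C:\bootmgr",
}


def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_markers(path, markers=MARKERS, encodings=("cp850", "cp1252", "utf-8")):
    """Return the marker strings present in the file under any of the given encodings."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for marker in markers:
        for enc in encodings:
            try:
                needle = marker.encode(enc)
            except UnicodeEncodeError:
                continue
            if needle in data:
                hits.append(marker)
                break
    return hits


def check_boot_loader(path, baseline_sha256):
    """Classify a boot loader file as 'ok', 'hash-mismatch' or 'tampered'.

    'tampered' means one of the known message strings is present; 'hash-mismatch'
    means the file differs from the recorded baseline but carries no known marker
    (which still deserves a look, e.g. after an unexpected loader replacement).
    """
    result = {
        "path": path,
        "sha256": sha256_of(path),
        "markers": find_markers(path),
    }
    if result["markers"]:
        result["verdict"] = "tampered"
    elif result["sha256"] != baseline_sha256:
        result["verdict"] = "hash-mismatch"
    else:
        result["verdict"] = "ok"
    return result


def demo():
    """Build a constructed clean loader and a constructed overwritten loader, check both."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "bootmgr")
        with open(clean, "wb") as f:
            f.write(b"BOOTMGR" + b"\x00" * 64)  # constructed stand-in for a genuine loader
        baseline = sha256_of(clean)  # baseline must be taken while the system is known-good

        overwritten = os.path.join(d, "bootmgr.overwritten")
        with open(overwritten, "wb") as f:
            # constructed stand-in: a fake loader carrying one of the quoted messages
            f.write(b"\xeb\x3c\x90" + MARKERS[0].encode("cp850") + b"\x00" * 64)

        clean_verdict = check_boot_loader(clean, baseline)["verdict"]
        overwritten_verdict = check_boot_loader(overwritten, baseline)["verdict"]
        return clean_verdict, overwritten_verdict


if __name__ == "__main__":
    print(demo())  # on the constructed files: ('ok', 'tampered')
```

In production use, `check_boot_loader` would be pointed at the real path from `BOOT_FILES` with a baseline hash recorded at build time; note that the trojan restores the original loader after its reboot, so the hash check only catches the window between download and restart, while a missing Microsoft Security Essentials, Malicious Software Removal Tool, Windows Defender or G-Buster installation afterwards is the lasting indicator.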
Related encyclopedia entries
Win32/Bancos
TrojanDownloader:Win32/Banload.AHI
Analysis by Sergey Chernyshev
Last update 24 November 2012