
TrojanSpy:Win32/Bancos.AER


First posted on 06 January 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Bancos.AER is also known as Trojan.PWS.Banker!5t+GB4qgJLo (Wild List ORG), PSW.Banker6.OJU (AVG), Trojan-Spy.Win32.Bancos (Ikarus), Trojan-Banker.Win32.Banker.sojk (Kaspersky).

Explanation:

TrojanSpy:Win32/Bancos.AER is a member of Win32/Bancos - a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, and relays the captured information to a remote attacker. Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.





Installation

TrojanSpy:Win32/Bancos.AER may be installed by other potentially unwanted software or by a malicious website. It is composed of an EXE component that downloads a DLL component, which performs the information-stealing routine.

The DLL file is installed as a Browser Helper Object (BHO) with the following file name:

C:\ProgramData\<random number>.dll

For example, "C:\ProgramData\6.dll".

It creates the following registry entries to install its BHO component:

In subkey: HKLM\SOFTWARE\Classes\Software\Classes\CLSID\{<random CLSID>}
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{<random CLSID>}\InprocServer32
Sets value: "(default)"
With data: "<path and file name of the DLL file>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random CLSID>}
Sets value: "Noexplorer"
With data: "1"
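The registry entries above can be checked for on a suspect host. The following PowerShell script is an added example, not part of the original write-up: it enumerates every registered Browser Helper Object, resolves its CLSID to the InprocServer32 DLL path, and flags the pattern described here (a digits-only DLL name under C:\ProgramData, the "Noexplorer" value). The Wow6432Node paths and the Authenticode check are assumptions added for completeness.

```powershell
# Added example: hunt for BHO registrations matching the Bancos.AER installation pattern.
# Assumption: also look in the Wow6432Node views used by 32-bit IE on 64-bit Windows.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $clsid = $key.PSChildName                      # subkey name is the BHO's CLSID
        $props = Get-ItemProperty -Path $key.PSPath
        $noExplorer = $props.Noexplorer                # value set by this variant (also a legitimate BHO flag)

        # Resolve the CLSID to the DLL that implements it via InprocServer32's default value.
        $dll = $null
        foreach ($cr in $clsidRoots) {
            $ips = Join-Path $cr "$clsid\InprocServer32"
            if (Test-Path $ips) { $dll = (Get-ItemProperty -Path $ips).'(default)'; break }
        }

        $indicators = @()
        # Strong indicator: C:\ProgramData\<digits>.dll, e.g. C:\ProgramData\6.dll
        if ($dll -match '^[A-Za-z]:\\ProgramData\\\d+\.dll$') {
            $indicators += 'DLL in ProgramData with digits-only name'
        }
        # Weak indicator on its own: NoExplorer=1 is a documented BHO setting (load only in IE),
        # so it matters mainly in combination with the path pattern above.
        if ("$noExplorer" -eq '1') { $indicators += 'Noexplorer=1' }
        if ($dll -and -not (Test-Path $dll)) {
            $indicators += 'InprocServer32 path missing on disk'
        } elseif ($dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $indicators += "Authenticode: $($sig.Status)" }
        }

        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            Noexplorer = $noExplorer
            Indicators = ($indicators -join '; ')
        }
    }
}
```

Run it in an elevated PowerShell session and review any row whose Indicators column is non-empty; an unsigned digits-only DLL under C:\ProgramData registered as a BHO is the combination this write-up describes.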



Payload

Steals user information

TrojanSpy:Win32/Bancos.AER monitors websites that the user visits, most of which are related to online banking. It monitors the following websites, then captures user details:

  • internetbanking.caixa.gov.br
  • login.live.com
  • serasaexperian.com.br
  • sicredi.com.br


The user details are then sent to a remote attacker through an SQL server hosted at "dbsq<random digits>.whservidor.com".

Additional information

TrojanSpy:Win32/Bancos.AER may also have the capability to connect to a remote IRC server.



Analysis by Stefan Sellmer

Last update 06 January 2012

 
