Home / malware TrojanSpy:Win32/Bancos.MB
First posted on 16 April 2009.
Source: SecurityHomeAliases :
TrojanSpy:Win32/Bancos.MB is also known as Also Known As:PWS-Banker (McAfee), Mal_Banker (Trend Micro), Mal/Banspy-F (Sophos), Trojan-Downloader.Win32.Banload.wyq (Kaspersky), Win32/TrojanDownloader.Banload.WYQ (ESET).
Explanation :
TrojanSpy:Win32/Bancos.MB is a trojan that targets customers of certain online banking Web sites operating in Brazil by stealing user logon names and passwords. Captured credentials are sent to an attacker using HTTP.
Symptoms
System ChangesThe following system changes may indicate the presence of TrojanSpy:Win32/Bancos.MB:Presence of the malware as any of the following files: <system folder>Express.exe<system folder>Process.exe<system folder>Winblaster.exe<system folder>WinDkill.exe<system folder>Winsys32.exePresence the following registry value with data: Adds value: "<value>"With data: "<system folder><Win32/Bancos.MB filename>"To subkey: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
TrojanSpy:Win32/Bancos.MB is a trojan that targets customers of certain online banking Web sites operating in Brazil by stealing user logon names and passwords. Captured credentials are sent to an attacker using HTTP. The Bancos family consists of password-stealing trojans. They attempt to steal passwords and other confidential data from the infected computer. Many variants of this family masquerade as interfaces to online banking applications in order to trick the user into entering confidential data. The malware in this family is often created to target Brazilian online banking institutions.
Installation
This trojan may be installed by other malware. In the wild, this trojan has been observed to be present as any of the following files: <system folder>Express.exe<system folder>Process.exe<system folder>Winblaster.exe<system folder>WinDkill.exe<system folder>Winsys32.exe Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:WinntSystem32; and for XP and Vista is C:WindowsSystem32. During installation, this trojan may modify the registry in order to ensure that its copy is executed at each Windows start: Adds value: "<value>"With data: "<system folder><Win32/Bancos.MB filename>"To subkey: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
Payload
Captures & Sends Logon CredentialsWin32/Bancos is a family of password-stealing trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker via HTTP. This trojan targets customers of Brazilian banks sites, such as the following: bradesco.com.brbb.com.brbancobrasil.com.brnossacaixa.com.br
Analysis by Wei LiLast update 16 April 2009