Home / malware TrojanSpy:Win32/Bancos.TE
First posted on 09 April 2010.
Source: SecurityHomeAliases :
TrojanSpy:Win32/Bancos.TE is also known as TR/Dldr.Delphi.Gen (Avira), Trojan-Banker.Win32.Banbra.tzm (Kaspersky), PWS-Banker!fol (McAfee), W32/DLoader.AHHRA (Norman), Trj/Banbra.GQO (Panda), Suspicious.MH690 (Symantec), Trojan.PWS.Banbra.KSL (VirusBuster).
Explanation :
TrojanSpy:Win32/Bancos.TE is a password stealing trojan that targets specific online banking web sites.
Top
TrojanSpy:Win32/Bancos.TE is a password stealing trojan that targets specific online banking web sites. InstallationThis trojan may be installed by other malware such as TrojanDownloader:Win32/Delf.JA. When run, TrojanSpy:Win32/Bancos.TE creates a copy of itself as the following: <system folder>\svchupd.exe The registry is modified to run the trojan copy at each Windows start. Adds value: "SvChUpd"
With data: €œ<system folder>\svchupd.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Payload Steals User InformationWin32/Bancos is a family of password-stealing trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker.
It may target customers of Brazilian banks sites, such as the following:bradesco.com.br bb.com.br bancobrasil.com.br nossacaixa.com.br rural.com.br Additional InformationTrojanSpy:Win32/Bancos.TE may alter the user agent value for the Web browser by modifying registry data. Adds value: "Embedded Web Browser from: http://bsalsa.com/"With data: "0"To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Analysis by Wei LiLast update 09 April 2010