
Trojan:BAT/Bancos.B


First posted on 16 January 2013.
Source: Microsoft

Aliases :

Trojan:BAT/Bancos.B is also known as BAT/Disabler.E.dropper (AVG), TR/Proxy.Banker.O.33 (Avira), BAT/Spy.Banker.AB trojan (ESET), Trojan.BAT.DNSChanger.b (Kaspersky), PWS-Banker!hdv (McAfee), Troj/DNSChan-NG (Sophos), TROJ_SPNR.03G312 (Trend Micro).

Explanation :



Installation

Trojan:BAT/Bancos.B may be installed by other malware. It may be present as the files "ctfmon.exe" and "crash.bat" in the Windows Temporary Files folder (%temp%). Note that the legitimate ctfmon.exe resides in the Windows system folder, not in the Temporary Files folder.

It automatically runs every time you log on by modifying the following registry value, appending its own file to the list of programs Winlogon starts after the legitimate userinit.exe:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "C:\Windows\system32\userinit.exe,%temp%\ctfmon.exe"



Payload

Changes your computer's security settings

Trojan:BAT/Bancos.B changes your computer's security settings. It prevents notifications in Windows Security Center from appearing so that you are not notified if the following are disabled:

  • Your antivirus program
  • Windows Firewall
  • Automatic Windows updates


It does this by changing the following registry entries:

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusDisableNotify"
With data: "1"

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "FirewallDisableNotify"
With data: "1"

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "UpdatesDisableNotify"
With data: "1"

It also disables System Restore in your computer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "DisableSR"
With data: "1"

It also changes your computer's DNS server settings. If it cannot reach the server "dnss.linetimex.org", it sets the DNS server to the IP address "8.8.8.8" (a public resolver, so this value on its own is not conclusive evidence of infection).

Trojan:BAT/Bancos.B also disables User Account Control (UAC):

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
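The following read-only triage script is an added example, not code from Microsoft's encyclopedia entry. It checks a host for the persistence entry, the Security Center, System Restore and UAC registry changes, the dropped files and the DNS setting described above. The registry paths and file names are the ones this entry lists; the function name Get-RegValue and the output wording are my own.

```powershell
# Added example (not from the Microsoft entry): read-only triage for the
# Trojan:BAT/Bancos.B indicators described on this page.
# Run from an elevated PowerShell prompt on the suspect host. Nothing is modified.

$findings = New-Object System.Collections.Generic.List[string]

# Helper (assumed name): return a registry value, or $null if the key/value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Persistence: Winlogon\Userinit should contain only the real userinit.exe.
#    The trojan appends "%temp%\ctfmon.exe" after the comma.
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
if ($userinit) {
    $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
        if ($_ -ne $expectedUserinit) {
            $findings.Add("Unexpected Userinit entry (persistence): $_")
        }
    }
}

# 2. Security Center notifications suppressed (1 = notification disabled).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ((Get-RegValue $sc $name) -eq 1) {
        $findings.Add("Security Center notification disabled: $name = 1")
    }
}

# 3. System Restore disabled at the location this entry reports.
if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' 'DisableSR') -eq 1) {
    $findings.Add('System Restore disabled: DisableSR = 1 under Internet Settings')
}

# 4. UAC turned off. EnableLUA = 0 only takes effect after the next reboot,
#    so an infected host may still prompt for elevation until then.
if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA') -eq 0) {
    $findings.Add('UAC disabled: EnableLUA = 0')
}

# 5. Dropped files. The legitimate ctfmon.exe lives in %SystemRoot%\system32, so a
#    copy in the Temp folder is suspicious by itself. %TEMP% here is the Temp folder
#    of the account running this script; check the affected user's profile as well.
foreach ($f in 'ctfmon.exe', 'crash.bat') {
    $p = Join-Path $env:TEMP $f
    if (Test-Path $p) { $findings.Add("Dropped file present: $p") }
}

# 6. DNS servers on every IP-enabled adapter. 8.8.8.8 is a public resolver, so it is
#    only a finding where the host is not expected to use it; compare with your baseline.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    foreach ($dns in @($_.DNSServerSearchOrder)) {
        if ($dns -eq '8.8.8.8') {
            $findings.Add("Adapter '$($_.Description)' uses DNS server 8.8.8.8 (review against baseline)")
        }
    }
}

if ($findings.Count -eq 0) { 'No Trojan:BAT/Bancos.B indicators found.' } else { $findings }
```

Each indicator is reported separately because none of them is conclusive alone; the Userinit entry pointing into the Temp folder is the strongest single signal, while the 8.8.8.8 DNS setting needs to be judged against what the host normally uses.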

Steals sensitive information

Trojan:BAT/Bancos.B sends your Windows user name and computer name to a remote server, for example, the one located at the IP address "91.121.88.79".



Analysis by Zhitao Zhou

Last update 16 January 2013
