Win32/Bancodor [Threat Name]

Win32/Bancodor.NAL [Threat Variant Name]

Category: trojan
Size: 446976 B
Detection created: Jan 26, 2011
Detection database version: 5821
Aliases: Backdoor.Win32.Bancodor.i (Kaspersky)
  PWS-Banker.gen.b.trojan (McAfee)
  Backdoor:Win32/Bancodor.I (Microsoft)
  Infostealer.Bancos (Symantec)
Short description

Win32/Bancodor.NAL is a trojan that steals passwords and other sensitive information.

Installation

The trojan is usually a part of other malware.


The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Logo" = "%malwarefilepath%"

The trojan tries to load the libraries C:\WINDOWS\M0002.DLL and C:\WINDOWS\K0001.DLL and inject them into all running processes.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The trojan collects various information when Internet Explorer is being used.


The trojan searches for windows whose title contains any of the following strings:

  • :. BICBANCO .:: - Microsoft Internet Explorer
  • AAPF - Microsoft Internet Explorer
  • B A N R I S U L - Microsoft Internet Explorer
  • BBV - Microsoft Internet Explorer
  • BEC - Banco do Estado do Ceará - Microsoft Internet Explorer
  • BRB-Banknet - Microsoft Internet Explorer
  • Banco BBM - Microsoft Internet Explorer
  • Banco BCN S.A. - Microsoft Internet Explorer
  • Banco Banerj S/A. - Microsoft Internet Explorer
  • Banco Banestado S. A. - Banco Múltiplo - Microsoft Internet Explorer
  • Banco Itaú - Feito Para Você - Microsoft Internet Explorer
  • Banco Safra S.A. - Microsoft Internet Explorer
  • Banco Santander - Microsoft Internet Explorer
  • Banco Sudameris Brasil S.A. ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò ò - Microsoft Internet Explorer
  • Banco do Nordeste - Microsoft Internet Explorer
  • Banco1.net - o seu banco na Internet - Microsoft Internet Explorer
  • Bandepe Internet Empresa - Microsoft Internet Explorer
  • BandepeOnline - Microsoft Internet Explorer
  • Banese - O Banco de Sergipe - Microsoft Internet Explorer
  • Banespa - Microsoft Internet Explorer
  • BankBoston - Microsoft Internet Explorer
  • Bem vindo ao Nossa Caixa Net Banking - Microsoft Internet Explorer
  • Bradesco - Colocando Colocando você sempre à frente - Microsoft Internet Explorer
  • Bradesco - Microsoft Internet Explorer
  • Caixa Econômica Federal - Microsoft Internet Explorer
  • Calculadora
  • Citibank - Microsoft Internet Explorer
  • Citibank Online - Microsoft Internet Explorer
  • Citibanking On Line - Microsoft Internet Explorer
  • Gerenciador Financeiro - Microsoft Internet Explorer
  • HSBC Bank Brasil S.A. - Banco Múltiplo - Microsoft Internet Explorer
  • Internet Banking Banespa - Microsoft Internet Explorer
  • Internet Banking Federal - Microsoft Internet Explorer
  • Itaú Personnalité - Microsoft Internet Explorer
  • Portal BANCO REAL - ABN AMRO - Microsoft Internet Explorer
  • Real Internet Banking - Microsoft Internet Explorer
  • Santander Internet Banking - Microsoft Internet Explorer
  • _ Safra Empresas _ - Microsoft Internet Explorer
  • https://bankline.itau.com.br/GRIPNET/gracgi
  • https://ibpf.unibanco.com.br - Microsoft Internet Explorer

The trojan collects the following information:

  • login passwords for certain applications/services
  • login user names for certain applications/services
  • operating system version
  • current screen resolution
  • disk serial number (without spaces)

The collected information is stored in the following files:

  • C:\WINDOWS\WFW\ARQEVE.TXT
  • C:\WINDOWS\WFW\ARQCLK.TXT
  • C:\WINDOWS\WFW\ARQKEY.TXT
  • C:\WINDOWS\WFW\BKP\KEY.TXT
  • C:\WINDOWS\WFW\BKP\EVE.TXT
  • C:\WINDOWS\WFW\BKP\CLK.TXT
  • C:\WINDOWS\WFW\BKP\CLK%variable1%.BMP
  • C:\WINDOWS\WFW\BKP\BKP%variable2%.bck
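The persistence entry, the injected DLL paths, the targeted window titles and the drop files above are the host-side indicators a responder would check for. The script below is an added triage example, not code from the encyclopedia or the malware: it matches a host snapshot against those indicators. The snapshot format (a dict of Run-key values, a list of file paths and a list of window titles) and the sample snapshot itself are constructed assumptions; on a live Windows host the same data would come from winreg, the file system and an EnumWindows walk. The two file names with %variable% parts are handled as patterns rather than literal names, and only a subset of the window titles is carried over; the full list on this page can be pasted in the same way.

```python
import re
from typing import Dict, List

# Indicators taken from this page. Registry paths and file names are compared
# case-insensitively because Windows treats them that way.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Logo"

INJECTED_DLLS = (r"C:\WINDOWS\M0002.DLL", r"C:\WINDOWS\K0001.DLL")

DROP_FILES = (
    r"C:\WINDOWS\WFW\ARQEVE.TXT",
    r"C:\WINDOWS\WFW\ARQCLK.TXT",
    r"C:\WINDOWS\WFW\ARQKEY.TXT",
    r"C:\WINDOWS\WFW\BKP\KEY.TXT",
    r"C:\WINDOWS\WFW\BKP\EVE.TXT",
    r"C:\WINDOWS\WFW\BKP\CLK.TXT",
)
# CLK%variable1%.BMP and BKP%variable2%.bck have a variable middle part, so they
# become anchored regexes that allow anything except a path separator there.
DROP_PATTERNS = (
    re.compile(r"^C:\\WINDOWS\\WFW\\BKP\\CLK[^\\]*\.BMP$", re.IGNORECASE),
    re.compile(r"^C:\\WINDOWS\\WFW\\BKP\\BKP[^\\]*\.bck$", re.IGNORECASE),
)

# Subset of the window-title strings the trojan looks for (see the list above).
TITLE_FRAGMENTS = (
    "Banco Itaú - Feito Para Você - Microsoft Internet Explorer",
    "Bradesco - Microsoft Internet Explorer",
    "Caixa Econômica Federal - Microsoft Internet Explorer",
    "Citibank Online - Microsoft Internet Explorer",
    "https://bankline.itau.com.br/GRIPNET/gracgi",
)


def _norm(path: str) -> str:
    """Case-insensitive comparison key for Windows paths."""
    return path.casefold()


def triage(snapshot: Dict[str, object]) -> Dict[str, List[str]]:
    """Match a host snapshot against the indicators and return what was found."""
    findings: Dict[str, List[str]] = {
        "persistence": [], "injected_dlls": [], "artifacts": [], "targeted_windows": [],
    }
    run_values = snapshot.get("run_values", {})
    if RUN_VALUE_NAME in run_values:
        findings["persistence"].append(
            f'{RUN_KEY}\\{RUN_VALUE_NAME} = "{run_values[RUN_VALUE_NAME]}"'
        )
    dll_keys = {_norm(d) for d in INJECTED_DLLS}
    drop_keys = {_norm(f) for f in DROP_FILES}
    for path in snapshot.get("files", []):
        key = _norm(path)
        if key in dll_keys:
            findings["injected_dlls"].append(path)
        elif key in drop_keys or any(p.match(path) for p in DROP_PATTERNS):
            findings["artifacts"].append(path)
    for title in snapshot.get("window_titles", []):
        if any(fragment in title for fragment in TITLE_FRAGMENTS):
            findings["targeted_windows"].append(title)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """A bank window title alone is normal user activity; only host artifacts count."""
    return bool(findings["persistence"] or findings["injected_dlls"] or findings["artifacts"])


# Constructed sample snapshot (assumption for the example, not real host data).
SAMPLE_SNAPSHOT = {
    "run_values": {
        "Logo": r"C:\Users\alice\AppData\Local\Temp\svcupd.exe",
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
    "files": [
        r"C:\Windows\M0002.dll",
        r"C:\Windows\WFW\BKP\CLK20110126.BMP",
        r"C:\Windows\WFW\ARQKEY.TXT",
        r"C:\Windows\System32\notepad.exe",
    ],
    "window_titles": ["Bradesco - Microsoft Internet Explorer", "Untitled - Notepad"],
}

if __name__ == "__main__":
    result = triage(SAMPLE_SNAPSHOT)
    for category, hits in result.items():
        print(f"{category}: {hits}")
    print("suspicious:", is_suspicious(result))
```

The window-title hits are reported separately and deliberately left out of the verdict: a user with a bank site open produces the same title, so that list only tells the responder which sessions were in scope for capture, while the Run value, the DLLs and the WFW files are what actually distinguish an infected host.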

The trojan attempts to send gathered information to a remote machine.


The trojan sends the information via e-mail. The trojan contains a list of (1) addresses.

Other information

It can execute the following operations:

  • capture screenshots
  • log keystrokes
  • send files to a remote computer
