Win32/Spy.Bancos [Threat Name]

Win32/Spy.Bancos.OBQ [Threat Variant Name]

Category trojan
Size 398080 B
Detection created Feb 21, 2011
Detection database version 5893
Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan attempts to send gathered information to a remote machine. The file is run-time compressed using UPX, MPRESS.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Java auto-updater" = "%malwarefilepath%"

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The following keywords are monitored:

  • itau.com.br/index_itau.htm
  • https://login.live.com/ppsecure/sha1auth.srf?lc=1046
  • http://login.live.com/login.srf
  • https://pagseguro.uol.com.br
  • https://www.paypal.com/br/cgi-bin/webscr?cmd=_login-run
  • https://www.google.com/accounts/servicelogin?service=orkut
  • http://www.uol.com.br
  • http://mail.terra.com.br/
  • http://www.locaweb.com.br/default.html
  • https://www.santandernet.com.br/MainFrame.asp
  • http://www.santander.com.br/portal/wps/script/templates/GCMRequest.do?page=6140
  • https://www.santandernet.com.br/paginas/CRM/Processa.asp
  • https://www.cetelem.com.br/wps/portal/cetelem/normal/NL/login

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • user name
  • network adapter information
  • volume serial number
  • operating system version

The trojan attempts to send gathered information to a remote machine.


The HTTP protocol is used. The trojan contains a list of 51 URLs.

Other information

The trojan may create the text file:

  • AVS%diskserialnumber%%computername%.log
