Win32/PSW.Fakemsn [Threat Name]

Win32/PSW.FakeMSN.NBM [Threat Variant Name]

Category trojan
Size 1550336 B
Aliases Trojan-Banker.Win32.Banbra.aebf (Kaspersky)
  TrojanSpy:Win32/Banker.RQ (Microsoft)
  Infostealer.Bancos (Symantec)
Short description

Win32/PSW.FakeMSN.NBM is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Msnsock" = "%malwarepath%"
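
To check a host or a set of collected registry exports for this persistence entry, the following added example (not part of the original description and not vendor code) parses the text of a `.reg` export and reports any per-user Run-key value named "Msnsock". The function names and the sample export are constructed for illustration; as a generalization, keys under HKEY_USERS\<SID> are matched as well as HKEY_CURRENT_USER.

```python
import re

VALUE_NAME = "Msnsock"  # value name given in the description above

# Per-user Run key, either via HKEY_CURRENT_USER or a loaded HKEY_USERS\<SID> hive.
_RUN_KEY = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

# One REG_SZ line of a .reg export: "name"="data", with \\ and \" escapes.
_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def find_msnsock(reg_text):
    """Return [(key, data)] for each Run-key value named Msnsock.

    reg_text is the already-decoded text of a .reg export (regedit
    writes UTF-16; decode before calling). Registry key and value
    names are case-insensitive, so the comparison is too.
    """
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new section: remember current key
            continue
        m = _SZ.match(line)
        if m and key and _RUN_KEY.match(key):
            name, data = _unescape(m.group(1)), _unescape(m.group(2))
            if name.lower() == VALUE_NAME.lower():
                hits.append((key, data))  # data is the autostart path to inspect
    return hits


# Constructed sample export (paths are made up, not taken from a real sample).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
"msnsock"="C:\\Users\\alice\\AppData\\Roaming\\example.exe"

[HKEY_CURRENT_USER\Software\Example\Run]
"Msnsock"="C:\\not-a-run-key.exe"
'''

if __name__ == "__main__":
    for key, data in find_msnsock(SAMPLE):
        print(f"suspicious autostart: {key} -> {data}")
```

A hit only shows that a value with this name exists; the file the value points to still needs to be examined before drawing a conclusion.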
Information stealing

Win32/PSW.FakeMSN.NBM is a trojan that steals sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • e-mail addresses

The trojan gathers information related to the following services:

  • Facebook
  • Gmail
  • Hotmail
  • PayPal
  • Yahoo
  • UOL Mail
  • Terra Mail
  • Twitter
  • PagSeguro
  • Orkut
  • R7
  • Serasa Experian
  • globo
  • Lineage

The trojan displays the following fake dialog boxes:

The goal of the malware is to persuade the user to fill in personal information.


The trojan attempts to send gathered information to a remote machine.

Spreading via e-mail

The trojan spreads through links in spam emails which point to websites containing malware.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 10 URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
  • update itself to a newer version
  • send spam

The following programs are terminated:

  • msnmsgr.exe
  • firefox.exe
