Threat behavior
TrojanSpy:Win32/Bancos.WO is a password-stealing trojan that targets specific online banking websites. Captured credentials may be sent by SMTP (Simple Mail Transfer Protocol) email to a specified email address.
Installation
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.
In the wild, we have observed the malware using the following names:
The trojan ensures its copy automatically runs each time Windows starts by creating the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "IExplUpd"
With data: "<Malware File>"
Payload
Steals user data
TrojanSpy:Win32/Bancos.WO may monitor webpages visited by the affected user and capture logon credentials for specific online financial sites, such as the following:
bradesco.com.br
bb.com.br
bancobrasil.com.br
nossacaixa.com.br
If a targeted site is visited, TrojanSpy:Win32/Bancos.WO captures sensitive user details, such as the user names and passwords used on the site. Captured credentials may be sent through an SMTP server, for example smtps.uol.com.br (200.221.62.7) or socom15.uol.com.br, to a specified email address. For example:
From: rc-delmondes@uol.com.br
To: martaria02@gmail.com
Subject: Avs: 00-15-5D-14-55-00 - Boa Sorte!!! <PC name>
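As an added illustration that is not part of the original write-up, the following Python script turns the indicators listed above (the "IExplUpd" Run value, the SMTP relay hosts and IP, the sample From/To addresses and the "Avs: <MAC> - Boa Sorte!!!" subject format) into a detection check. It parses `reg query` output for the persistence entry and scans firewall, DNS and mail log lines for the exfiltration indicators. The `reg query` output and log lines are constructed sample data; their format, the placeholder file path in the Run entry and the SMTP port are assumptions, since the write-up gives neither the file name nor the port.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "IExplUpd"
SMTP_HOSTS = {"smtps.uol.com.br", "socom15.uol.com.br"}
SMTP_IPS = {"200.221.62.7"}
MAIL_ADDRESSES = {"rc-delmondes@uol.com.br", "martaria02@gmail.com"}
# Subject line "Avs: <MAC address> - Boa Sorte!!! <PC name>"
SUBJECT_RE = re.compile(r"Avs: (?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2} - Boa Sorte!!!")

# One alternation over every string indicator, guarded so that 200.221.62.7
# does not also match 200.221.62.70 and a host does not match inside a longer name.
_INDICATORS = SMTP_HOSTS | SMTP_IPS | MAIL_ADDRESSES
_INDICATOR_RE = re.compile(
    r"(?<![\w.@-])(?:"
    + "|".join(re.escape(i) for i in sorted(_INDICATORS, key=len, reverse=True))
    + r")(?![\w.@-])",
    re.IGNORECASE,
)


def parse_reg_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Parse the text printed by `reg query <key>` into {value_name: (type, data)}."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        # Value lines are indented: "<name>    REG_<TYPE>    <data>"
        m = re.match(r"^\s+(\S.*?)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$", line)
        if m:
            entries[m.group(1)] = (m.group(2), (m.group(3) or "").strip())
    return entries


def check_run_key(reg_output: str) -> List[str]:
    """Return the Run-key value names that match the persistence indicator."""
    entries = parse_reg_query(reg_output)
    return [name for name in entries if name.lower() == RUN_VALUE_NAME.lower()]


def scan_log_lines(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, matched indicators) for every line that mentions a relay
    host, the relay IP, one of the sample addresses, or the subject pattern."""
    hits = []
    for line in lines:
        matched = sorted({m.group(0).lower() for m in _INDICATOR_RE.finditer(line)})
        if SUBJECT_RE.search(line):
            matched.append("subject-pattern")
        if matched:
            hits.append((line, matched))
    return hits


# Constructed sample `reg query` output. The file path is a placeholder; the
# write-up only says the data is "<Malware File>".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    IExplUpd    REG_SZ    C:\Windows\System32\sample.exe
"""

# Constructed firewall, DNS and mail-gateway log lines (format is assumed).
SAMPLE_LOGS = [
    "2011-03-02 10:15:01 fw: 10.0.0.5:49321 -> 200.221.62.7:587 TCP allow",
    "2011-03-02 10:15:02 dns: WORKSTATION01 query A socom15.uol.com.br",
    "2011-03-02 10:15:03 fw: 10.0.0.5:49322 -> 200.221.62.70:443 TCP allow",
    '2011-03-02 10:15:09 mail: from=<rc-delmondes@uol.com.br> to=<martaria02@gmail.com> '
    'subject="Avs: 00-15-5D-14-55-00 - Boa Sorte!!! WORKSTATION01"',
    "2011-03-02 10:15:10 fw: 10.0.0.5:49323 -> 8.8.8.8:53 UDP allow",
]

if __name__ == "__main__":
    for name in check_run_key(SAMPLE_REG_QUERY):
        print("persistence indicator:", RUN_KEY + "\\" + name)
    for line, matched in scan_log_lines(SAMPLE_LOGS):
        print("network/mail indicator:", matched, "<-", line)
```

The relay hosts belong to a public mail provider, so a hit on them alone is weak evidence; the Run value name and the From/To pair combined with the subject pattern are the more specific indicators and should be weighted accordingly in triage.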
Analysis by Wei Li
Prevention