Threat behavior
TrojanSpy:Win32/Bancos.OM is a detection for a trojan that steals user credentials from dialog boxes pertaining to online banking Web sites.
Installation
Payload
Steals user credentials
TrojanSpy:Win32/Bancos.OM attempts to execute the following commands to deregister several DLLs, which may be components of online banking protection software:
regsvr32 /u -s "c:\arquivos de programas\scpad\scpLIB.dll"
regsvr32 /u -s "c:\arquivos de programas\scpad\scpMIB.dll"
regsvr32 /u -s "c:\arquivos de programas\scpad\scpsssh2.dll"
regsvr32 /u -s "c:\arquivos de programas\scpad\sshib.dll"
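As an added detection example (not part of this description), the Python check below scans process-creation command lines for regsvr32 unregistrations aimed at the scpad components listed above. The sample command lines are constructed, and the Finding, parse_regsvr32 and detect_scpad_unregister names are the example's own.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample process-creation command lines (not real telemetry), in the
# form a Sysmon event ID 1 record or an EDR process log would capture them.
SAMPLE_COMMAND_LINES = [
    r'regsvr32 /u -s "c:\arquivos de programas\scpad\scpLIB.dll"',
    r'regsvr32 /u -s "c:\arquivos de programas\scpad\scpMIB.dll"',
    r'regsvr32 /s "C:\Program Files\Vendor\helper.dll"',  # registration, benign
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
    r'C:\Windows\System32\REGSVR32.EXE -U "C:\Program Files\scpad\sshib.dll"',
]

# File names of the components the description lists as deregistration targets.
SCPAD_COMPONENTS = {"scplib.dll", "scpmib.dll", "scpsssh2.dll", "sshib.dll"}

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted path or a bare word


@dataclass
class Finding:
    command_line: str
    unregister: bool    # /u or -u present: the DLL is being unregistered
    silent: bool        # /s or -s present: regsvr32's confirmation box is suppressed
    targets: list       # DLL paths found on the command line

    @property
    def scpad_hit(self) -> bool:
        return any(ntpath.basename(t).lower() in SCPAD_COMPONENTS for t in self.targets)


def parse_regsvr32(command_line: str):
    """Return a Finding when the command line invokes regsvr32, otherwise None."""
    tokens = [t.strip('"') for t in _TOKEN.findall(command_line)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    flags = {t[1:].lower() for t in tokens[1:] if t[:1] in "/-" and len(t) > 1}
    dlls = [t for t in tokens[1:] if t.lower().endswith(".dll")]
    return Finding(command_line, "u" in flags, "s" in flags, dlls)


def detect_scpad_unregister(command_lines):
    """Alert on every regsvr32 unregistration whose target is a scpad component."""
    findings = (parse_regsvr32(line) for line in command_lines)
    return [f for f in findings if f and f.unregister and f.scpad_hit]
```

Running detect_scpad_unregister over the sample lines flags the two silent unregistrations and the non-silent one for sshib.dll, while the benign registration and the notepad process are ignored.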
TrojanSpy:Win32/Bancos.OM then attempts to find a dialog box with the title 'Certificado'. If found, it hides the original dialog box and displays the following fake dialog box:
It then gathers any information entered in the fake dialog box and sends it to a predefined e-mail address using its own SMTP component.
It may then access the server 'bravox0005.hpg.com.br' for additional information.
Analysis by Shawn Wang
Prevention