Threat behavior
TrojanSpy:Win32/Bancos.SZ is a password-stealing trojan that targets specific online banking websites. Captured credentials may be sent via SMTP e-mail to a specified e-mail address.
Installation
This trojan may be installed by other malware such as TrojanDownloader:Win32/Delf.JA. When run, it creates a mutex named "CritOpMutex".
TrojanSpy:Win32/Bancos.SZ creates a copy of itself as the following:
<system folder>\iexplupd.exe
In the wild, we have seen the following file names used by the malware:
iexplupd.exe
msgrupd.exe
The trojan ensures its copy automatically runs every time Windows starts by creating the following registry entry:
Adds value: "IExplUpd"
With data: "<path and file name of TrojanSpy:Win32/Bancos.SZ>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
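The installation artifacts listed above (the dropped copy, the Run key value and the mutex) can be checked on a suspect host with the following triage script. This is an added example, not code from the Microsoft write-up: only the value name "IExplUpd", the file names iexplupd.exe and msgrupd.exe, and the mutex name "CritOpMutex" come from the page; the function name, the additional SysWOW64 and Wow6432Node locations (where a 32-bit process is redirected on 64-bit Windows) and the output shape are this example's own assumptions.

```powershell
# Added triage example, not part of the original write-up.
# Indicators taken from the page: iexplupd.exe / msgrupd.exe in the system folder,
# Run value "IExplUpd", mutex "CritOpMutex". Everything else is an assumption of
# this example. Run in an elevated session so HKLM and System32 are readable.

function Test-BancosSZArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Dropped copy in <system folder>. On 64-bit Windows a 32-bit trojan writing to
    #    "System32" is redirected to SysWOW64, so both directories are checked.
    $systemDirs = @([Environment]::GetFolderPath('System'))
    $wow64 = Join-Path $env:windir 'SysWOW64'
    if (Test-Path -LiteralPath $wow64) { $systemDirs += $wow64 }

    foreach ($dir in $systemDirs) {
        foreach ($name in 'iexplupd.exe', 'msgrupd.exe') {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $findings += [pscustomobject]@{ Type = 'File'; Detail = $path; Extra = $hash }
            }
        }
    }

    # 2. Run-key persistence. The page names the native Run key; the Wow6432Node
    #    variant is added because a 32-bit writer lands there on 64-bit Windows.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $value = Get-ItemProperty -Path $key -Name 'IExplUpd' -ErrorAction SilentlyContinue
        if ($value) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$key\IExplUpd"; Extra = $value.IExplUpd }
        }
    }

    # 3. Runtime mutex. OpenExisting succeeds only while a process holds the name,
    #    so a hit means the trojan is currently running. The bare name lives in the
    #    caller's session namespace; the Global\ form covers a different session.
    foreach ($mutexName in 'CritOpMutex', 'Global\CritOpMutex') {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($mutexName)
            $m.Dispose()
            $findings += [pscustomobject]@{ Type = 'Mutex'; Detail = $mutexName; Extra = 'present (process running)' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present in this namespace: nothing to report.
        } catch [System.UnauthorizedAccessException] {
            # The name exists but this session may not open it; still worth reporting.
            $findings += [pscustomobject]@{ Type = 'Mutex'; Detail = $mutexName; Extra = 'exists (access denied)' }
        }
    }

    return $findings
}

$hits = Test-BancosSZArtifacts
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No TrojanSpy:Win32/Bancos.SZ installation artifacts found.'
}
```

A file or Run-key hit is a persistence indicator and should be followed by pulling the file for analysis before removal; a mutex hit additionally tells you the sample is live, so capture process and network state first. An empty result does not clear the host, since other variants use other names.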
Payload
Steals online banking credentials
TrojanSpy:Win32/Bancos.SZ may monitor certain web pages visited by a user on the affected computer and capture logon credentials for specific online financial sites such as the following:
bradesco.com.br
bb.com.br
bancobrasil.com.br
nossacaixa.com.br
If a targeted site is visited, TrojanSpy:Win32/Bancos.SZ captures sensitive user details, such as user names and passwords for the site. Captured credentials may be sent via SMTP e-mail to a specified e-mail address. For example:
From: <paulodos1975@uol.c**.br>
To: <bomzao.2010@g***l.com>
Subject: "-= AGORA =?ISO-8859-1?Q?=C9?= SO ESPERAR =- AVM6"
The encoded word in the subject (=?ISO-8859-1?Q?=C9?=) decodes to the letter É, so the subject reads "-= AGORA É SO ESPERAR =- AVM6", Portuguese for "now all that is left is to wait".
Analysis by Wei Li
Prevention