Threat behavior
TrojanSpy:Win32/Bancos.gen!A is a password-stealing trojan that targets specific online banking web sites. Captured credentials may be sent via SMTP e-mail to a specified e-mail address.
Installation
This trojan may be installed by a dropper or other malicious software, and may be present as the file '<system folder>\explori.exe'. The registry is modified to execute the trojan copy at each Windows start.
Adds value: "explorer"
With data: "<system folder>\explori.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Steals Sensitive Data
Win32/Bancos.gen!A may monitor web pages visited by the affected user and capture logon credentials for specific online financial sites such as the following:
bradesco.com.br
bb.com.br
bancobrasil.com.br
nossacaixa.com.br
Modifies System Security Settings
Win32/Bancos.gen!A may lower Windows security by adding extensions of "high-risk" file types to the "low-risk" category via the registry. For more information about high-risk and low-risk file types, view this Microsoft Help & Support article, KB883260.
Modifies value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
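The two registry changes described in the Installation and Modifies System Security Settings sections can be checked on a host with the following script. This is an added example for triage and is not Microsoft's own tooling; it assumes "<system folder>" resolves to $env:SystemRoot\System32, and the -Remediate switch and variable names are this example's own. Run it from an elevated PowerShell prompt, since the Run value lives under HKEY_LOCAL_MACHINE; the LowRiskFileTypes check only covers the hive of the user running the script.

```powershell
# Added triage check for the registry indicators listed in this entry
# (example code, not Microsoft's). Assumption: the system folder is
# $env:SystemRoot\System32; the -Remediate switch is this example's own.
[CmdletBinding()]
param([switch]$Remediate)

# Indicators taken from the entry above.
$RunKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue   = 'explorer'
$DropFile   = Join-Path $env:SystemRoot 'System32\explori.exe'   # assumed location
$AssocKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$AssocValue = 'LowRiskFileTypes'
# Executable and script types that should never be listed as low risk (see KB883260).
$HighRisk   = '.exe', '.bat', '.com', '.cmd', '.reg', '.msi', '.scr'

$findings = @()
$actions  = @()

# 1. Persistence: Run value "explorer" whose data points at explori.exe.
$runData = (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue).$RunValue
if ($runData -and $runData -match 'explori\.exe') {
    $findings += "Run value '$RunValue' = '$runData'"
    if ($Remediate) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
        $actions += "Removed Run value '$RunValue'"
    }
}

# 2. Dropped file in the system folder (reported only; preserve it for analysis).
if (Test-Path -LiteralPath $DropFile) {
    $findings += "File present: $DropFile"
}

# 3. Attachment Manager policy: high-risk extensions added to LowRiskFileTypes.
$lowRisk = (Get-ItemProperty -Path $AssocKey -Name $AssocValue -ErrorAction SilentlyContinue).$AssocValue
if ($lowRisk) {
    $listed = ($lowRisk -split ';') | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLower() }
    $bad = $listed | Where-Object { $HighRisk -contains $_ }
    if ($bad) {
        $findings += "LowRiskFileTypes contains high-risk types: $($bad -join ';')"
        if ($Remediate) {
            # Deleting the value restores the Attachment Manager defaults for this user.
            Remove-ItemProperty -Path $AssocKey -Name $AssocValue
            $actions += "Removed '$AssocValue' from $AssocKey"
        }
    }
}

if ($findings) {
    Write-Output 'Bancos.gen!A indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    $actions  | ForEach-Object { Write-Output "  * $_" }
} else {
    Write-Output 'No Bancos.gen!A indicators found.'
}
```

Without -Remediate the script only reports, which is the safer default during an investigation: the Run value and the dropped file are evidence of how the trojan was installed, and the LowRiskFileTypes data shows which file types the user's Attachment Manager stopped warning about.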
Analysis by Andrei Florin Saygo
Prevention