Threat behavior
TrojanSpy:Win32/Banker.PW is a trojan that attempts to download other Win32/Banker trojan variants. Win32/Banker is a trojan that captures logon credentials for user accounts of certain online banking Web sites.
Installation
TrojanSpy:Win32/Banker.PW may be downloaded and run by other malware. One observed source for this trojan was a server at the IP address 64.62.181.43.
Payload
Downloads arbitrary files
When run, TrojanSpy:Win32/Banker.PW displays a message with the following text in Portuguese:
Erro ao abrir arquivo ou pasta
Não é possível abrir arquivo. O arquivo ou pasta está corrompido e ilegível.
The message is a decoy: loosely translated, it says the file or folder cannot be opened because it is corrupt and unreadable. The trojan then attempts to download files from the domain "poderosa10.gratix.com" and save them to the following locations:
C:\Arquivos de programas\DirectX.exe
C:\Arquivos de programas\reseta.exe
At the time of this writing, the files were not available for analysis.
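The following Python script is an added example and is not part of the Microsoft write-up. It scans log lines for the indicators named on this page (the download host, the observed source IP address and the two drop paths; "Arquivos de programas" is the Program Files folder on Portuguese-language Windows) and reports which line matched which indicator. The proxy, DNS and file-creation log lines are constructed for the example.

```python
"""Added example: match the indicators from this write-up against log lines."""
import re
from dataclasses import dataclass

# Indicators taken from the page's description of TrojanSpy:Win32/Banker.PW.
DOWNLOAD_HOST = "poderosa10.gratix.com"
OBSERVED_SOURCE_IP = "64.62.181.43"
DROP_PATHS = [
    r"C:\Arquivos de programas\DirectX.exe",
    r"C:\Arquivos de programas\reseta.exe",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    kind: str  # "host", "ip" or "path"


# Host match: case-insensitive, not embedded in a longer label
# ("poderosa10.gratix.com.example" must not match), but a trailing
# dot as written in DNS logs or at the end of a sentence is allowed.
_HOST_RE = re.compile(
    r"(?<![\w.-])" + re.escape(DOWNLOAD_HOST) + r"(?![\w-]|\.[\w-])",
    re.IGNORECASE,
)
# IP match: not a substring of a longer dotted number ("164.62.181.43").
_IP_RE = re.compile(
    r"(?<![\d.])" + re.escape(OBSERVED_SOURCE_IP) + r"(?!\d|\.\d)"
)
# Windows paths are case-insensitive, so the file-system indicators are too.
_PATH_RES = [(p, re.compile(re.escape(p), re.IGNORECASE)) for p in DROP_PATHS]


def scan_lines(lines):
    """Return one Finding per (line, indicator) hit, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if _HOST_RE.search(line):
            findings.append(Finding(n, DOWNLOAD_HOST, "host"))
        if _IP_RE.search(line):
            findings.append(Finding(n, OBSERVED_SOURCE_IP, "ip"))
        for path, rx in _PATH_RES:
            if rx.search(line):
                findings.append(Finding(n, path, "path"))
    return findings


# Constructed sample lines (not from the page): a proxy request, a DNS query,
# a Sysmon-style file-creation event, a request to the observed source IP,
# and one benign line that must not match.
SAMPLE_LOG = [
    "2008-03-10 14:02:11 proxy 10.0.0.15 GET http://poderosa10.gratix.com/DirectX.exe 200",
    "2008-03-10 14:02:10 dns query 10.0.0.15 A poderosa10.gratix.com.",
    r"2008-03-10 14:02:13 sysmon FileCreate TargetFilename=c:\arquivos de programas\directx.exe",
    "2008-03-10 14:03:00 proxy 10.0.0.22 GET http://64.62.181.43/update.exe 200",
    "2008-03-10 14:05:00 proxy 10.0.0.15 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} indicator {f.indicator!r}")
```

The anchoring around the host and IP patterns is the part worth copying into a real rule: naive substring checks on indicator lists produce false positives on longer domain labels and on addresses that merely contain the indicator as a substring.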
Analysis by Patrik Vicol
Prevention