Win32/Bancos is a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, then relays the captured information to the attacker. Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.
Many Win32/Bancos trojans monitor open Web browser windows, looking for bank names in the title bar or bank URLs in the address bar. The trojans may also log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Bancos may also replace or supplement legitimate bank Web pages with fake Web pages disguised to look like the original. The text of one such fake Web page roughly translates to:
Dear customer,
A new fix for the registration of computers fixes a critical level of the client identification system that can cause data loss and access problems.
The update is simple and fast, just click the link below and then click Save and run immediately after, wait a few seconds and then follow the installation instructions,
http://<malware domain>/cadastramento_de_computadores .exe
If the link above does not work, click here to download.
Attention: All users must register and update the registration of computers. If the correction fails, your computer will be blocked and unlock can only be carried out in agencies of the box.
If you have questions, call the help desk box <telephone number>
Win32/Bancos trojans send the captured banking credentials to the attacker by e-mail, by uploading them to an attacker-controlled FTP site, or by posting them to a Web site.
A Win32/Bancos trojan might copy itself to various folders on the infected PC, such as %windir% or the <startup folder>, and also drop other files there. The trojan's executable file name might contain the string 'cartao', which is Portuguese for 'card'.
The trojan might also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Some Win32/Bancos trojans try to disable security-related software such as antivirus and firewall software.
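The persistence indicators above (a Run-key entry whose executable name contains 'cartao', or whose executable sits in the Startup folder or directly in %windir%) can be turned into a small triage routine. The following is an added example for this page, not tooling from the original advisory or from Microsoft: it parses Run-key command lines, expands %windir%, and flags entries that match those indicators. The sample entries, the user profile path and the short allow-list of %windir% binaries are constructed for the example; on a live host the entries would be read from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (for example with the winreg module or a `reg export`).

```python
"""Triage of Windows Run-key entries for the Win32/Bancos persistence
indicators described on this page. Added example; all sample data is
constructed, not taken from a real host."""
import re
from dataclasses import dataclass

# Assumed drop locations, lower-case with environment variables expanded.
WINDIR = r"c:\windows"
STARTUP_DIR = (r"c:\users\alice\appdata\roaming\microsoft\windows"
               r"\start menu\programs\startup")

# Assumption for this example: a few Windows binaries that legitimately
# live directly in %windir%. A real allow-list would be far longer.
KNOWN_WINDIR_BINARIES = {"explorer.exe", "regedit.exe", "notepad.exe"}

# Environment variables commonly seen in Run-key values (lower-case).
ENV = {"%windir%": WINDIR, "%systemroot%": WINDIR}


@dataclass
class Finding:
    value_name: str
    exe_path: str
    reasons: list


def executable_from_command(command: str) -> str:
    """Return the executable path from a Run-key command line, lower-case.

    Handles quoted paths ("C:\\Program Files\\x.exe" /arg) and unquoted
    paths followed by arguments (C:\\foo\\bar.exe -silent).
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        # Unquoted: take everything up to the first '.exe' that is followed
        # by whitespace or the end of the string.
        m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.replace("/", "\\").lower()


def expand_env(path: str) -> str:
    """Expand the handful of variables in ENV (input is already lower-case)."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def triage_autoruns(entries):
    """entries: iterable of (value_name, command) pairs from the Run key.

    Returns a list of Finding objects for entries matching the page's
    indicators: 'cartao' in the file name, an executable in the Startup
    folder, or an unrecognised executable placed directly in %windir%.
    """
    findings = []
    for name, command in entries:
        exe = expand_env(executable_from_command(command))
        basename = exe.rsplit("\\", 1)[-1]
        reasons = []
        if "cartao" in basename:
            reasons.append("executable name contains 'cartao'")
        if exe.startswith(STARTUP_DIR + "\\"):
            reasons.append("executable lives in the Startup folder")
        elif (exe.startswith(WINDIR + "\\")
              and exe.count("\\") == WINDIR.count("\\") + 1   # directly in %windir%
              and basename not in KNOWN_WINDIR_BINARIES):
            reasons.append("unrecognised executable directly in %windir%")
        if reasons:
            findings.append(Finding(name, exe, reasons))
    return findings


# Constructed sample Run-key values: one benign vendor tray app, one entry
# with the 'cartao' indicator dropped into %windir%, one executable in the
# Startup folder, and a known Windows binary referenced via %windir%.
SAMPLE_RUN_ENTRIES = [
    ("TrayApp", r'"C:\Program Files\Example Vendor\tray.exe" /minimized'),
    ("cartao", r"C:\Windows\cartao_update.exe -silent"),
    ("Updater", r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\svc.exe"'),
    ("Notepad", r"%windir%\notepad.exe"),
]

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"{f.value_name}: {f.exe_path}")
        for r in f.reasons:
            print(f"  - {r}")
```

Matches are indicators to investigate rather than verdicts: a legitimate installer can also register a binary in the Startup folder, so a hit should lead to checking the file's signer, hash and creation time before any cleanup.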