TrojanSpy:Win32/Bancos.MV is a password stealing trojan that installs itself as a BHO (Browser Helper Object). It sends its stolen data to predefined e-mail addresses. It may also attempt to connect to certain IP addresses to download other files, which may be malware.
Installation
Upon execution, TrojanSpy:Win32/Bancos.MV creates the following hidden files, which are also detected as TrojanSpy:Win32/Bancos.MV, in the Windows folder:
- drvsvc.exe
- Setup.exe
- usrsvc.exe
- wmiprevse.exe
It also creates the following files in the Windows system folder:
- msado20.tlb
- MSNMessengerAPI.tlb
- NTsvc.ocx
- shdocwv.dll
The first three files are legitimate, while the last is detected as TrojanSpy:Win32/Bancos.MV.
To ensure that only one instance of the main TrojanSpy:Win32/Bancos.MV is running, it creates the mutex 'MSIdent Logon'.
To ensure that it runs every time Windows starts, it creates the following registry entries:
Adds value: "Serviço de Drivers"
With data: "%WINDOWS%\drvsvc.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "wmiprevse"
With data: "%WINDOWS%\wmiprevse.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following keys to register its dropped files:
HKCR\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
HKCR\CLSID\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}
HKCR\Interface\{992756F9-2AE8-4E13-898B-0FD562184690}
HKCR\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
HKCR\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}
HKCR\NTService.Control.1
HKCR\TypeLib\{D87F4475-BFC7-4FA4-9E65-77F4D6D60D2A}
HKCR\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
HKCR\Yahoo.Toolbar
It registers its dropped copy as a BHO (Browser Helper Object) by creating the following subkey:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}
Payload
Downloads files
TrojanSpy:Win32/Bancos.MV attempts to download files from remote IP addresses, including 189.126.103.82.
Steals user credentials
Acting as a BHO, TrojanSpy:Win32/Bancos.MV may attempt to steal users' credentials when they visit certain Web sites. The stolen information may then be sent to various e-mail addresses.
Drops other malware
TrojanSpy:Win32/Bancos.MV also drops the following driver file:
<system folder>\drivers\ntakrnl.sys
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also creates the following registry entries to register its dropped driver as a service:
Adds value: "DisplayName"
With data: "NT Automation Kernel System"
Adds value: "ImagePath"
With data: "<system folder>\drivers\ntakrnl.sys"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\NTAKRNL
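A read-only host check for the indicators listed above, added here as an example and not part of the original analysis. It assumes a default %WINDIR% layout and reports matches only; a hit on a generic name such as Setup.exe is a lead to triage, not proof of infection on its own.

```powershell
# Added example: report TrojanSpy:Win32/Bancos.MV indicators if present.
# Read-only: nothing is deleted or modified. Save the script as UTF-8 with BOM
# so the accented Run value name is read correctly by Windows PowerShell 5.1.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# Dropped files in the Windows folder and the system folder
# (msado20.tlb, MSNMessengerAPI.tlb and NTsvc.ocx are legitimate, so not listed).
$files = @(
    "$env:WINDIR\drvsvc.exe", "$env:WINDIR\Setup.exe",
    "$env:WINDIR\usrsvc.exe", "$env:WINDIR\wmiprevse.exe",
    "$env:WINDIR\System32\shdocwv.dll",
    "$env:WINDIR\System32\drivers\ntakrnl.sys"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Autostart values under the HKCU and HKLM Run keys
$runChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'Serviço de Drivers'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = 'wmiprevse'
}
foreach ($key in $runChecks.Keys) {
    $name = $runChecks[$key]
    $val = (Get-ItemProperty -Path $key -Name $name).$name
    if ($val) { $findings += "Run value '$name' = $val under $key" }
}

# BHO registration CLSID and the NTAKRNL driver service
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF9A4BA9-B071-4203-8E76-EB12C5547B41}',
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTAKRNL'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bancos.MV indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM and driver paths are readable.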
Additional Information
TrojanSpy:Win32/Bancos.MV may display a fake WinZip error when it is run.
Analysis by Patrik Vicol