Trojan-Spy.Win32.Banker.aww
From Total Malware Info
A Trojan program that steals confidential data from the user's machine. It is a Windows PE EXE file. The original file is 603 224 bytes in size and is packed with Upack; the unpacked size is about 6 MB. It is written in Delphi.
Installation
When launched, the Trojan copies its own executable file as:
- %System%\Isass.scr
It creates the following registry key value so that its executable is launched every time Windows starts:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] boby.=%System%\Isass.scr
Payload
The Trojan periodically gets the foreground window of the "Iexplore" process and searches its title for the following strings:
- Gerenciador Financeiro - Microsoft Internet Explorer
- [bb.com.br] - Microsoft Internet Explorer
- Informe sua chave de acesso.
If a window whose title contains any of those strings is found, the Trojan displays a series of fake windows that look like Internet Explorer with bank sites open. All data entered in those fake windows is sent to the malefactor's e-mail. The Trojan also logs the user's keystrokes when the following site is visited:
- www2.bancobrasil.com.br
The gathered data is then sent, together with system information (OS version, current user name), to the following e-mail address:
- br***l0123@gmail.com
Examples of the displayed fake forms (two screenshots, Example 1 and Example 2, not reproduced in this text).
The Trojan also downloads a file from the following URL:
and saves it as:
- %Temp%\oham.tmp
After a successful download, the Trojan launches the file.
Removal Instructions
- Terminate the Trojan process.
- Delete the original Trojan file.
- Delete the file:
- %System%\Isass.scr
- Delete the registry key value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] boby.=%System%\Isass.scr
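As an added example that is not part of the original entry, the following PowerShell script checks a host for the artifacts listed on this page and, when run with -Remove, carries out the removal steps above. It assumes the artifact names exactly as listed, an elevated session, and that the Trojan ran under the current user's profile (so %Temp% resolves to that user's temp folder).

```powershell
# Added example, not part of the original entry: report (and with -Remove, delete)
# the persistence artifacts listed for Trojan-Spy.Win32.Banker.aww.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'boby.'
# Note the capital "I": the dropped file name imitates the legitimate lsass.exe.
$dropped   = Join-Path $env:SystemRoot 'System32\Isass.scr'
# Assumption: the Trojan ran as the current user, so its %Temp% is this one.
$tmpFile   = Join-Path $env:TEMP 'oham.tmp'

$findings = @()

# 1. The Run-key value that restarts the Trojan at every boot
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -ne $runValue) {
    $findings += "Run value '$valueName' = $runValue"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop }
}

# 2. The dropped executable and the downloaded temp file
foreach ($path in @($dropped, $tmpFile)) {
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
        if ($Remove) {
            # Terminate any process running from that path before deleting it
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $path } |
                Stop-Process -Force
            Remove-Item -LiteralPath $path -Force
        }
    }
}

if ($findings.Count -eq 0) { 'No Trojan-Spy.Win32.Banker.aww artifacts found.' }
else { $findings }
```

The report-only default makes it safe to run across a fleet first; a copy of the original dropper, if it is still where the user launched it, must be located and deleted separately.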