Trojan-Spy.Win32.Banker.bab
From Total Malware Info
A Trojan program that steals confidential information from the user's machine. It is a Windows PE EXE file. The original file is 483 385 bytes in size and is packed with NsPack; the unpacked size is approximately 4 MB. It is written in Delphi.
Installation
Creates the following registry entry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] System Update=<path to original trojan executable>
so that the trojan executable is launched every time Windows starts.
Payload
Periodically searches the system for windows with the following titles:
- Internet Banking CAIXA - Microsoft Internet Explorer
- Banco Ita
- Banco Bradesco S/A - Microsoft Internet Explorer
- Banco Santander - Microsoft Internet Explorer
- Banespa - Microsoft Internet Explorer
If such a window is found, the Trojan immediately terminates the window's process and displays its own fake window. In this window the Trojan imitates the Internet Explorer browser showing the website of one of the targeted banks. The appearance and functionality of the fake window depend on the title of the window the Trojan found on the user's system. All data the user enters into the fake windows is sent to the attacker's email address.
The fake windows look as shown in the screenshots below (images not reproduced in this copy):
The trojan also periodically takes screenshots of the user's desktop and stores them in a folder named "Fotos" located in the trojan's working directory. These screenshots are likewise sent to the attacker's email address.
Removal Instructions
- Terminate the trojan process.
- Delete the trojan's original executable.
- Delete the following value from the registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "System Update"
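The removal steps above as an elevated PowerShell script; this is an added example, not code from the original page. It assumes the Run key and the value name "System Update" exactly as stated above, and it additionally assumes (the page does not say so) that the "Fotos" screenshot folder sits in the same directory as the executable.

```powershell
# Added example: check for and remove the persistence entry described above.
# Run from an elevated PowerShell session (HKLM requires administrator rights).
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'System Update'

# Step 0: is the persistence value present at all?
$value = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if (-not $value) {
    Write-Output "No '$valueName' value under $runKey - persistence entry not present."
    return
}

# The value data is the path to the original trojan executable (strip quotes if any).
$exePath = ([string]$value.$valueName).Trim('"')
Write-Output "Persistence entry points at: $exePath"

# Step 1: terminate any running process whose image is that executable.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $exePath) } |
    ForEach-Object {
        Write-Output "Stopping process $($_.Id) ($($_.ProcessName))"
        Stop-Process -Id $_.Id -Force
    }

# Step 2: delete the original executable.
if (Test-Path -LiteralPath $exePath) {
    Remove-Item -LiteralPath $exePath -Force
    Write-Output "Deleted $exePath"
}

# Assumption: the "Fotos" screenshot folder is beside the executable.
# The page only says it is in the trojan's working directory.
$fotos = Join-Path (Split-Path -Parent $exePath) 'Fotos'
if (Test-Path -LiteralPath $fotos) {
    Remove-Item -LiteralPath $fotos -Recurse -Force
    Write-Output "Deleted screenshot folder $fotos"
}

# Step 3: remove the Run value so the executable is not relaunched at next boot.
Remove-ItemProperty -Path $runKey -Name $valueName
Write-Output "Removed '$valueName' from $runKey"
```

If the executable has been renamed or moved since infection, the Run value still reveals the original path, which is why the script reads the path from the registry before deleting the value.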