Trojan-Spy.Win32.Banker.ciy

From Total Malware Info


This Trojan is designed to steal confidential information. The file is a Windows PE executable compiled in Delphi. It is not packed; the file size is 4994560 bytes.

Installation

Once executed, the Trojan creates the following file in the All Users Startup folder, which causes it to be launched at every interactive logon:

  • %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe

It also adds an autorun value to the system registry so that the file is launched every time Windows starts on the victim machine:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows32"="C:\Arquivos de programas\System\Windows32.exe"

Note that this registry value points to a path under C:\Arquivos de programas\System\ ("Arquivos de programas" is the Brazilian-Portuguese name of the Program Files folder), not to the Startup-folder copy listed above, so both locations need to be checked during cleanup.

Payload

When launched, the Trojan opens the following page in Internet Explorer:

This link did not work at the time this description was written.

The Trojan monitors the browser for this page being opened:

It then stays resident in memory, logs the user's keystrokes, and takes screenshots of web pages that contain the user's account details. The collected data is sent by e-mail to:

  • 12***de123@g***il.com
  • Rone***renhas@g***il.com
  • paulo.cavalcanti***sferreira@g***il.com

The mail is sent through the following SMTP server:

  • gsmtp185.g***le.com

Removal instructions

    If your computer was not protected by an antivirus product and was infected by this malware, perform the following actions:
  1. Using Task Manager, terminate the Trojan process Windows32.exe.
  2. Delete the following registry value (remove only the "Windows32" value; do not delete the Run key itself, as it holds other, legitimate autostart entries):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows32"="C:\Arquivos de programas\System\Windows32.exe"
  3. Delete the following files (both the Startup-folder copy and the file the registry value points to):
    • %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe
    • C:\Arquivos de programas\System\Windows32.exe
  4. Update your virus databases and perform a full scan of your computer with Kaspersky Anti-Virus.
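The manual steps above can be scripted so the same check runs unattended on every machine in a fleet. The following PowerShell script is an added example, not part of the original description or of any vendor tool: it looks for the three artefacts the page lists (the running Windows32 process, the "Windows32" value under the HKLM Run key, and the executable in the All Users Startup folder plus whatever file the Run value points to), records a SHA-256 hash and size of each file before touching it, and only deletes anything when run with -Remove. The Startup folder is resolved through the CommonStartup special folder rather than the %Documents and Settings% path, because this sample targets a localized (Brazilian-Portuguese) Windows where folder names differ; the 4994560-byte size comparison comes from the page, and everything else (parameter name, output format) is this example's own choice.

```powershell
# Added example: hunt and optionally remove the Trojan-Spy.Win32.Banker.ciy
# persistence artefacts listed on this page. Run from an elevated PowerShell.
# Without -Remove the script only reports; with -Remove it stops the process,
# deletes the Run value (not the Run key) and removes the files.
param(
    [switch]$Remove
)

$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName    = 'Windows32'
$procName     = 'Windows32'
$expectedSize = 4994560   # file size given in the description

# Startup folder resolved from the environment, so it works on localized Windows.
$startupFile = Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Windows32.exe'
$candidates  = @($startupFile)
$findings    = @()

# 1. Running process: stop it first, otherwise the file is locked and may be recreated.
foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($p.ProcessName) PID $($p.Id) $($p.Path)" }
    if ($p.Path) { $candidates += $p.Path }
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Run value: read only the named value; never delete the whole Run key.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$valueName]) {
    $target = [string]$runProps.$valueName
    $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$valueName = $target" }
    # The value points at a second copy of the binary; include it in the file check.
    $candidates += $target.Trim('"')
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName }
}

# 3. Files: hash and size before deletion so the sample can still be identified later.
foreach ($f in ($candidates | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $len  = (Get-Item -LiteralPath $f).Length
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $note = if ($len -eq $expectedSize) { 'size matches description' } else { "size $len differs from described $expectedSize" }
        $findings += [pscustomobject]@{ Type = 'File'; Item = "$f sha256=$hash ($note)" }
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) {
    'No Windows32 artefacts found.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remove) { 'Report only; re-run with -Remove to clean.' }
}
```

Run it once without -Remove to confirm the hits are the expected files and not an unrelated program that happens to use the same name; a size or hash that does not match is a reason to quarantine the file for analysis rather than delete it outright. As the final step of the page's instructions says, a full scan with updated signatures should still follow, since this script only covers the artefacts named in the description.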