Trojan-Spy.Win32.Banker.clq

From Total Malware Info


This Trojan is designed to steal confidential financial information. The file is a Windows PE executable compiled with Borland Delphi and packed by an unknown method. The packed file is 1 586 346 bytes in size; unpacked, it is 4 994 560 bytes.

Installation

Once launched, the Trojan extracts itself to the Windows Startup directory:

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe

The extracted file is 4 994 560 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banker.ciy.

After installation, the Trojan registers this file in the system registry so that it is launched each time Windows starts on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows32"="C:\Arquivos de programas\System\Windows32.exe"

Payload

When a connection to the Internet is established, the Trojan opens the following URL:

At the moment of writing, this link was not working.

The malware watches for the following sites being opened in the Internet browser, in order to steal account information using keylogging and screenshot techniques:

The malware logs the captured user information and sends it by e-mail via the SMTP server:

gsmtp185.google.com

to the following mail accounts:

123rede123@gmail.com
ronelmascarenhas@gmail.com
paulo.cavalcantigomesferreira@gmail.com

Removal instructions

  1. Using Task Manager, terminate the Trojan process Windows32.exe.
  2. Delete the following registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows32"="C:\Arquivos de programas\System\Windows32.exe"
  3. Delete the executable file:
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe
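The following PowerShell script is an added example, not code from this page or from Kaspersky; it checks a machine for the three indicators listed above (the running process, the Run value and the dropped file, including its 4 994 560-byte size) and, with -Remove, carries out the removal steps in the order the page gives. It assumes the value name, file name and paths are exactly as stated on the page; the "C:\Arquivos de programas\System" path is the one quoted in the Run value above.

```powershell
# Added detection/clean-up helper for the indicators on this page (not the page's own code).
# Run from an elevated PowerShell prompt. Assumption: indicator names/paths are as the page states.
param([switch]$Remove)

$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName    = 'Windows32'
$expectedSize = 4994560   # size of the dropped Windows32.exe, per the page
$candidates   = @(
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Windows32.exe'),
    'C:\Arquivos de programas\System\Windows32.exe'   # path quoted in the page's Run value
)
$findings = @()

# 1. Running process named Windows32
$proc = Get-Process -Name $valueName -ErrorAction SilentlyContinue
if ($proc) { $findings += "process Windows32.exe running (PID $($proc.Id -join ','))" }

# 2. Autorun value under HKLM\...\Run
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
    $candidates += ($run.$valueName).Trim('"')   # also inspect whatever path the value points to
}

# 3. Dropped file(s); compare the size with the value given on the page
foreach ($p in ($candidates | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $p) {
        $len  = (Get-Item -LiteralPath $p).Length
        $note = if ($len -eq $expectedSize) { 'size matches page' } else { "size $len differs from page" }
        $findings += "file present: $p ($note)"
    }
}

if (-not $findings) { Write-Output 'No indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Same order as the page: stop the process, delete the Run value, delete the file(s)
    if ($proc) { $proc | Stop-Process -Force }
    if ($run)  { Remove-ItemProperty -Path $runKey -Name $valueName }
    foreach ($p in ($candidates | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }
    Write-Output 'Removal attempted; reboot and re-run this script to confirm nothing returned.'
}
```

Without -Remove the script only reports, which is the safer first run on a machine where the startup file may already have been reimaged or quarantined by an AV product.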