Trojan-Spy.Win32.Banker.clx

From Total Malware Info

It is a Trojan used to steal information that is required to access certain on-line banks. The file is a Windows PE-Executable compiled using Borland Delphi. File has size 1751232 bytes and packed with eXpressor. Unpacked file size is 7631360.

Installation

After the installation it registers file in the system registry to ensure that this file will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"msm"="C:\Conf\msm.cmd"

Payload

This malware waits the user enter certain online banking websites to steal information:

• Caixa
• CEF
• NossaCX
• Itau
• Banco Real
• Santander
• Hsbc
• Sua Conta
• Besc

Then traps the user showing a fake windows created by the malware as a browser windows:

The Trojan waits for openning folowing sites and then steals login information by keylogging:

• https://www2.bancobrasil.com.br/aapf/aai/erro.htm
• https://wwws.nossacaixa.com.br/bemvindo.asp
• https://bankline.itau.com.br/GRIPNET/bklcgi.exe
• https://www.realsecureweb.com.br/scripts/engine_brpi.dll?OPERA=error?
• https://www.8.bansirul.com.br
• https://wwws3.hsbc.com.br/HOB-MEUHSBC/servlets/CONTAHSBC=error?
• https://ibank.besc.com.br
• https://wwws.nossacaixa.com.br/bemvindo.asp

The malware logs the user information and sends them by email:

• mar***ingrn@ho***il.com

using smtp server:

• gsmtp185.g***le.com

Removal instructions

1. Using Task Manager terminate the trojan process:
   • msm.cmd.
2. Delete the following registry keys:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "msm"="C:\Conf\msm.cmd"

3. Delete the executable file
   • "C:\Conf\msm.cmd"
4. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.