Trojan-Spy.Win32.Banker.cwo

From Total Malware Info


This Trojan is designed to steal confidential financial information. The file is a Windows PE executable compiled with Borland Delphi and packed with TeLock. The unpacked file is about 7190 KB in size.

Installation

Once launched, the Trojan extracts itself to the following path:

  • %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe

It then registers the file in the system registry so that it is launched each time Windows starts on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows32"="C:\Arquivos de programas\System\Windows32.exe"

Payload

The Trojan downloads additional malware from the following link:

This link did not work at the time this description was written.

It creates the following file in %WinDir%, in which the "001" is stored:

  • winload.inf

The Trojan monitors for this page being opened in the browser:

and also monitors pages containing the following phrases:

  • Bankline
  • Citibank Online

After that it runs resident in memory, logs the user's key presses, takes screenshots when the user visits certain websites, and sends this information together with the log to:

  • Inv***tion.haxor@g***l.com

Removal instructions

If your computer was not protected by an antivirus product and was infected by this malware, perform the following actions:

  1. Using Task Manager, terminate the Trojan process Windows32.exe.
  2. Delete the following registry entry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows32"="C:\Arquivos de programas\System\Windows32.exe"
  3. Delete the executable file:
    • %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe
  4. Update your antivirus databases and perform a full scan of your computer with Kaspersky Antivirus.
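As an added triage aid that is not part of the original description, the following script parses a `.reg` export of the Run key and a listing of the All Users Startup folder and flags the two persistence points named above (the `Windows32` Run value and the `Windows32.exe` Startup-folder copy). The sample export and folder listing are constructed for this example; the script works offline on text and never touches the live registry.

```python
import re

# Indicators taken from the description above: the Run value name and the
# executable file name the Trojan uses for persistence.
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
SUSPECT_VALUE_NAME = "windows32"
SUSPECT_EXE = "windows32.exe"

# Matches one REG_SZ line of a .reg export: "name"="data"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text):
    """Return (key, value_name, data) triples from .reg export text.
    .reg files escape backslashes in string data as \\\\; that is undone here."""
    entries, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # section header names the key
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def find_persistence(reg_text, startup_files):
    """Flag the Run value and the Startup-folder copy described above."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue  # only autostart values under ...\CurrentVersion\Run
        if name.lower() == SUSPECT_VALUE_NAME or data.lower().endswith(SUSPECT_EXE):
            findings.append(f'registry: [{key}] "{name}"="{data}"')
    for path in startup_files:
        if path.replace("/", "\\").lower().rsplit("\\", 1)[-1] == SUSPECT_EXE:
            findings.append(f"startup folder: {path}")
    return findings

# Constructed sample input (not a real capture): a `reg export` fragment and
# a listing of the All Users Startup folder, with one benign entry in each.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Windows32"="C:\\Arquivos de programas\\System\\Windows32.exe"
'''
SAMPLE_STARTUP = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows32.exe",
]
```

Run `find_persistence(SAMPLE_REG, SAMPLE_STARTUP)` to list the flagged entries; on a real machine, feed it the output of `reg export` and a directory listing instead of the constructed samples.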