Trojan-Spy.Win32.Banker.dbb

From Total Malware Info


It is a Trojan used to steal the information required to access certain on-line banks. The file is a Windows PE executable compiled with Borland Delphi. It is packed with PEPatch and then with TELock; the packed file is 1129472 bytes and the unpacked file is 5627392 bytes.

Installation

After installation it registers the file in the system registry so that it is launched each time Windows starts on the victim machine:

  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  "WINDOWSUPDATE"="C:\Arquivos de programas\ExAlien.exe"

Payload

This malware waits for the user to enter certain web banking sites, then steals information:

  • Safra Net Banking
  • Bradesco
  • Unibanco
  • Caixa
  • Branco

It then traps the user by showing a fake website, created by the malware, in what looks like a browser window. The Trojan waits for these sites to be opened and then steals login information by keylogging and taking screenshots,

and sends them by email to: pai***mor@g***l.com

Removal instructions

  1. Using Task Manager, terminate the Trojan process exalien.exe
  2. Delete the following registry value:
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
      "WINDOWSUPDATE"="C:\Arquivos de programas\ExAlien.exe"
  3. Delete the executable file:
    • "C:\Arquivos de programas\ExAlien.exe"
  4. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
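The manual steps above can be audited and carried out from an elevated PowerShell prompt. The script below is an added example written for this page, not code from Total Malware Info or from any vendor tool; it assumes only the indicators stated above (the Run value "WINDOWSUPDATE", the file path "C:\Arquivos de programas\ExAlien.exe", the process name exalien.exe and the packed size of 1129472 bytes). Note that "Arquivos de programas" is the Portuguese-locale name of the Program Files folder, so the path as written only exists on Portuguese Windows installations. Without the -Remove switch the script only reports what it finds; with -Remove it follows the same order as the instructions (stop the process first, then remove the Run value, then delete the file) and honours -WhatIf.

```powershell
# Added example: audit and optionally clean the artifacts described on this page.
# Indicators (Run value, file path, process name, packed size) are taken from the page.
# Run as Administrator. Without -Remove the script is read-only.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$RunKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName   = 'WINDOWSUPDATE'
$FilePath    = 'C:\Arquivos de programas\ExAlien.exe'
$ProcName    = 'exalien'        # Get-Process matches the name without .exe
$PackedSize  = 1129472          # packed size reported on the page

$findings = @()

# 1. Running process: stop it before touching the file so the delete is not blocked.
$procs = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id)) path=$($p.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Persistence: the Run value that relaunches the file at every boot.
$item = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($item) {
    $data = $item.$ValueName
    $findings += "Run value present: $ValueName = $data"
    if ($Remove -and $PSCmdlet.ShouldProcess("$RunKey\$ValueName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
    }
}

# 3. Dropped executable: record size and hash for the incident record before deleting.
if (Test-Path -LiteralPath $FilePath) {
    $file = Get-Item -LiteralPath $FilePath
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $sizeNote = if ($file.Length -eq $PackedSize) { 'matches packed size on page' } else { 'size differs from page' }
    $findings += "File present: $FilePath size=$($file.Length) ($sizeNote) sha256=$hash"
    if ($Remove -and $PSCmdlet.ShouldProcess($FilePath, 'Remove-Item')) {
        Remove-Item -LiteralPath $FilePath -Force
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this page were found.'
} else {
    $findings
}
```

Run it once without switches to see the report, then with `-Remove -WhatIf` to preview the actions, and finally with `-Remove`. The recorded SHA-256 and size let you confirm afterwards whether the sample you removed is the same packed build the page describes; a full antivirus scan, as step 4 says, is still needed because a variant may use a different name or path.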