Trojan-Spy.Win32.Banker.fdc

From Total Malware Info


It is a banking trojan used to steal the information required to access certain online banks. The file is a Windows PE executable compiled with Borland Delphi, 3 460 608 bytes in size and packed with PECompact; the unpacked file is 7 332 352 bytes.

Installation

After installation it registers its file in the system registry so that it is launched each time Windows starts on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"windows32"="C:\Arquivos de programas\Windows32.exe"

It also creates a batch file and registers a scheduled task named “startt” that runs it at every startup:

  • C:\Autoexec.bat

Payload

The malware waits for the user to open one of the following online banking websites and then steals the login information:

  • Bradesco
  • Caixa
  • CEF
  • NossaCX
  • Itau
  • Banco Real
  • Santander
  • Hsbc
  • Sua Conta
  • Besc

It then traps the user with a fake login window that the malware draws to look like a browser window.

The Trojan watches for these sites being opened and captures the login information by keylogging.

The captured information is logged and sent by e-mail to:

  • bo***viinfected@y***o.com.br
  • so***nfe@gmail.com

mduda07@b***ail.org using the SMTP server:

  • smtp.mail.y***o.com

Removal instructions

  1. Using Task Manager, terminate the trojan process Windows32.exe.
  2. Delete the following registry value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "windows32"="C:\Arquivos de programas\Windows32.exe"
  3. Delete the following files:
    • "C:\Arquivos de programas\Windows32.exe"
    • "C:\Autoexec.bat"
  4. Remove the scheduled task with the following command at a console:
    • schtasks /delete /tn "startt"
  5. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
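As an added example that is not part of the original page, the following PowerShell script checks a host for the persistence artifacts listed under Installation and carries out the removal steps above in one pass. It assumes the names and paths exactly as the page gives them (the Portuguese program-files path, the "windows32" Run value, the "startt" task, the process name Windows32.exe); it must be run from an elevated prompt, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example (not from the original page): triage and removal of the
# indicators listed for Trojan-Spy.Win32.Banker.fdc.
# Run elevated. Without -Remove the script only reports what it finds.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Indicators taken from the page. The program-files path is the Portuguese
# Windows one the sample uses; adjust if the host is localised differently.
$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'windows32'
$ExePath  = 'C:\Arquivos de programas\Windows32.exe'
$BatPath  = 'C:\Autoexec.bat'
$TaskName = 'startt'
$ProcName = 'Windows32'   # Get-Process takes the name without .exe

$found = @()

# Step 1: the running process. Kill it first so it cannot re-create the
# artifacts removed below.
$proc = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
if ($proc) {
    $found += "process $ProcName.exe (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# Step 2: the Run value (a value under the Run key, not a key of its own).
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run) {
    $found += "Run value $RunValue = $($run.$RunValue)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
}

# Step 4 (done before the files so the task cannot fire in between):
# schtasks.exe works on XP and later, whereas Get-ScheduledTask needs Win8+.
$null = schtasks.exe /Query /TN $TaskName 2>$null
if ($LASTEXITCODE -eq 0) {
    $found += "scheduled task $TaskName"
    if ($Remove) { $null = schtasks.exe /Delete /TN $TaskName /F }
}

# Step 3: the dropped files. Hash each one before deleting so the sample can
# be matched against the antivirus scan later.
foreach ($f in @($ExePath, $BatPath)) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $found += "file $f sha256=$hash"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'None of the listed indicators were found on this host.'
} else {
    Write-Output ('Found: ' + ($found -join '; '))
    if (-not $Remove) { Write-Output 'Re-run with -Remove to clean.' }
}
```

Run it once without -Remove and review the report first: C:\Autoexec.bat in particular may be a legitimate, normally empty compatibility file on older Windows, so check its contents before letting the script delete it. The recorded SHA-256 values let you confirm afterwards that the antivirus scan in step 5 detected the same sample.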