Trojan-Spy.Win32.Banker.fgw

From Total Malware Info


This Trojan is designed to steal confidential financial information. The file is a Windows PE executable compiled with Borland Delphi and packed with TeLock. The file has a size of 2 736 128 346 bytes packed and about 4 583 Kbytes unpacked.

Installation

Once launched, the Trojan extracts itself to the Windows Startup directory:

  • %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe

It then registers the file in the system registry so that it is launched each time Windows is restarted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows32"="C:\Arquivos de programas\System\Windows32.exe"

Payload

Once running, it downloads a file from the following link:

This link was not working at the time this description was written. The Trojan monitors the browser for the opening of the following pages:

The Trojan then displays fake windows prompting the user to enter account information:

It then sends this information to: inves***ation***xor@gmail.com

Removal instructions

  1. Using Task Manager, terminate the Trojan process Exec32.exe.
  2. Delete the following registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows32"="C:\Arquivos de programas\System\Windows32.exe"
  3. Delete the executable file:
    • %Documents and Settings%\All Users\Start Menu\Programs\Startup\Windows32.exe
  4. Perform a full scan of the computer with Kaspersky Antivirus.
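As an added example that is not part of this description, the following PowerShell check looks on a host for the artifacts listed above (the Run value, the dropped file and the named processes) and, with -Remove, carries out the removal steps in the same order. The function name is assumed, and the $env:ProgramFiles candidate assumes that "Arquivos de programas" is the localized Program Files folder of the affected system.

```powershell
# Added example: check a host for Trojan-Spy.Win32.Banker.fgw persistence
# artifacts. Names and paths come from the description above; the function
# name and the $env:ProgramFiles candidate path are assumptions.
function Test-BankerFgwArtifacts {
    [CmdletBinding()]
    param([switch]$Remove)   # report only unless -Remove is given

    $findings = @()

    # Step 1: the processes the description names (terminate first, so the
    # file can be deleted afterwards)
    foreach ($name in 'Exec32', 'Windows32') {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if ($procs) {
            $findings += "Process running: $name (PID $($procs.Id -join ', '))"
            if ($Remove) { $procs | Stop-Process -Force -ErrorAction SilentlyContinue }
        }
    }

    # Step 2: the HKLM Run value "Windows32" that relaunches the file at boot
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = Get-ItemProperty -Path $runKey -Name 'Windows32' -ErrorAction SilentlyContinue
    if ($runValue) {
        $findings += "Run value Windows32 -> $($runValue.Windows32)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Windows32' -ErrorAction SilentlyContinue }
    }

    # Step 3: the dropped copy in the All Users Startup folder plus the path
    # referenced by the Run value (literal and localized-Program-Files forms)
    $candidates = @(
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Windows32.exe'),
        'C:\Arquivos de programas\System\Windows32.exe',
        (Join-Path $env:ProgramFiles 'System\Windows32.exe')   # assumption
    )
    foreach ($path in ($candidates | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
            if ($Remove) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
        }
    }

    if ($findings.Count -eq 0) { Write-Output 'No Trojan-Spy.Win32.Banker.fgw artifacts found.' }
    else { $findings | ForEach-Object { Write-Output $_ } }
    return $findings.Count   # number of artifacts seen, for scripted use
}

Test-BankerFgwArtifacts
```

Run it from an elevated PowerShell prompt, since the HKLM Run key and the All Users Startup folder are not writable by a standard user; step 4 (a full antivirus scan) still has to be run separately.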