Friday, February 24, 2012

TrojanSpy:Win32/Banker


Encyclopedia entry
Updated: Apr 21, 2007  |  Published: Apr 21, 2007

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.117.3022.0
Released: Jan 17, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


 

Summary

Win32/Banker is a family of data-stealing Trojans. When Win32/Banker is installed on a computer, it can capture banking credentials such as account numbers and passwords from the user. The Trojan can then send the captured information to the attacker by various means. Many variants of Win32/Banker may appear as greeting card software. Most Win32/Banker variants target customers of Brazilian banks.


 

Symptoms

Many Win32/Banker variants may appear as greeting card software with a filename that contains the string "cartao" (which is Portuguese for the English word "card") and may have the file extension .exe, .pif, or .scr.


 

Technical Information (Analysis)

Win32/Banker is a family of data-stealing Trojans that captures banking credentials such as account numbers and passwords from computer users. It then relays the captured information to the attacker. Most Win32/Banker variants target customers of Brazilian banks; some variants target customers of other banks.
 
Many Win32/Banker variants monitor open Web-browser windows for bank names in the title bar or bank URLs in the address bar. Many variants log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Win32/Banker may also replace or supplement legitimate bank Web pages with illegitimate Web pages.
 
Win32/Banker variants use various means of sending captured banking credentials to the attacker, including sending an e-mail to the attacker, uploading credentials to an attacker's FTP site, and posting credentials to an attacker's HTTP site.
 
Many variants of Win32/Banker copy themselves to various folders on the infected computer, such as <Windows folder> and <system folder>, and also drop other files there. The Trojan executable file may contain the string "cartao" (which is Portuguese for the English word "card") and may have the file extension .exe, .pif, or .scr. Win32/Banker may also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Some variants may also try to disable security-related software such as antivirus and firewall software.
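
As a triage aid for the autostart behaviour described above, the following added example (not part of the Microsoft entry) parses `reg query` output for the Run key and flags values whose target file name contains "cartao" with one of the listed extensions. The sample output, the default folder paths standing in for <Windows folder> and <system folder>, and the function names are constructed for illustration.

```python
import ntpath
import re

# Indicators from the entry: "cartao" in the file name; extension .exe, .pif
# or .scr; copies dropped in <Windows folder> / <system folder>.
MARKER = "cartao"
EXTS = {".exe", ".pif", ".scr"}
# Assumption: default paths stand in for <Windows folder> and <system folder>.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# One value line of `reg query` output: name, type, data separated by 4 spaces.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def executable_of(command):
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|pif|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def triage(reg_query_output):
    """Return (value name, path, notes) for Run entries matching the description."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = executable_of(m.group(3))
        # Expand the two common environment variables before comparing folders.
        norm = re.sub(r"%(windir|systemroot)%", r"c:\\windows", path.lower())
        folder, filename = ntpath.split(norm)
        if MARKER in filename and ntpath.splitext(filename)[1] in EXTS:
            notes = ["file name contains 'cartao'"]
            if folder in SYSTEM_DIRS:
                notes.append("in Windows/system folder")
            findings.append((m.group(1), path, notes))
    return findings

# Constructed sample, not real output from an infected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Greeting    REG_SZ    "C:\WINDOWS\system32\Cartao_Virtual.scr" /s
    Updater    REG_SZ    C:\Program Files\Vendor\update.exe /background
    msn    REG_SZ    %SystemRoot%\meucartao.exe
"""

if __name__ == "__main__":
    for name, path, notes in triage(SAMPLE):
        print(f"{name}: {path} ({'; '.join(notes)})")
```

A match is a lead for further inspection of the file, not a verdict; the entry notes that only many, not all, variants use this naming.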
