TROJ_BANKER.JTB

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data. It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• C:\Documents and Settings\All Users\Application Data\{malware file name}.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware file name}.exe = C:\Documents and Settings\All Users\Application Data\{malware file name}.exe

Information Theft

This spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar and/or title bar:

• https://www.santandernet.com.br/default.asp?txtAgencia=
• https://www2.rural.com.br/RuralIBank/login_conta.jsp?acao=cadastraUsuario
• https://wwwss.bradesco.com.br/scripts/ib2k1.dll/
• https://wwwss.bradesco.com.br/scripts/ib2k1.dll/LOGIN
• https://wwwss.bradesc .com.br/scripts/ib2k1.dll/TAC/VRFSENHAATUAL

The spoofed login overlaps the legitimate login area of the website, thus tricking the user into thinking that it is part of the IE window. The spoofed login page is located in a fixed area of the legitimate website. The said routine tricks the user into giving out sensitive account-related information. It then logs keystrokes entered by the user in the user name and password fields of the spoofed login page.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It attempts to steal information from the following banks and/or other financial institutions:

• Banco Rural
• Banco Santander
• Bradesco

Drop Points

This spyware sends the information it gathers to the following email addresses:

• {BLOCKED}rteza@uol.com.br
• {BLOCKED}010@uol.com.br
• {BLOCKED}detudo@uol.com.br
• {BLOCKED}i5090@gmail.com

Variant Information

This spyware has the following MD5 hashes:

• 42b21e4a5c1a4adc9ac98f3d99c5960c

It has the following SHA1 hashes:

• e1ab7f4f8f867d038c5b67b3359731b41375e768