TSPY_BANBRA.EI


Type: Spyware

Aliases: PWS-Banker.gen.b (McAfee)

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported detections: Low

System impact: High

Information exposure: High

Description:

This memory-resident spyware is downloaded by another piece of malware, which Trend Micro detects as TROJ_BANLOAD.GW.

It is downloaded by TROJ_BANLOAD.GW as the file IMGRT.SCR into the Windows system folder.

It monitors Internet banking Web sites accessed on the affected computer. It does this by monitoring browser windows that contain specific strings.

It steals online banking information such as account numbers and passwords. It does this by displaying a fake login console once an online banking Web site containing certain strings is accessed. All gathered information is sent to a remote user via email.

Description created: Feb 18, 2006



TECHNICAL DETAILS



Initial samples received on: Feb 17, 2006

File type: PE

Memory resident: Yes

File size: 761,856 Bytes

Related to: TROJ_BANLOAD.GW

Payload 1: Displays fake login console

Details:

This memory-resident spyware is downloaded by another piece of malware, which Trend Micro detects as TROJ_BANLOAD.GW.

It is downloaded by TROJ_BANLOAD.GW as the file IMGRT.SCR into the Windows system folder.

It monitors Internet banking Web sites accessed on the affected computer. It does this by monitoring browser windows that contain any of the following strings, which are related to online banking Web sites:

  • Banco da Amaz
  • Banco Ita
  • Banco Nossa Caixa
  • Banco Santander
  • bancobrasil
  • Banespa
  • Bradesco
  • Caixa Econ
  • Equifax
  • mica Federal
  • Serasa S.A.
  • Unibanco.com

It steals online banking information such as account numbers and passwords. It does this by displaying a fake login console once an online banking Web site containing certain strings is accessed. All gathered information is sent to a remote user via email.

This spyware runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


Analysis by: Erwin Boy-Ang Balunsat



SOLUTION


Minimum scan engine version needed: 7.000


Virus pattern version needed: 3.218.01

Pattern release date: Feb 17, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: To fully remove all associated malware, perform the clean solution for TROJ_BANLOAD.GW.

Identifying the Spyware Program

To remove this spyware, first identify the spyware program.

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as TSPY_BANBRA.EI.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.

Terminating the Spyware Program

This procedure terminates the running spyware process. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the spyware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected spyware files in the list of running processes.
  5. To check if the spyware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the spyware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the spyware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TSPY_BANBRA.EI. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.