Initial samples received on: Feb 17, 2006
Memory resident: Yes
File size: 761,856 Bytes
Displays fake login console
This memory-resident spyware is downloaded by another malware, which Trend Micro detects as TROJ_BANLOAD.GW.
TROJ_BANLOAD.GW downloads it into the Windows system folder as the file IMGRT.SCR.
It monitors Internet banking Web sites accessed on the affected computer. It does this by watching for browser windows containing any of the following strings, which are related to online banking Web sites:
- Banco da Amaz
- Banco Ita
- Banco Nossa Caixa
- Banco Santander
- Caixa Econ
- mica Federal
- Serasa S.A.
It steals online banking information such as account numbers and passwords. It does this by displaying a fake login console once an online banking Web site containing certain strings is accessed. All information gathered is sent to a remote user via email.
This spyware runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis by: Erwin Boy-Ang Balunsat