TSPY_BANCOS.BVB

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote sites:

• http://{BLOCKED}2012.xpg.com.br/boa.pdf

Installation

This spyware creates the following folders:

• %System Root%\Documents and Settings\All Users\Application Data\TEMP

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other System Modifications

This spyware adds the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{83447388-F457-4723-9D09-6F486F161E1A}

HKEY_CLASSES_ROOT\CLSID\{8F577DD6-A889-B773-13C5-1FBA13C51FBA}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{8F577DD6-A889-B773-13C5-1FBA13C51FBA}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{83447388-F457-4723-9D09-6F486F161E1A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
EXT

It adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{83447388-F457-4723-9D09-6F486F161E1A}\
InprocServer32
Default = "{malware path and filename}"

HKEY_CLASSES_ROOT\CLSID\{8F577DD6-A889-B773-13C5-1FBA13C51FBA}\
InprocServer32
Default = "%System%\dxtmsft.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{83447388-F457-4723-9D09-6F486F161E1A}\InprocServer32
Default = "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
EXT\CLSID
{83447388-F457-4723-9D09-6F486F161E1A} = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT
iexplore.exe = "dword:00000001"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{83447388-F457-4723-9D09-6F486F161E1A}
NoExplorer = "dword:00000001"