Troj/Bancban-CQ

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Bancban-CQ is an information-stealing Trojan for the Windows platform.

Troj/Bancban-CQ copies itself to the Windows folder as iexplore_.exe and creates the following registry entry to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
cmssapp
<Windows folder>\iexplore_.exe
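
A defender can check a host for this persistence entry. The following PowerShell is an added example, not part of the original description: it reads the Run key above and reports any value that matches the name or file name given here. The function name `Get-RunKeyFinding` is hypothetical, and the last check is a generalization beyond this entry that rests on the assumption noted in its comment.

```powershell
# Added example: inspect the HKLM Run key for the entry described above.
$RunKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$IocName = 'cmssapp'        # value name given in the description
$IocFile = 'iexplore_.exe'  # file name given in the description
$WinDir  = $env:windir.TrimEnd('\')

function Get-RunKeyFinding {   # hypothetical helper name
    param([string]$KeyPath = $RunKey)

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # Read the stored string, then expand %SystemRoot%-style variables.
        $raw  = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $data = [Environment]::ExpandEnvironmentVariables($raw)

        # Isolate the executable path from any arguments.
        if ($data -match '^\s*"([^"]+)"' -or $data -match '^\s*(.+?\.exe)') {
            $exe = $Matches[1]
        } else {
            $exe = $data.Trim()
        }
        if (-not $exe) { continue }
        $leaf = Split-Path -Path $exe -Leaf
        $dir  = (Split-Path -Path $exe -Parent).TrimEnd('\')

        $reasons = @()
        if ($name -eq $IocName) { $reasons += "value name $IocName" }
        if ($leaf -eq $IocFile) { $reasons += "file name $IocFile" }
        # Generalization (assumption): the genuine iexplore.exe is installed under
        # Program Files, so any iexplore*.exe directly in the Windows folder is suspect.
        if ($dir -eq $WinDir -and $leaf -like 'iexplore*.exe') {
            $reasons += 'iexplore look-alike in the Windows folder'
        }
        if ($reasons.Count -eq 0) { continue }

        # Hash the file if it is present so it can be submitted for analysis.
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
        [pscustomobject]@{
            ValueName = $name
            Data      = $raw
            Reasons   = $reasons -join '; '
            OnDisk    = $exists
            Sha256    = $hash
        }
    }
}

Get-RunKeyFinding | Format-List
```

Run it from a 64-bit PowerShell session, because a 32-bit process is shown the WOW6432Node view of this key.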

Troj/Bancban-CQ monitors which URLs are visited by the web browser and redirects to fake web pages for the following Brazilian banking URLs:

The Trojan will log personal account information. The logged information is sent to remote users via email.
