Troj/Bancos-BT is a password-stealing Trojan targeted at certain Brazilian online banking websites.
The Trojan displays fake login screens for a number of Brazilian banks that offer online services in an attempt to steal bank account details.
Troj/Bancos-BT consists of a multicomponent dropper and a main executable.
Upon execution, the dropper creates the following files in the Windows system folder: the main executable, with the filename marcx.exe, which it then runs; clean text files called foxdll.vxd and first.dll; and a clean DLL with the filename crss1.ocx, which provides an SMTP Control for Visual Basic files.
A copy of the Trojan main executable is also created in the Windows help folder with the filename unicox.exe.
To run automatically when Windows starts up, Troj/Bancos-BT sets the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
foxwudy9912
"unicox.exe"
Troj/Bancos-BT also sets a number of registry entries related to the SMTP control DLL.
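A read-only triage check for the artifacts listed above, as an added example that is not code from the original description. It assumes the "Windows system folder" is System32 (or SysWOW64, where 32-bit processes are redirected on 64-bit Windows), that the help folder is %SystemRoot%\Help, and that PowerShell 4 or later is available; the function name and the Strong/Weak grading are hypothetical choices made for this example.

```powershell
# Added example. File and value names come from the description above;
# folder locations and the WOW6432Node view are assumptions (see lead-in).
function Get-BancosBtFinding {
    param(
        [string]$WindowsRoot = $env:SystemRoot,
        [string[]]$RunKeys = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        )
    )
    # Strong = Trojan component. Weak = file the description calls clean,
    # so it supports a finding but should not raise an alert by itself.
    $files = @(
        @{ Name = 'marcx.exe';  Dirs = 'System32', 'SysWOW64'; Strength = 'Strong' },
        @{ Name = 'unicox.exe'; Dirs = 'Help';                 Strength = 'Strong' },
        @{ Name = 'foxdll.vxd'; Dirs = 'System32', 'SysWOW64'; Strength = 'Weak' },
        @{ Name = 'first.dll';  Dirs = 'System32', 'SysWOW64'; Strength = 'Weak' },
        @{ Name = 'crss1.ocx';  Dirs = 'System32', 'SysWOW64'; Strength = 'Weak' }
    )
    foreach ($f in $files) {
        foreach ($d in $f.Dirs) {
            $path = Join-Path (Join-Path $WindowsRoot $d) $f.Name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                # Record the hash so the file can be compared with a known-good copy.
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                [pscustomobject]@{ Strength = $f.Strength; Type = 'File'
                                   Location = $path; Detail = $hash }
            }
        }
    }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }   # key absent, e.g. no WOW6432Node on 32-bit hosts
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            # Match the value name, or any Run entry that launches either executable.
            if ($p.Name -eq 'foxwudy9912' -or "$($p.Value)" -match '\b(unicox|marcx)\.exe\b') {
                [pscustomobject]@{ Strength = 'Strong'; Type = 'RunValue'
                                   Location = "$key\$($p.Name)"; Detail = "$($p.Value)" }
            }
        }
    }
}

Get-BancosBtFinding | Sort-Object Strength | Format-Table -AutoSize
```

A host that returns only Weak rows may simply have the SMTP control or unrelated files with the same names installed; a Strong row is what warrants isolating the machine and resetting any banking credentials used on it.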