Troj/Bancos-BW is a password-stealing Trojan for the Windows platform that targets customers of Brazilian banks.
Once executed, Troj/Bancos-BW copies itself to the Windows system folder with the filename REGCXDINAF.EXE. To run automatically when Windows starts up, it sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Regcxdinaf = %SYSTEM%\REGCXDINAF.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Regcxdinaf = %SYSTEM%\REGCXDINAF.EXE
Troj/Bancos-BW will also create two non-malicious Microsoft DLLs, mswinsck.ocx and richtx32.ocx, in the Windows system folder. The Trojan may also copy these files to the Windows folder. The files are not malicious and may be deleted if the user wishes.
Troj/Bancos-BW monitors a user's internet access, and when certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into inputting their details.
Troj/Bancos-BW may also try to connect to a predefined website.
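
A host check for the persistence artefacts listed above, added here as an example and not part of the original description: it looks for the Regcxdinaf value under both Run keys and for REGCXDINAF.EXE in the system folder. The folders tried for %SYSTEM% are an assumption about the host being checked.

```powershell
# Added example: the indicators below are copied from this entry.
$valueName = 'Regcxdinaf'
$fileName  = 'REGCXDINAF.EXE'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Assumption: %SYSTEM% resolves to one of these folders on the host being checked.
$systemDirs = @(
    [Environment]::SystemDirectory,
    (Join-Path $env:windir 'SysWOW64'),
    (Join-Path $env:windir 'System')
) | Select-Object -Unique

$findings = @()

foreach ($keyPath in $runKeys) {
    # RunServices may not exist on the host; a missing key is not a finding.
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Match on either the value name or the executable it launches.
        if ($name -eq $valueName -or $data -like "*$fileName*") {
            $findings += [pscustomobject]@{
                Type = 'RegistryValue'; Location = $keyPath; Name = $name; Detail = $data
            }
        }
    }
}

foreach ($dir in $systemDirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Record the hash so the file can be matched against vendor detections.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $dir; Name = $fileName; Detail = "SHA256 $hash"
        }
    }
}

# mswinsck.ocx and richtx32.ocx are not checked: the entry states they are not malicious.
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Troj/Bancos-BW persistence indicators found.'
}
```

Run it from an elevated 64-bit PowerShell session so that both the native system folder and SysWOW64 are visible to the file check.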