Troj/Bancos-EC

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Bancos-EC is an Internet Banking Trojan for the Windows platform.

Troj/Bancos-EC monitors the user's internet activity and displays fake login pages if the user visits certain predefined URLs. Any login details entered on the fake pages are logged.

The Trojan may attempt to send the stolen information to a remote address.

When first run, Troj/Bancos-EC creates the following files:

<System>\drivers\copy38.exe
<System>\drivers\bzr.exe
<System>\drivers\lsassig.exe
<System>\drivers\rze.exe
<System>\drivers\sza.exe
<System>\drivers\uzn.exe
<System>\drivers\nze.exe

The Trojan also creates the following data files, which may be deleted:

<System>\drivers\bza.bxz
<System>\drivers\bzb.bxz
<System>\drivers\bzr.bxz
<System>\drivers\copy38.bxz
<System>\drivers\cza.bxz
<System>\drivers\izt.bxz
<System>\drivers\nze.bxz
<System>\drivers\rze.bxz
<System>\drivers\sza.bxz
<System>\drivers\uzn.bxz
<System>\windvx.sso

Troj/Bancos-EC may also store stolen information under the following folder:

<System>\drivers\temp_log - this may be deleted.

The following registry entry is created to run lsassig.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lsassig
<System>\drivers\lsassig.exe
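
A host check built from the indicators above, as an added example that is not part of the original description: it looks for the listed files and the lsassig Run value. It assumes <System> means the Windows system folder; checking SysWOW64 and every loaded user hive goes beyond what the page states.

```powershell
# <System> is assumed to be the Windows system folder. SysWOW64 is checked too,
# because 32-bit processes on 64-bit Windows are redirected there from System32.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ }

# Relative paths copied from the file lists on this page.
$relative  = @('copy38','bzr','lsassig','rze','sza','uzn','nze' |
    ForEach-Object { "drivers\$_.exe" })
$relative += 'bza','bzb','bzr','copy38','cza','izt','nze','rze','sza','uzn' |
    ForEach-Object { "drivers\$_.bxz" }
$relative += 'windvx.sso', 'drivers\temp_log'

$fileHits = foreach ($dir in $systemDirs) {
    foreach ($rel in $relative) {
        $path = Join-Path $dir $rel
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force   # -Force: include hidden items
            [pscustomobject]@{
                Type     = 'File'
                Location = $path
                Detail   = 'Created (UTC) ' + $item.CreationTimeUtc.ToString('s')
            }
        }
    }
}

# The Run value is per-user (HKCU), so check every loaded user hive.
# Reading other users' hives needs an elevated session; unloaded profiles are not covered.
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$runHits = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key   = "Registry::$($_.Name)\$runSubKey"
        $value = (Get-ItemProperty -LiteralPath $key -Name 'lsassig' -ErrorAction SilentlyContinue).lsassig
        if ($value) {
            [pscustomobject]@{ Type = 'RunValue'; Location = "$key\lsassig"; Detail = $value }
        }
    }

# Drop empty results so the count reflects real hits only.
$findings = @(@($fileHits) + @($runHits) | Where-Object { $_ })
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the listed Troj/Bancos-EC artifacts were found.'
}
```

A hit on the Run value whose data points at `drivers\lsassig.exe` ties the persistence entry to the dropped file; a file hit alone should still be triaged before removal.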
