Troj/Bancos-EE is an Internet Banking Trojan for the Windows platform.
Troj/Bancos-EE targets the users of several Brazilian banks, by monitoring the user's internet activity and displaying fake login pages if the user visits certain predefined URLs. Any login details entered on the fake pages are logged.
Troj/Bancos-EE contains the functionality to email these logged details to a remote user.
When first run Troj/Bancos-EE copies itself to <Windows>\kernels32.exe and creates the file <Windows>\ieupdate.dat.
The file <Windows>\ieupdate.dat is a harmless file and can be safely deleted.
The following registry entries are created to run kernels32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Service System
<Windows>\kernels32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run
Service System
<Windows>\kernels32.exe
Troj/Bancos-EE may attempt to access the internet and download a file from a remote server via HTTP. At the time of writing, this file was unavailable.