Troj/Bancos-FJ is an Internet Banking Trojan for the Windows platform.
Troj/Bancos-FJ targets the users of several Brazilian banks, by monitoring the user's internet activity and displaying fake login pages if the user visits certain predefined URLs. Any login details entered on the fake pages are logged.
Troj/Bancos-FJ contains the functionality to email these logged details to a remote user.
Troj/Bancos-FJ attempts to copy the W32/Rox-A into memory so that it can infect files.
When first run Troj/Bancos-FJ copies itself to <Windows>\wernell87.exe and creates the file <Windows>\filedate.dat.
The file <Windows>\filedate.dat is harmless and can be safely deleted.
The following registry entries are created to run wernell87.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Service System
<Windows>\wernell87.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run
Service System
<Windows>\wernell87.exe