Troj/Banker-BR

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Banker-BR is an information stealing Trojan aimed at customers of a Brazilian bank.

Troj/Banker-BR will monitor a user's internet access. When certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into entering their details.

Troj/Banker-BR will then send the stolen details to a Brazilian email address.

The Trojan drops its main keylogging component, SYSDLL.EXE, into the Windows folder and creates the following registry entry so that it runs on computer logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Media Player
%WINDOWS%\Sysdll.exe

The Trojan also creates the folder htmCache in the Windows folder and drops the following files into it:

ita.zip (zipped file containing html files and gif images)
itaok.html
ita\bg_box_teclado.gif
ita\error.htm
ita\principal.htm
ita\principal_jur.htm

These files are non-malicious and may be safely deleted.
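A host check for the artifacts listed above, as an added example that is not part of the original Sophos description. The function name and output shape are assumptions, and the WOW6432Node key is included on the assumption that a 32-bit process on 64-bit Windows writes to the redirected registry view.

```powershell
# Added example: host check for the artifacts named in this description.
# Indicator values come from the page; the function name and output shape are illustrative.
function Test-BankerBRArtifacts {
    param([string]$WindowsDir = $env:windir)

    $findings = @()

    # Run-key persistence: value "Media Player" whose data points at Sysdll.exe.
    # The WOW6432Node view is an assumption covering a 32-bit process on 64-bit Windows.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $prop = Get-ItemProperty -Path $key -Name 'Media Player' -ErrorAction SilentlyContinue
        if ($prop) {
            $data = [Environment]::ExpandEnvironmentVariables([string]$prop.'Media Player')
            $findings += [pscustomobject]@{
                Type   = 'RunValue'
                Path   = "$key\Media Player"
                Detail = $data
                # A "Media Player" value alone is weak evidence; the Sysdll.exe target is the indicator.
                Match  = [bool]($data -match '(?i)\\sysdll\.exe')
            }
        }
    }

    # Dropped keylogging component and the files placed under htmCache.
    $relative = @(
        'Sysdll.exe',
        'htmCache\ita.zip',
        'htmCache\itaok.html',
        'htmCache\ita\bg_box_teclado.gif',
        'htmCache\ita\error.htm',
        'htmCache\ita\principal.htm',
        'htmCache\ita\principal_jur.htm'
    )
    foreach ($rel in $relative) {
        $full = Join-Path $WindowsDir $rel
        if (Test-Path -LiteralPath $full -PathType Leaf) {
            $item = Get-Item -LiteralPath $full -Force   # -Force so hidden files are returned
            $findings += [pscustomobject]@{
                Type   = 'File'
                Path   = $full
                Detail = '{0} bytes, written {1:u}' -f $item.Length, $item.LastWriteTimeUtc
                Match  = $true
            }
        }
    }
    return $findings
}

Test-BankerBRArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty result means none of the listed registry values or files were found on that host.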

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/Banker-BR (detected as Troj/Banker-Fam) since version 3.90.
