Troj/Banker-DT

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Banker-DT is a password stealing Trojan aimed primarily at users of Brazilian banks.

Troj/Banker-DT may arrive as a self-extracting archive file. When first run, the archive will drop one EXE file and two DLL files. All of these files are detected as Troj/Banker-DT.

In order to run automatically each time Windows is started, Troj/Banker-DT will set the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Safe = <path to Trojan EXE>
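A defender-side check for this persistence entry, added here as an example and not part of the Sophos analysis: it parses a constructed "reg export" of the HKCU Run key and reports the path registered under the "Safe" value. The user name and file paths in the sample are invented.

```python
"""Added example (not Sophos tooling): find the Troj/Banker-DT autorun value
("Safe") in a .reg export of the HKCU Run key."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what `reg export "HKCU\...\Run" run.reg` produces.
# The user name, the legitimate entry and the Trojan path are all invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Safe"="C:\\Users\\alice\\AppData\\Local\\Temp\\sys32.exe"
"""

# A quoted .reg string: quotes and backslashes are escaped with a backslash.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\" -> " and \\\\ -> \\ in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: data} for string values under the HKCU Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            # A key header; only track lines while inside the Run key.
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if in_run:
            m = _VALUE_LINE.match(line)
            if m:
                values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def find_banker_dt_autorun(reg_text):
    """Return the path registered as the 'Safe' Run value, or None if absent."""
    for name, data in parse_run_values(reg_text).items():
        if name.lower() == "safe":
            return data
    return None


if __name__ == "__main__":
    print(find_banker_dt_autorun(SAMPLE_REG))
```

On a live host the same check runs against the output of "reg export" for the key above; an entry named "Safe" pointing at an executable in a temporary or user-writable directory is the indicator this page describes.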

Troj/Banker-DT will monitor a user's internet access. When certain pre-defined URLs are viewed, Troj/Banker-DT will record the user's keyboard presses and mouse movements. The Trojan will take screenshots of the user's activity.

Periodically, Troj/Banker-DT will archive the stolen information and email it to a Brazilian email address.

The following URLs are monitored:

