Troj/Banker-ELN attempts to redirect connections to a banking website to a spoof site.
Troj/Banker-ELN modifies the file <System>\drivers\etc\hosts, redirecting connections to the following web addresses to a fixed IP address:
www.banamex.com
banamex.com.mx
bancanetempresarial.banamex.com.mx
boveda.banamex.com
www.banamex.com.mx
www.bancanetempresarial.banamex.com.mx
www.boveda.banamex.com
The Trojan then opens the spoof site in the default browser.