Sophos

Troj/Banker-AK


Summary

Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since 17 November 2004 09:02:02 (GMT)
Detected by: All Sophos products

More Information

Troj/Banker-AK is an information stealing Trojan.

The Trojan monitors a user's internet activity and attempts to steal passwords and login information for online banking websites.

Troj/Banker-AK installs two files, ccApps.exe and registro.exe, in the folder C:\Windows\system and executes them.

CcApps.exe monitors the user's internet activity. When it detects access to one of the following websites (the online banking portals of Banco do Brasil, Bradesco, Caixa and Itaú), the Trojan displays a fake login screen and records the login details the user enters:

http://www.bb.com.br
https://www11.bb.com.br
https://www2.bancobrasil.com.br
http://www.bradesco.com.br
https://wwwss.bradesco.com.br
http://www.caixa.com.br
http://www.itau.com.br
https://bankline.itau.com.br

The stolen information is logged in the file C:\Windows\system\rodando.txt.

Arquivo.exe is a self-extracting archive containing the images the Trojan uses for its fake login screens.

The following image files are created in the C:\Windows\system folder:

Bb.jpg
Bradesco.jpg
Branco.jpg
Caixa.jpg
Gerente.jpg
Itaerro.jpg
Itau.jpg
Tampao.jpg
Tc_Bradesco.jpg
Tc_Bradesco2.jpg
Tc_Virtual_Fisica.jpg
Tc_Virtual_Gerente.jpg
teclado_bg_top.jpg
teclado_bg_top1.jpg
Tela_Caixa.jpg
Tela_Itau.jpg
TelaSenhaBradesco.jpg

Registro.exe modifies the system registry, adding the following entries to ensure that ccApps.exe is run each time a user logs on and that it is not blocked by the Windows Firewall. The firewall value uses the Windows XP application-exception format (path:scope:state:display name); the scope "*" allows connections from any remote address.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    VGA = "C:\Windows\System\ccApps.exe"

HKLM\system\controlset001\services\sharedAccess\parameters\firewallPolicy\standardProfile\authorizedApplications
    C:\Windows\System\ccApps.exe = "C:\Windows\System\ccApps.exe:*:Enabled:ccApps.exe"
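The dropped files, the Run value and the firewall exception listed above can be checked offline against a registry export and a file listing taken from a suspect machine. The following Python script is an added example, not Sophos code or part of the Trojan: the .reg text and the directory listing it scans are constructed here to mirror the description, and the prefix match on the authorizedApplications key (so that a List subkey underneath it also matches) and the folding of ControlSetNNN into CurrentControlSet are the example's own assumptions.

```python
"""Offline indicator check for the Troj/Banker-AK artefacts described above.

Added example, not Sophos or Trojan code. Input is a Windows .reg export (as
produced by `reg export HKLM hklm.reg`) plus a recursive directory listing;
both are constructed inline below so the script runs without a suspect host.
"""
import re

# Indicators taken from the description above (matched case-insensitively).
DROP_DIR = r"c:\windows\system"
DROPPED_EXES = {"ccapps.exe", "registro.exe"}
LOG_FILE = "rodando.txt"
IMAGE_FILES = {
    "bb.jpg", "bradesco.jpg", "branco.jpg", "caixa.jpg", "gerente.jpg",
    "itaerro.jpg", "itau.jpg", "tampao.jpg", "tc_bradesco.jpg",
    "tc_bradesco2.jpg", "tc_virtual_fisica.jpg", "tc_virtual_gerente.jpg",
    "teclado_bg_top.jpg", "teclado_bg_top1.jpg", "tela_caixa.jpg",
    "tela_itau.jpg", "telasenhabradesco.jpg",
}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# Assumption: matched as a prefix, so a trailing \List subkey also counts.
FW_APPS_KEY = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
               r"\firewallpolicy\standardprofile\authorizedapplications")

# One .reg value line: "name"=data (data may be a quoted string, dword:, hex:).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def norm_key(key):
    """Lower-case a key and fold HKEY_LOCAL_MACHINE / ControlSetNNN into one form."""
    k = key.strip().lower().replace("hkey_local_machine", "hklm")
    return re.sub(r"\\controlset\d+\\", r"\\currentcontrolset\\", k)


def _unescape(s):
    # .reg files escape backslashes and quotes inside strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {normalised key: {value name: data}}; REG_SZ data is unquoted,
    other types (dword:, hex:) are kept raw, which is enough for these IOCs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = norm_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_key_persistence(reg):
    """Run values whose target is a dropped executable (the page's 'VGA' value)."""
    return [(n, d) for n, d in reg.get(RUN_KEY, {}).items()
            if _basename(d) in DROPPED_EXES]


def firewall_exceptions(reg):
    """Application exceptions of the form path:scope:Enabled:name for dropped exes."""
    hits = []
    for key, values in reg.items():
        if not key.startswith(FW_APPS_KEY):
            continue
        for name, data in values.items():
            parts = data.split(":")
            # The path itself contains the drive-letter colon, so parts[0:2] is the path.
            if (len(parts) >= 5 and parts[3].lower() == "enabled"
                    and _basename(parts[0] + ":" + parts[1]) in DROPPED_EXES):
                hits.append((name, data))
    return hits


def dropped_files(listing):
    """Paths in the listing that sit in C:\\Windows\\system under a known name."""
    known = DROPPED_EXES | IMAGE_FILES | {LOG_FILE}
    hits = []
    for path in listing:
        directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
        if directory == DROP_DIR and name in known:
            hits.append(path)
    return hits


def assess(reg_text, listing):
    """Combine the checks: a registry hit or an executable/log on disk is a
    positive; a stray image alone is too weak to call on its own."""
    reg = parse_reg_export(reg_text)
    report = {
        "run_key": run_key_persistence(reg),
        "firewall_exception": firewall_exceptions(reg),
        "dropped_files": dropped_files(listing),
    }
    strong = DROPPED_EXES | {LOG_FILE}
    report["infected"] = bool(report["run_key"] or report["firewall_exception"]
                              or any(_basename(p) in strong for p in report["dropped_files"]))
    return report


# Constructed sample input mirroring the description (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VGA"="C:\\Windows\\System\\ccApps.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
"C:\\Windows\\System\\ccApps.exe"="C:\\Windows\\System\\ccApps.exe:*:Enabled:ccApps.exe"
'''
SAMPLE_LISTING = [
    r"C:\Windows\system\ccApps.exe", r"C:\Windows\system\registro.exe",
    r"C:\Windows\system\rodando.txt", r"C:\Windows\system\Bradesco.jpg",
    r"C:\Windows\system\notes.txt", r"C:\Windows\system32\ctfmon.exe",
]
```

Running `assess(SAMPLE_REG, SAMPLE_LISTING)` on the constructed data flags the VGA Run value, the ccApps.exe firewall exception and four of the six listed paths (notes.txt and the system32 file are ignored); on a real host, feed it the output of `reg export HKLM` and a listing of C:\Windows\system. Because the firewall check parses the value data rather than relying on the value name, a renamed entry that still points at one of the dropped executables is caught as well.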
