Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 8 April 2005 03:43:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Banker-CA is a password stealing Trojan for the Windows platform.
When run, Troj/Banker-CA copies itself to the Windows system folder as mailman.exe and creates the following registry entry in order to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
mailman.exe
"<Windows system folder>\mailman.exe"
The Trojan searches the titles of all open windows for any of the following texts:
'Banco Rural - Microsoft Internet Explorer'
'Banco Nossa Caixa S.A. - Microsoft Internet Explorer'
'Banco Santander - Microsoft Internet Explorer'
'B A N R I S U L - Microsoft Internet Explorer'
'Caixa Econômica Federal - Microsoft Internet Explorer'
'[bb.com.br] - Microsoft Internet Explorer'
'Gerenciador Financeiro - Microsoft Internet Explorer'
'Banco Sudameris S.A. - Microsoft Internet Explorer'
'BESC - Banco do Estado de Santa Catarina - Microsoft Internet Explorer'
'BEC - Banco do Estado do Ceará - Microsoft Internet Explorer'
'Banespa - Microsoft Internet Explorer'
'Bradesco - Colocando você sempre à frente - Microsoft Internet Explorer'
Troj/Banker-CA logs keypresses to TXT files in the following folder (created by the Trojan):
C:\Windows\SSH2\
The Trojan sends the collected information to a remote site via FTP.
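A read-only triage check for the three host artifacts listed above (the Run value, the dropped mailman.exe and the C:\Windows\SSH2 folder), as an added example that is not part of the Sophos description. The function name Get-BankerCAIndicator is hypothetical, and the Wow6432Node and SysWOW64 locations are assumptions covering a 32-bit sample on 64-bit Windows.

```powershell
# Added example: triage for the Troj/Banker-CA host artifacts described above.
# Get-BankerCAIndicator is a hypothetical name; it only reads, never deletes.
function Get-BankerCAIndicator {
    $findings = @()

    # Run key from the description, plus the 32-bit registry view
    # (assumption: on 64-bit Windows a 32-bit sample is redirected there).
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # -ieq and -match are case-insensitive, as registry names and paths are.
            if ($name -ieq 'mailman.exe' -or $data -match '\\mailman\.exe') {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Path = $path; Detail = "$name = $data" }
            }
        }
    }

    # Dropped copy in the Windows system folder (SysWOW64 is an assumption,
    # for the same redirection reason).
    $sysDirs = [Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')
    foreach ($dir in $sysDirs) {
        $exe = Join-Path $dir 'mailman.exe'
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $f = Get-Item -LiteralPath $exe -Force
            $findings += [pscustomobject]@{
                Type = 'DroppedFile'; Path = $exe
                Detail = "$($f.Length) bytes, created $($f.CreationTimeUtc.ToString('u'))" }
        }
    }

    # Keystroke log folder created by the Trojan.
    $logDir = 'C:\Windows\SSH2'
    if (Test-Path -LiteralPath $logDir -PathType Container) {
        $logs = @(Get-ChildItem -LiteralPath $logDir -Filter *.txt -Force)
        $findings += [pscustomobject]@{
            Type = 'LogFolder'; Path = $logDir; Detail = "$($logs.Count) TXT file(s)" }
    }
    $findings
}

Get-BankerCAIndicator | Format-Table -AutoSize -Wrap
```

An empty result means only that these artifacts are absent under the names given in this description.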

