Summary

| Attribute | Value |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | January 2005 (3.89) |
| Protection available since | 17 November 2004 09:02:02 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Banker-AK is an information-stealing Trojan.
The Trojan monitors a user's internet activity and attempts to steal passwords and login information for online banking websites.
Troj/Banker-AK installs two files, ccApps.exe and registro.exe, in the folder C:\Windows\system and executes them.
ccApps.exe monitors a user's internet activity. When it detects access to one of the following websites, the Trojan displays a fake login screen and records the user's login details:
http://www.bb.com.br
https://www11.bb.com.br
https://www2.bancobrasil.com.br
http://www.bradesco.com.br
https://wwwss.bradesco.com.br
http://www.caixa.com.br
http://www.itau.com.br
https://bankline.itau.com.br
The stolen information is logged in the file C:\Windows\system\rodando.txt.
Arquivo.exe is a self-extracting archive containing images used by the Trojan.
The following image files are created in the C:\Windows\system folder:
Bb.jpg
Bradesco.jpg
Branco.jpg
Caixa.jpg
Gerente.jpg
Itaerro.jpg
Itau.jpg
Tampao.jpg
Tc_Bradesco.jpg
Tc_Bradesco2.jpg
Tc_Virtual_Fisica.jpg
Tc_Virtual_Gerente.jpg
teclado_bg_top.jpg
teclado_bg_top1.jpg
Tela_Caixa.jpg
Tela_Itau.jpg
TelaSenhaBradesco.jpg
Registro.exe modifies the system registry, adding the following entries to ensure that ccApps.exe is run each time a user logs on and that it is not hindered by the Windows firewall.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VGA = "C:\Windows\System\ccApps.exe"

HKLM\system\controlset001\services\sharedAccess\parameters\firewallPolicy\standardProfile\authorizedApplications
C:\Windows\System\ccApps.exe = "C:\Windows\System\ccApps.exe:*:Enabled:ccApps.exe"
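A read-only check for the artifacts described above (the dropped files, the Run value and the firewall exception), added here as an example and not part of the Sophos advisory. It assumes PowerShell on the affected Windows host; the file paths, registry keys and value names are those given above, and the additional look into a List subkey under authorizedApplications is an assumption about where the Windows XP SP2 firewall keeps its exception list.

```powershell
# Added example, not from the Sophos advisory: read-only checks for the
# Troj/Banker-AK artifacts listed above. Paths and value names come from
# the advisory; the function names are this example's own.
# Assumption: the XP SP2 firewall stores exceptions in a "List" subkey
# below AuthorizedApplications, so that subkey is inspected as well.

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$fwKey  = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications'
$files  = @('C:\Windows\System\ccApps.exe',
            'C:\Windows\System\registro.exe',
            'C:\Windows\System\rodando.txt')

# Return every value under $key whose name or data matches $pattern (regex).
function Find-MatchingValue([string]$key, [string]$pattern) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata
        if ($p.Name -match $pattern -or "$($p.Value)" -match $pattern) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Data = "$($p.Value)" }
        }
    }
}

function Test-BankerAK {
    $findings = @()
    # Dropped binaries and the credential log
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Key = 'file'; Name = $f; Data = '' }
        }
    }
    # Logon persistence: Run value "VGA" pointing at ccApps.exe
    $findings += @(Find-MatchingValue $runKey 'ccApps\.exe')
    # Firewall exception of the form "<path>:*:Enabled:ccApps.exe"
    foreach ($k in @($fwKey, "$fwKey\List")) {
        $findings += @(Find-MatchingValue $k 'ccApps\.exe.*:Enabled:')
    }
    return $findings
}

$hits = @(Test-BankerAK)
if ($hits.Count -eq 0) {
    Write-Output 'No Troj/Banker-AK artifacts found.'
} else {
    $hits | Format-Table -AutoSize
}
```

The script only reads the registry and file system; removal should follow the vendor's Trojan removal instructions referenced in the Action section.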
