Malware type: Trojan

Aliases: Trojan-Downloader.Win32.Banload.bjo (Kaspersky), PWS-Banker.dldr (McAfee), Downloader.Bancos (Symantec), TR/Crypt.CFI.Gen (Avira), Troj/Banloa-AZ (Sophos), TrojanDownloader:Win32/Banload (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This Trojan may be downloaded from the Internet. It may also be dropped by another malware. Trend Micro has detected this Trojan being spammed via email. The spammed email message is in Portuguese language.

Below is a sample of the spammed email message:

It connects to the URL http://{BLOCKED}irealestate247.com to download a file, which Trend Micro detects as TSPY_BANKER.FWW. As a result, malicious routines of the downloaded spyware are exhibited on the affected system. The said spyware may steal information, such as user names and passwords, used in online banking Web sites.

It also opens an instance of Internet Explorer and accesses a Web page from the Web site www.youtube.com. The said page contains links to videos related to Saddam Hussein's execution. It does the said routine to hide its malicious routines.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jan. 7, 2007 10:51:59 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.