TROJ_BANLOAD.YZV

This malware is involved in a socially-engineered spam campaign leveraging the popularity of messaging application, WhatsApp. It is offered as a download of the alleged 'desktop' version of the app. Once downloaded, this malware downloads a banking Trojan onto the affected system. Users affected by this malware may find their online bank accounts compromised.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.44.136/Telefones.&.Celulares/Smartphones/iPhone-5S-Apple&16GB&com&Tela-4-iOS-7-Touch&ID&Camera-8MP&Wi-Fi&3G-4G-GPS-MP3&e&Bluetooth-Dourado.aspx=36/chamana18.asp

It saves the files it downloads using the following names:

• %System Root%\HqtStWinBck.exe - detected as TSPY_BANKER.YZV

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.