TSPY_BANCOS.SPL

This spyware gathers certain information on the affected computer. It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Installation

This spyware drops the following copies of itself into the affected system:

• %Windows%\Artigo.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Artigo = "%Windows%\Artigo.exe"

Other System Modifications

This spyware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

Information Theft

This spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• IntErnetBAnkingCAIXA
• www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1
• HSBC Bank Brasil S.A. - Banco M
• BancoSantanderBrasil|Bancodojuntos
• Banco Itaú - Feito Para Você
• Bradesco

It accesses the following site to download its configuration file:

• http://www.{BLOCKED}bcn.com/images/list.txt - list of banks to be monitored

It gathers the following information on the affected computer:

• MAC Address
• Date and Time
• Host Name

It attempts to steal information from the following banks and/or other financial institutions:

• Banco do Brasil
• HSBC Bank Brasil
• Santander
• Banco Itau
• Bradesco

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://www.{BLOCKED}sbcn.com/pdf/Gravatxt.php
• http://www.{BLOCKED}sbcn.com/images/arquivo.php