http://{BLOCKED}5.196.130/bfs/update.dat

 Analysis by: Giancarlo Ricamora

 URL BLOCKING DATE/TIME: 10 May 2012 04:45:00 PM GMT-8
 RATING: HIGH
 DOMAIN: 208.115.196.130
 CATEGORY: Disease Vector
 DESCRIPTION:

TSPY_BANKER.EUIQ accesses this site to download its configuration file. Its configuration file contains information such as the IP addresses or website addresses where this spyware redirects the user to, as well as the title strings of target banks.

This is also the site where TROJ_KILSRV.EUIQ may be downloaded from. TROJ_KILSRV.EUIQ is a component of TSPY_BANKER.EUIQ and it uninstalls software that protects Brazilian bank customers when they perform online banking transactions.