Discovered: July 17, 2003
Updated: April 29, 2010 4:35:04 PM
Also Known As: New Malware.j [McAfee], PWSteal.Bancos [Symantec], Banbra.GRW [Panda Software]
Infection Length: 911,962 bytes and 258,048 bytes
Systems Affected: Windows

Infostealer.Bancos is a detection name used by Symantec to identify malicious software programs that gather confidential financial information from the compromised computer.

These Trojans vary in their sophistication but they typically attempt to run undetected on the compromised computer and collect as much personal information as possible. The information collected may include details about the computer that the Trojan is installed on and also personal online login credentials for financial institutions.

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

If a Symantec antivirus product displays a detection alert for this threat, it means the computer is already protected against this threat and the Symantec product will effectively remove this threat from the computer.

Antivirus Protection Dates

  • Initial Rapid Release version July 17, 2003
  • Latest Rapid Release version January 13, 2020 revision 022
  • Initial Daily Certified version July 17, 2003 revision 007
  • Latest Daily Certified version January 14, 2020 revision 002
  • Initial Weekly Certified release date July 23, 2003

Technical Description

Background information
Infostealer.Bancos first appeared in the summer of 2003, targeting mainly Brazilian banks. Initially each variant targeted a single financial institution, but that approach was not always successful. To increase the success rate, the malware authors began targeting multiple financial institutions per variant.

With this new functionality of targeting multiple financial institutions, Infostealer.Bancos branched out to include other South American banks. The Trojan often arrives as a large file attachment to an email enticing the user to open the file. Typical social engineering tricks used may include stories along the following lines:

  • Check out the latest screen saver
  • Open the attached file to verify your account details
  • Open the attached file to view a video

Once active on the compromised computer, the Trojan attempts to steal information and sends it to a predetermined email address.

Some variants also steal email addresses from Outlook accounts and post them to remote servers. These addresses are then used by the authors to spam the contacts with copies of the Trojan to acquire new victims.

Who creates Infostealer.Bancos?
This Trojan is created by malware authors intending to make a profit by targeting customers of financial institutions when they attempt to use the web to conduct their business online. The information stolen may include personal information such as contact details as well as online access credentials which can allow access to bank account services online.

What can Infostealer.Bancos do?
The Trojan can be configured to perform any of the following actions:
  • Capture screenshots
  • Check the title of active Internet Explorer windows to see if it matches any preconfigured strings
  • Delete all URL cache entries and cookies
  • Display a fake login screen for certain South American banking sites
  • Gather email addresses
  • May display a preconfigured message box
  • May search for and delete predetermined files
  • Record keystrokes
  • Register itself as a service
  • Replace the contents of the hosts file
  • Search for and delete files
  • Send an email with the collected information to the remote attacker
  • Monitor active Internet Explorer windows for user access to various web sites, particularly those of financial institutions
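As an added defensive check that is not part of Symantec's writeup, the following Python script parses a hosts file and flags hostnames mapped to anything other than a loopback or the unspecified address, which is how a hosts-file replacement of the kind listed above would surface. The sample hosts content and the bank hostnames in it are constructed placeholders, not indicators from this writeup.

```python
"""Flag hosts-file entries that redirect hostnames to routable addresses.

A legitimate hosts file normally maps names only to loopback (127.x, ::1) or
to 0.0.0.0 (ad-blocking lists). A Trojan that replaces the hosts file to send
a bank's hostname to an attacker-controlled server breaks that pattern.
"""
import ipaddress
import re

# Constructed sample; the bank hostnames and 198.51.100.23 (a documentation
# range address) are placeholders for illustration only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.blocklist.example
198.51.100.23   www.bank-one.example   # injected by the Trojan
198.51.100.23   online.bank-two.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; strips comments and skips malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # inline comments are legal
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry; ignore rather than crash
        for host in fields[1:]:
            yield ip, host.lower()


def is_benign_mapping(ip):
    """Loopback and the unspecified (0.0.0.0 / ::) address are expected targets."""
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text):
    """Return sorted (hostname, ip) pairs that resolve to a routable address."""
    return sorted({(host, str(ip)) for ip, host in parse_hosts(text)
                   if not is_benign_mapping(ip)})


if __name__ == "__main__":
    # To check a live system, read C:\Windows\System32\drivers\etc\hosts instead.
    for host, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"REVIEW: {host} -> {ip}")
```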

What is stolen?
The information stolen by the Trojan may include the following types:
  • Bank account information
  • Credit card numbers
  • Email addresses
  • Names
  • Passwords, PINs and bank card security verification numbers
  • Security question details

How is it stolen?
When the user visits a web site that is being monitored by the Trojan, the Trojan mimics or manipulates the interface of these sites in an attempt to collect passwords and other sensitive information. It then logs the information entered by the user which will be sent to the remote attacker at a later time.

The authors of these Trojans are constantly evolving the capabilities of the Trojan to deal with new security measures. For example, when certain financial institutions introduced on-screen keyboards to defeat keystroke logging, the Trojan added screen captures as another technique for recording account access information.

Are there any tell-tale signs?
The Trojans are generally designed to be stealthy and are not easily spotted by the casual observer. In some instances the user may notice that a bank's login screen differs from how it looked on a previous day. For example, some of these Trojans inject extra fields into login screens to capture the full PIN, when normally this information is not requested in full, or at all.

The Trojan often arrives as an email attachment with the .scr extension appearing most frequently.

Some variants of Infostealer.Bancos display message boxes of various types to mislead or confuse the user.

The Trojan may email the remote attacker with the stolen information. The emails may have the following characteristics:

Message body:
The message body contains some of the following information:
  • Email User name
  • Email Password
  • POP3 server name for The BAT!
  • POP3 server name for Outlook
  • POP3 server name for Outlook Express
  • The contents of the clipboard
  • The IP address of the compromised computer

What are the risks?
With financial and sensitive information at stake, the risk posed by Infostealer.Bancos is never minimal. Identity theft is the highest risk posed by information-stealing Trojans and is considered personally damaging to the user. Theft of login credentials for financial services can potentially lead to a large financial loss.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall, or better still an Intrusion Prevention System (IPS), will help to block download activity initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent programs such as these from executing in the first place.

Emails that spread Trojan horse programs can often appear to originate from people the user knows. Do not open or execute unexpected message attachments. Be particularly wary of emails claiming that an online account has expired or requires confirmation of details; these are typical ploys used by criminals to trick users into revealing their details. If in doubt, contact the institution directly to verify the validity of any such request.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem, you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry directly. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Writeup By: Angela Thigpen