Infostealer.Bancos!gen


Discovered: May 11, 2006
Updated: May 21, 2010 12:47:46 AM
Infection Length: Varies
Systems Affected: Windows

Infostealer.Bancos!gen is a generic detection for malware that gathers confidential financial information from the compromised computer.

These Trojans vary in their sophistication but they typically attempt to run undetected on the compromised computer and collect as much personal information as possible. The information collected may include details about the computer that the Trojan is installed on and also personal online login credentials for financial institutions.

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

The Trojan uses various icons including those from well known applications to disguise itself.


If a Symantec antivirus product displays a detection alert for this threat, it means the computer is already protected against this threat and the Symantec product will effectively remove this threat from the computer.

Antivirus Protection Dates

  • Initial Rapid Release version May 11, 2006
  • Latest Rapid Release version April 04, 2018 revision 019
  • Initial Daily Certified version May 11, 2006
  • Latest Daily Certified version April 04, 2018 revision 023
  • Initial Weekly Certified release date May 17, 2006


Writeup By: Angela Thigpen and Jarrad Shearer



Background information
The Trojan often arrives as a large file attachment to an email that entices the user to open it. Typical social engineering lures include:

  • Check out the latest screen saver
  • Open the attached file to verify your account details
  • Open the attached file to view a video

Once active on the compromised computer, the Trojan attempts to steal information and sends it to a predetermined email address.

Some variants also steal email addresses from Outlook accounts and post them to remote servers. These addresses are then used by the authors to spam the contacts with copies of the Trojan to acquire new victims.


Who creates the threat?
This Trojan is created by malware authors intending to make a profit by targeting customers of financial institutions when they attempt to use the web to conduct their business online. The information stolen may include personal information such as contact details as well as online access credentials which can allow access to bank account services online.


What can the threat do?
The Trojan can be configured to perform any of the following actions:
  • Capture screenshots
  • Monitor the titles of active Internet Explorer windows and compare them against a preconfigured list of strings, typically the names of financial institutions' web sites
  • Delete the URL cache and cookies
  • Display a fake login screen for certain South American banking sites
  • Gather email addresses
  • Display a preconfigured message box
  • Search for and delete predetermined files
  • Record keystrokes
  • Register itself as a service
  • Replace the contents of the hosts file
  • Send an email containing the collected information to the remote attacker
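
Of the actions above, replacement of the hosts file is the one a defender can check for directly from the file system. The following is an added example, not code from the Symantec writeup: it parses a Windows hosts file, flags financial hostnames that resolve anywhere other than loopback, and also reports a file whose localhost entry is gone, which is what a wholesale replacement rather than an appended entry looks like. The BANK_WATCHLIST substrings and both hosts-file samples are constructed assumptions.

```python
"""Audit a Windows hosts file for bank hostnames redirected away from loopback.

Added example for this writeup, not Symantec's code. The two hosts-file
samples below are constructed, and BANK_WATCHLIST is an assumed list of
substrings that identify financial hostnames.
"""
import ipaddress
import re
import sys
from typing import List, Tuple

# Assumed: substrings marking a hostname as financial. Tune to the
# institutions your users actually visit.
BANK_WATCHLIST = ("bank", "banco", "caixa", "paypal")

# Loopback and the unspecified address are normal targets (ad-block lists
# map to 0.0.0.0); anything else for a bank hostname is a redirect.
HARMLESS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0", "::")}

ENTRY = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname on each line."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        match = ENTRY.match(line)
        if not match:
            continue                          # blank or comment-only line
        address, names = match.group(1), match.group(2).split()
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def find_hijacks(text: str, watchlist=BANK_WATCHLIST) -> List[dict]:
    """Flag financial hostnames mapped to any address other than loopback.

    Also reports a file that no longer maps 'localhost' to loopback, which
    is what a wholesale replacement of the file looks like.
    """
    findings = []
    localhost_ok = False
    for address, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"host": host, "address": address,
                             "reason": "unparsable address"})
            continue
        if host == "localhost" and addr.is_loopback:
            localhost_ok = True
        if addr in HARMLESS:
            continue
        if any(token in host for token in watchlist):
            findings.append({"host": host, "address": address,
                             "reason": "financial hostname redirected"})
    if not localhost_ok:
        findings.append({"host": "localhost", "address": None,
                         "reason": "loopback entry for localhost missing"})
    return findings


def hijacked_hosts(text: str, watchlist=BANK_WATCHLIST) -> List[str]:
    """Just the redirected financial hostnames, in file order."""
    return [f["host"] for f in find_hijacks(text, watchlist)
            if f["reason"] == "financial hostname redirected"]


# Constructed sample: a normal file with two bank redirects appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-blocker entry, benign
10.0.0.5        intranet.corp.example  # internal host, not financial
203.0.113.7     www.banco-exemplo.com.br banco-exemplo.com.br
203.0.113.7     internetbanking.example-bank.com
"""

# Constructed sample: the whole file replaced, so the localhost line is gone.
REPLACED_HOSTS = "203.0.113.7 www.banco-exemplo.com.br\n"

if __name__ == "__main__":
    # Pass the real path (C:\Windows\System32\drivers\etc\hosts) to audit a machine.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"{f['reason']}: {f['host']} -> {f['address']}")
```

With no argument the script runs over the constructed sample; pass the path of the real file to audit a machine. The check only reads the file, so it is safe on a suspect host, but a clean hosts file does not rule the Trojan out: the fake login screens and Internet Explorer window monitoring listed above leave no trace here.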


What is stolen?
The information stolen by the Trojan may include the following types:
  • Bank account information
  • Credit card numbers
  • Email addresses
  • Names
  • Passwords, PINs, and Bank Card Security Verification Numbers
  • Security question details


How is it stolen?
When the user visits a website that is being monitored by the Trojan, the Trojan mimics or manipulates the interface of that site in an attempt to collect passwords and other sensitive information. It logs what the user enters and sends it to the remote attacker later.

The authors of these Trojans constantly evolve their capabilities to deal with new security measures. For example, when certain financial institutions introduced on-screen keyboards to defeat keystroke logging, the Trojan gained screen-capture functionality so that account access information could still be recorded while the user typed on the virtual keyboard.
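
Before submitting a suspect file for analysis, a quick static pass over its strings often shows which of the capabilities described here it carries. The following is an added example, not Symantec's analysis tooling: it extracts printable ASCII and UTF-16LE runs from a file (window-title trigger strings in GUI code are often stored as UTF-16) and maps them to the behaviours this writeup lists. The Win32 API names are real imports such code commonly uses; the bank and mail tokens are assumed placeholders, and SAMPLE is a constructed byte blob standing in for a sample. A packed sample will show little until it is unpacked.

```python
"""Static triage of a suspected banking-trojan sample by its strings.

Added example for this writeup, not Symantec's analysis tooling. SAMPLE is a
constructed byte blob; INDICATORS is an assumed heuristic vocabulary that
maps strings to the capabilities the writeup lists.
"""
import re
from typing import Dict, List

# Assumed heuristics. The Win32 names are real imports such code commonly
# uses for each purpose; the bank and mail tokens are generic placeholders.
INDICATORS: Dict[str, tuple] = {
    "window_watch": ("getforegroundwindow", "getwindowtext", "findwindow"),
    "keylog":       ("getasynckeystate", "setwindowshookex"),
    "screenshot":   ("bitblt", "createcompatiblebitmap"),
    "smtp_exfil":   ("smtp.", "mail from:", "rcpt to:", "ehlo "),
    "hosts_tamper": ("drivers\\etc\\hosts",),
    "service":      ("createservice", "openscmanager"),
    "bank_title":   ("internet banking", "banco ", "bank "),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs, five characters or longer."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_hits = [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data)]
    return ascii_hits + wide_hits


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each suspected capability to the strings that suggested it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        low = s.lower()
        for capability, tokens in INDICATORS.items():
            if any(t in low for t in tokens):
                hits.setdefault(capability, []).append(s)
    return hits


def looks_like_banker(hits: Dict[str, List[str]]) -> bool:
    """Bank-specific trigger strings combined with a capture or exfiltration
    capability is the pattern worth escalating (and submitting)."""
    capture = {"keylog", "screenshot", "window_watch", "smtp_exfil"}
    return "bank_title" in hits and bool(capture & set(hits))


# Constructed stand-in for a sample: PE-like header, import names, a UTF-16
# window-title trigger, SMTP strings and the hosts file path.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00CreateFileA\x00"
    + b"USER32.dll\x00GetAsyncKeyState\x00SetWindowsHookExA\x00"
    + b"GetForegroundWindow\x00GetWindowTextA\x00"
    + b"GDI32.dll\x00BitBlt\x00" + b"\x00" * 8
    + "Internet Banking - Banco Exemplo".encode("utf-16le") + b"\x00\x00"
    + b"smtp.mail.example.net\x00MAIL FROM:<collector@example.net>\x00"
    + b"C:\\WINDOWS\\system32\\drivers\\etc\\hosts\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    for capability, strings in report.items():
        print(f"{capability}: {strings}")
    print("escalate:", looks_like_banker(report))
```

The output is a lead for the analyst, not a verdict: string matches say which APIs and targets a file references, not that it uses them, and the absence of matches on a packed file means nothing. Submission to Symantec or Threat Expert, as described under "How can I find out more?", is still the way to get a full behavioural report.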
Are there any tell-tale signs?
The Trojans are generally designed to be stealthy and are not easily spotted by the casual observer. In some instances the user may notice that a bank's login screen differs from one day to the next. For example, some of these Trojans inject extra fields into login screens to capture the full PIN, when normally this information is not requested in full or at all.

Some variants of Infostealer.Bancos display message boxes of various types to mislead or confuse the user.
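
The injected-field tell-tale above can be turned into a check. The following is an added example, not code from the Symantec writeup: it extracts the `<input>` fields of a login form and compares them with a baseline recorded from the genuine page, reporting any field the real site never asks for. Both HTML documents are constructed, and BASELINE stands in for the field list a defender would record on a known-clean machine.

```python
"""Compare a bank login page's form fields against a known-good baseline.

Added example for this writeup, not Symantec's code. Both HTML documents
below are constructed; BASELINE stands in for the field list a defender
records from the genuine page on a known-clean machine.
"""
from html.parser import HTMLParser
from typing import List, Set, Tuple

Field = Tuple[str, str]  # (input name, input type)


class FormFields(HTMLParser):
    """Collect (name, type) for every <input> that sits inside a <form>."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[Field] = []
        self._depth = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._depth += 1
        elif tag == "input" and self._depth:
            self.fields.append((a.get("name", "").lower(), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._depth:
            self._depth -= 1


def login_fields(html: str) -> List[Field]:
    parser = FormFields()
    parser.feed(html)
    return parser.fields


def unexpected_fields(html: str, baseline: Set[Field]) -> List[Field]:
    """Fields the page carries now that the baseline did not."""
    return [f for f in login_fields(html) if f not in baseline]


def secret_fields(html: str) -> List[str]:
    """Names of password-type inputs; a login form that suddenly asks for
    two secrets (password plus full PIN) is the writeup's tell-tale sign."""
    return [name for name, kind in login_fields(html) if kind == "password"]


# Constructed: the genuine login form as recorded on a clean machine.
GENUINE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

BASELINE: Set[Field] = set(login_fields(GENUINE))

# Constructed: the same form with two injected fields asking for the full
# PIN and the card security code, which the real site never requests here.
TAMPERED = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="pin_full" placeholder="Enter your full PIN">
  <input type="text" name="card_security_code">
  <input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    for name, kind in unexpected_fields(TAMPERED, BASELINE):
        print(f"unexpected field: {name} ({kind})")
    print("secret fields:", secret_fields(TAMPERED))
```

Record the baseline from a clean machine and feed the page as fetched on the suspect one. The comparison only catches fields injected into the bank's own page; a fake login screen drawn by the Trojan as a separate window, the other technique listed under "What can the threat do?", never touches the browser's form and will not show up here.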
What are the risks?
With financial and other sensitive information at stake, the risk from Infostealer.Bancos is never minor. Identity theft is the highest risk posed by information-stealing Trojans and is personally damaging to the user. Theft of login credentials for financial services can lead to large financial losses.


What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall, or better still an intrusion prevention system (IPS), will help to block the network activity these programs depend on, including the outbound email used to deliver the stolen data. Program controls such as those found in Symantec Endpoint Protection can also help to prevent such programs from executing in the first place.

Emails that spread Trojan horse programs can often appear to originate from people the user knows. Do not open or execute unexpected message attachments. Be particularly wary of emails claiming that an online account has expired or requires confirmation of details; these are typical ploys used by criminals to trick users into revealing their details. Most financial institutions do not send emails asking for sensitive information, precisely because of the security risk of doing so over email. If in doubt, contact the institution directly, using contact details you already hold rather than any given in the message, to verify the validity of the request.


How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If a Windows system file has been infected, you may need to replace it from the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If a Windows system file has been infected, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified; because Infostealer.Bancos!gen is a generic detection, that section does not list specific keys, and a Threat Expert report on the submitted sample (see "How can I find out more?") is the way to identify them. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
