1. Symantec/
  2. Security Response/
  3. Infostealer.Bancos


Risk Level 1: Very Low

July 17, 2003
April 29, 2010 4:35:04 PM
Also Known As:
New Malware.j [McAfee], PWSteal.Bancos [Symantec], Banbra.GRW [Panda Software]
Infection Length:
911,962 bytes and 258,048 bytes
Systems Affected:
Infostealer.Bancos is a detection name used by Symantec to identify malicious software programs that gather confidential financial information from the compromised computer.

Background information
Infostealer.Bancos first appeared in the Summer of 2003 targeting mainly Brazilian banks. Initially, the Trojans targeted one particular financial institution per variant, but this method of targeting one institution per variant was not always successful. To try and increase the success rate, the malware authors began targeting multiple financial institutions per variant.

With this new functionality of targeting multiple financial institutions, Infostealer.Bancos branched out to include other South American banks. The Trojan often arrives as a large file attachment to an email enticing the user to open the file. Typical social engineering tricks used may include stories along the following lines:
  • Check out the latest screen saver
  • Open the attached file to verify your account details
  • Open the attached file to view a video

Once active on the compromised computer, the Trojan attempts to steal information and sends it to a predetermined email address.

Some variants also steal email addresses from Outlook accounts and post them to remote servers. These addresses are then used by the authors to spam the contacts with copies of the Trojan to acquire new victims.

Who creates Infostealer.Bancos?
This Trojan is created by malware authors intending to make a profit by targeting customers of financial institutions when they attempt to use the web to conduct their business online. The information stolen may include personal information such as contact details as well as online access credentials which can allow access to bank account services online.

What can Infostealer.Bancos do?
The Trojan can be configured to perform any of the following actions:
  • Captures Screenshots
  • Checks the title of active Internet Explorer Windows to see if it matches any preconfigured strings.
  • Delete all the URL cache and cookies.
  • Display a fake login screen for certain South American banking sites
  • Gather email addresses
  • May display a preconfigured message box
  • May search for and delete predetermined files
  • Record keystrokes
  • Register itself as a service
  • Replace the contents of hosts file
  • Search for and deletes files
  • Send an email with the collected information to the remote attacker
  • Monitor active Internet Explorer windows for user access to various web sites, particularly those of financial institutions.

What is stolen?
The information stolen by the Trojan may includes the following types:
  • Bank account information
  • Credit card numbers
  • Email addresses
  • Names
  • Passwords, PINs and Bank Card Security Verification Number
  • Security question details

How is it stolen?
When the user visits a web site that is being monitored by the Trojan, the Trojan mimics or manipulates the interface of these sites in an attempt to collect passwords and other sensitive information. It then logs the information entered by the user which will be sent to the remote attacker at a later time.

The authors of these Trojans are constantly evolving the capabilities of the Trojan to deal with new security measures. For example in response to new security measures instituted by certain financial institutions to use on-screen keyboards to defeat key stroke logging, the Trojan added another technique to steal financial information by using screen captures to record account access information.

Are there any tell-tale signs?
The Trojans are generally designed to be stealthy and are not easily spotted by the casual observer. In some instances the user may recognize discrepancies between the original login screen for a bank from one day to the next. For example some of these Trojans may inject extra fields into login screens to capture the full PIN when normally this information may not be requested in full or at all.

The Trojan often arrives as an email attachment with the .scr extension appearing most frequently.

Some variants of Infostealer.Bancos display message boxes of various types to mislead or confuse the user.

The Trojan may email the remote attacker with the stolen information. The emails may have the following characteristics:

Message body:
The message body contains some of the following information:
  • Email User name
  • Email Password
  • POP3 server name for The BAT!
  • POP3 server name for Outlook
  • POP3 server name for Outlook Express
  • The contents of the clipboard
  • The IP address of the compromised computer

What are the risks?
With financial and sensitive information at stake, there is no minimal risk with Infostealer.Bancos. Identity theft is the highest risk posed by information stealing Trojans and is a risk considered to be personally damaging to a user. Theft of login credentials for financial services can potentially lead to a large financial loss.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block download activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent programs such as these from executing in the first place.

Emails that spread Trojan horse programs can often appear to originate from people the user knows. Do not open or execute unexpected message attachments. Be particularly wary of emails informing that an online account has expired or requires confirmation of details. These are typical ploys used by criminals to trick users into revealing their details. If in doubt contact the institutions directly to verify the validity of any requests that may be received.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.
Writeup By: Angela Thigpen
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube