Most of the visible and serious problems facing the Internet today stem from a huge ecosystem of malicious software and tools. Trojan.Win32.Bancos is one of the current threats: a banking Trojan. As an info stealer that waits for the user to access banking websites, Bancos spoofs pages of the bank's website and in this way steals sensitive information.
In order to protect your privacy you must be familiar with this danger, so take a look at the characteristics of this Trojan.
| Name of the threat: | Trojan-Spy.Win32.Bancos |
| File name: | zm.exe |
| Threat type: | Spyware\trojan |
| MD5: | 3c30933e3f4add4864a72db59f45c41c |
| SHA1: | 0cf9766b70a3c86a6c0358bea7dbfe205b563f13 |
| SHA256: | aa519797a0483c1b5caeab84a01ffe47bfc768a2f90f4b75e7e4704364c45abc |
| Operating system: | Windows |
Table 1. Bancos details
Bancos is an Internet banking Trojan for the Windows platform. When run, it copies itself to \tasklist32.exe. At the same time, it uses the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TaskList
\tasklist32.exe
The following registry entry is also used:
HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\InternetMail\RealTimeScan
OnOff
0
Once executed on the victim's system, Bancos connects to its command and control server and downloads a .txt file that contains entries for the hostnames of various financial and government domains. Notably, the downloaded copy replaces the default Windows hosts file, so users trying to log on to one of the legitimate domains are redirected to a malicious server hosting phishing copies of these web sites. The malicious server stores all credentials and sensitive data exchanged on these false web sites.
Table 2 below lists the aliases that Virus Total reported for Trojan/Bancos across antivirus software products.
| Antivirus Company | Name of the Virus |
| AhnLab-V3 | Win-Trojan/Bancos.420864.C |
| AntiVir | TR/Crypt.FKM.Gen |
| Authentium | W32/Bancos.KOM |
| Avast | Win32:Trojan-gen {Other} |
| AVG | PSW.Banker3.AFR |
| BitDefender | Trojan.Generic.5129 |
| CAT-QuickHeal | TrojanSpy.Bancos.zm |
| ClamAV | Trojan.Packed-92 |
| DrWeb | BackDoor.Generic.1470 |
| eSafe | Win32.Bancos.zm |
| eTrust-Vet | Win32/VMalum.MZB |
| Ewido | Logger.Bancos.zm |
| F-Prot | W32/Bancos.KOM |
| F-Secure | Trojan-Banker.Win32.Bancos.zm |
| Fortinet | Spy/Bancos |
| GData | Trojan.Generic.5129 |
| Ikarus | Trojan-Spy.Win32.Banker.anv |
| K7AntiVirus | Trojan-Spy.Win32.Bancos.zm |
| Kaspersky | Trojan-Banker.Win32.Bancos.zm |
| McAfee | PWS-Banker |
| Microsoft | TrojanSpy:Win32/Bancos |
| NOD32 | a variant of Win32/Spy.Bancos.ZE |
| Norman | W32/Bancos.NAD |
| Panda | Trj/Bancos.SL |
| PCTools | Trojan-Spy.Bancos!sd5 |
| Prevx1 | Malicious Software |
| Rising | Trojan.Spy.Bancos.ssm |
| SecureWeb-Gateway | Trojan.Crypt.FKM.Gen |
| Sophos | Mal/Behav-210 |
| Sunbelt | -No Detection- |
| TheHacker | Trojan/Spy.Bancos.zm |
| TrendMicro | -No Detection- |
| VBA32 | BackDoor.Generic.1470 |
| ViRobot | Trojan.Win32.Bancos.420864 |
| VirusBuster | TrojanSpy.Banker.NAQ |
Table 2. Trojan Bancos, Virus Total Diagnostic Report
In addition, Trojan-Spy.Win32.Bancos.zm can be recognized as:
%CommonPrograms%\startup\kss.exe
%CommonPrograms%\startup\win32sm.exe
%CommonPrograms%\startup\winnt.exe
%CommonPrograms%\startup\winntx86.exe
%CommonPrograms%\startup\winsys32.exe
%System%\diskdrive.exe
%System%\soundman.exe
%System%\ssmaze.scr
%Windir%\config\svchost.exe
%Windir%\system\plugin.exe
%Windir%\win32sm.exe
%Windir%\winnt.exe
%Windir%\winntx86.exe
%Windir%\winsys32.exe
The following screenshot of Process Explorer, a tool used to track down computer problems, shows the dangerous process, tasklist32.exe, which can be considered evidence of the presence of Bancos on your machine.
Picture 1. Process Explorer indicates trojan Bancos by the process, tasklist32.exe
Malware is likely to attempt to infect computers by exploiting software vulnerabilities. Bancos, for its part, aims to steal financial data from a victim's computer. Unfortunately, the malicious 'hosts' file is retrieved from a remote server, which leaves open the possibility of creating new phishing web sites at any time and allows Bancos to update the victim's hosts file.