To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This Trojan may be downloaded from certain remote sites. It may be downloaded unknowingly by a user visiting malicious Web sites.
It creates a registry key as part of its installation routine.
It uses the following icon related to Macromedia Flash Player to trick users into thinking that it is a legitimate file:
Upon execution, this Trojan displays the following fake message box to trick unsuspecting users into thinking that it fails to execute:
When a user clicks on the OK button, it connects to several Web sites to alert a remote malicious user.
It drops files that are all detected by Trend Micro as TSPY_BANCOS.ABL.
The dropped files are then executed. The Trojan then searches the affected system for the folder C:\Arquivos de Programas (the Program Files folder on Portuguese-language Windows installations), where TROJ_BANKER.PXN is dropped. If the folder is not found, an error message is displayed. Otherwise, it creates the folder PLUGIN under C:\Arquivos de Programas.
It also drops non-malicious files. Because the malicious dropped files are executed, their routines are exhibited on the affected system.
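The on-disk indicators described above (the Portuguese-locale Program Files folder and the PLUGIN subfolder the Trojan creates under it) can be swept for during host triage, either on a live system or on a mounted disk image. The following Python script is an added example and is not Trend Micro's tooling or anything from the original write-up: the function names, the constructed mock file tree and its placeholder file bytes are assumptions. The registry key and the remote sites are not named on this page, so the sweep does not look for them, and a PLUGIN folder on its own is a lead to investigate, not a verdict.

```python
"""Host triage sweep for the on-disk indicators attributed to TROJ_BANKER.PXN:
the pt-BR Program Files folder 'C:\\Arquivos de Programas' and the 'PLUGIN'
subfolder the Trojan creates under it. Added example; the function names and
the demo tree are assumptions, not vendor tooling."""
import hashlib
import os
import tempfile

# Indicator names taken from the write-up, relative to the system drive root.
PROGRAM_FILES_PTBR = "Arquivos de Programas"
DROP_DIR = "PLUGIN"


def sha256_of(path, chunk=1 << 16):
    """Hash a dropped file so it can be pivoted on in other tooling."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_dir_ci(parent, name):
    """Return the subdirectory of `parent` whose name matches `name`
    case-insensitively, or None. NTFS is case-insensitive, so an image
    mounted on Linux must be matched the same way."""
    try:
        for entry in os.listdir(parent):
            full = os.path.join(parent, entry)
            if entry.lower() == name.lower() and os.path.isdir(full):
                return full
    except FileNotFoundError:
        pass
    return None


def sweep(drive_root):
    """Look for the PLUGIN drop folder under the pt-BR Program Files folder
    and inventory its contents. Returns a dict ready for a ticket or SIEM event."""
    result = {"program_files_ptbr": None, "plugin_dir": None, "dropped": []}
    pf = find_dir_ci(drive_root, PROGRAM_FILES_PTBR)
    if pf is None:
        return result  # not a pt-BR install, or the folder was renamed
    result["program_files_ptbr"] = pf
    plugin = find_dir_ci(pf, DROP_DIR)
    if plugin is None:
        return result
    result["plugin_dir"] = plugin
    for dirpath, _, files in os.walk(plugin):
        for fn in files:
            full = os.path.join(dirpath, fn)
            result["dropped"].append(
                {"path": full, "size": os.path.getsize(full), "sha256": sha256_of(full)}
            )
    result["dropped"].sort(key=lambda d: d["path"])
    return result


def build_demo_tree(root):
    """Constructed mock of an infected pt-BR system drive (placeholder bytes,
    not real samples). Lower-case folder name exercises the case-insensitive match."""
    plugin = os.path.join(root, "arquivos de programas", "PLUGIN")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "dropper.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # 64 bytes of stand-in content
    with open(os.path.join(plugin, "readme.txt"), "wb") as f:
        f.write(b"decoy")  # stands in for a non-malicious dropped file
    return plugin


def demo():
    """Run the sweep against a constructed infected tree and a clean tree."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_demo_tree(infected)
        return sweep(infected), sweep(clean)


if __name__ == "__main__":
    hit, miss = demo()
    print("infected:", hit["plugin_dir"], [d["path"] for d in hit["dropped"]])
    print("clean   :", miss)
```

On a real host, call sweep() with the system drive root (for example "C:\\" on the live machine, or the mount point of an offline image). Hashing every file in PLUGIN before any cleanup preserves the evidence needed to match the dropped components against the TSPY_BANCOS.ABL detections mentioned above.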