Aliases: Win32/Bancos.QAR, W32/Malware, W32.Mailbancos@mm
Variants: Bancos QAR, Mal/Banspy-F, Trojan-Downloader.Win32.Banload.sjg, PWS-Banker

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Australia, Europe, North and South America
Removal: Easy
Platform: W32
Discovered: 31 Aug 2005
Damage: Medium

Characteristics: This particular malware is considered as a type of downloader Worm which is capable of retrieving a copy of the Infostealer.Bancos and executing it in the compromised machine. The W32.Mailbancos@mm will harvest email addresses from the infected computer systems and targets them as potentially recipients of the Worm's codes. It has a built-in functionality of spreading across poorly protected network shares to infect other vulnerable computer systems and network environments.

More details about W32.Mailbancos@mm

The W32.Mailbancos@mm will create a new file using the TMP file extension and place it in the same directory location where the original Worm is stored. It will create a new key value in the Windows Registry which point to the specific location of the Worm in the local hard drive. The W32.Mailbancos@mm will generate a corresponding key value that will allow it to load automatically at every reboot or startup instance of the infected computer system. It proceeds by attempting to connect to a predetermined website to download malicious files. The downloaded file will be executed by the W32.Mailbancos@mm into the local hard drive and stored in the directory folder of the operating system. The contents of the Windows Address Book will be harvested.

The W32.Mailbancos@mm will send an email message to the remote attacker which contains information about the infected computer system. It will also send email messages to all the harvested email addresses from the Windows Address Book. The W32.Mailbancos@mm normally uses the Portuguese language in the spiked email message. The message body is normally in HTML format and contains a link to a malicious website possibly controlled by the malicious author. The W32.Mailbancos@mm will be downloaded to the vulnerable machine if the recipient clicks on the link in the message body.