[email protected]

Aliases: Win32/Bancos.QAR, W32/Malware, [email protected]
Variants: Bancos QAR, Mal/Banspy-F, Trojan-Downloader.Win32.Banload.sjg, PWS-Banker

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Australia, Europe, North and South America
Removal: Easy
Platform: W32
Discovered: 31 Aug 2005
Damage: Medium

Characteristics: This malware is classified as a downloader worm: it retrieves a copy of Infostealer.Bancos and executes it on the compromised machine. The [email protected] harvests email addresses from the infected system and uses them as potential recipients of the worm's code. It also has built-in functionality for spreading across poorly protected network shares to infect other vulnerable computers and network environments.

More details about [email protected]

The [email protected] creates a new file with the TMP extension in the same directory where the original worm is stored. It adds a new value to the Windows Registry that points to the worm's location on the local hard drive, and this value causes the worm to load automatically at every reboot or startup of the infected system. It then attempts to connect to a predetermined website to download malicious files. The downloaded file is saved to the operating system's directory on the local hard drive and executed by the [email protected]. Finally, the contents of the Windows Address Book are harvested.
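The behaviour above (an autorun registry value pointing at the worm, a .TMP file dropped beside it, and a payload written into the operating system directory) gives a responder two cheap things to correlate during triage. The script below is an added example written for this page, not code from the original entry or from any vendor tool: it walks a constructed list of Run-key values and a constructed directory listing, and flags entries whose target has a .tmp sibling or sits directly in the Windows directory. The page does not name the registry key the worm uses; the assumption here is the standard HKLM/HKCU ...\CurrentVersion\Run keys, and every path and value name in the sample data is made up.

```python
"""Correlate autorun entries with sibling .TMP files and OS-directory drops.

Added example: the registry values and the directory listing below are
constructed for this demonstration and are not read from a live machine.
"""
import ntpath

# Standard autorun locations (real key paths); the page itself does not say
# which key the worm writes, so using these is an assumption.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample of Run values as (key, value name, data).
SAMPLE_AUTORUNS = [
    (RUN_KEYS[0], "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (RUN_KEYS[1], "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[1], "svchostt", r"C:\Users\alice\Downloads\svchostt.exe"),
    (RUN_KEYS[0], "winupd", r"C:\Windows\winupd.exe"),
]

# Constructed directory listing standing in for the file system.
SAMPLE_FILES = {
    r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Users\alice\Downloads\svchostt.exe",
    r"C:\Users\alice\Downloads\~DF3A1B.tmp",
    r"C:\Windows\winupd.exe",
    r"C:\Windows\explorer.exe",
}


def extract_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted form: the path ends at the first ".exe"; fall back to the first token.
    idx = data.lower().find(".exe")
    return data[:idx + 4] if idx >= 0 else data.split(" ")[0]


def flag_autoruns(autoruns, files, windir=r"C:\Windows"):
    """Return (value name, reasons) for autorun targets matching the described behaviour.

    Reasons are triage signals, not verdicts:
      tmp_sibling     - a .tmp file lives in the same directory as the target
      in_windows_dir  - the target sits directly in the OS directory (not a subfolder)
    """
    files_lower = {f.lower() for f in files}
    findings = []
    for _key, name, data in autoruns:
        directory = ntpath.dirname(extract_path(data)).lower()
        reasons = []
        if any(f.endswith(".tmp") and ntpath.dirname(f) == directory for f in files_lower):
            reasons.append("tmp_sibling")
        if directory == windir.lower():
            reasons.append("in_windows_dir")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_autoruns(SAMPLE_AUTORUNS, SAMPLE_FILES):
        print(f"{name}: {', '.join(reasons)}")
```

On a real host the two inputs would come from `reg query` of the Run keys and a directory listing of each referenced path; the correlation logic stays the same. Legitimate installers occasionally leave .tmp files next to their binaries, so a hit is a reason to pull the file for analysis, not a removal decision on its own.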

The [email protected] sends an email message to the remote attacker containing information about the infected computer system. It also sends email messages to all addresses harvested from the Windows Address Book. These messages are normally written in Portuguese, with an HTML body containing a link to a malicious website possibly controlled by the malware's author. The [email protected] is downloaded to the recipient's machine if the recipient clicks the link in the message body.