Win32/Bancos.QAR, W32/Malware, [email protected]
Bancos QAR, Mal/Banspy-F, Trojan-Downloader.Win32.Banload.sjg, PWS-Banker
Category: Computer Worm
Active & Spreading
Asia, Australia, Europe, North and South America
31 Aug 2005
This malware is classified as a downloader worm: it retrieves a copy of Infostealer.Bancos and executes it on the compromised machine. The [email protected] worm harvests email addresses from the infected computer and targets them as potential recipients of the worm's code. It also has built-in functionality for spreading across poorly protected network shares to infect other vulnerable computers and network environments.
If you have malware on your computer it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
The [email protected] worm creates a new file with the TMP file extension and places it in the same directory where the original worm is stored. It creates a new key value in the Windows Registry that points to the worm's location on the local hard drive. The [email protected] worm also generates a corresponding key value that allows it to load automatically at every reboot or startup of the infected computer. It then attempts to connect to a predetermined website to download malicious files. The downloaded file is executed by the [email protected] worm, written to the local hard drive and stored in the operating system's directory. The contents of the Windows Address Book are harvested.
The [email protected] worm sends an email message to the remote attacker containing information about the infected computer. It also sends email messages to all the addresses harvested from the Windows Address Book. The [email protected] worm normally uses Portuguese in the email messages it sends. The message body is normally in HTML format and contains a link to a malicious website, possibly controlled by the malware author. The [email protected] worm is downloaded to the vulnerable machine if the recipient clicks the link in the message body.