Installation
Win32/Banker can be downloaded onto your PC by other malware, often detected as Win32/Banload variants. Banker files can use the file extensions JPEG, SCR, GIF, CPL, VXD, PIF, or MP3.
Most Win32/Banker variants target customers of Brazilian banks; however, some variants also target banks in Mexico, Argentina, Spain, France, the United Kingdom, and Ireland, to name a few.
Many variants of Win32/Banker drop copies of themselves along with configuration files to different folders on the infected PC, such as the default Windows folder, the default Windows system folder, and the default startup folder. Its main executable might contain the string cartao, which is the Portuguese word for card.
Win32/Banker also often configures itself to run automatically each time Windows starts by editing the system registry, or by installing itself as a Browser Helper Object (BHO) with its own unique GUID.
Payload
Disables security software
Some variants try to disable security software like antivirus and firewall programs.
Steals banking information
Many Win32/Banker variants check which browsers are open and which websites those browsers have loaded. Specifically, it checks whether the webpage title or URL pertains to a banking website. Many variants log keystrokes to record whatever you enter to log on to the website. To be more effective at stealing your banking information, Win32/Banker might display a webpage similar in appearance to your actual banking website, in which case the credentials you enter are sent directly to a hacker. It can also take screenshots of your infected PC if you access the bank login page.
Win32/Banker sends the stolen information to a hacker in different ways, including sending an email to the attacker, uploading the stolen information to a hacker's FTP site, and sending the information to the hacker via HTTP POST.
Proxy functionality
Some Win32/Banker variants drop a malicious configuration script that can redirect your Internet traffic through a hacker-controlled proxy. It does this by setting the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigUrl"
With data: "<path and file name of script>"
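A defender-side audit of the settings this description names (the AutoConfigUrl proxy redirection above, and the BHO and autostart persistence under Installation), added here as an example and not part of the original analysis. It assumes an elevated PowerShell session on the host being checked, and it uses the standard Browser Helper Objects and Run registry paths, which the page itself does not list.

```powershell
# Added audit example (not from the original analysis). Lists the registry
# settings Win32/Banker is described as touching so an analyst can review them:
#   - "AutoConfigUrl" under Internet Settings (proxy redirection via a PAC script)
#   - Browser Helper Object registrations (persistence under a unique GUID)
#   - Run keys (autostart at Windows logon)
# Assumption: run elevated on the host; paths for BHOs and Run keys are standard
# Windows locations, not values taken from the page.

$findings = @()

# 1. Proxy auto-config URL. Any value here means the browser fetches a script
#    that can route traffic through a proxy the user never chose.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $pac = (Get-ItemProperty -Path $key -Name AutoConfigUrl -ErrorAction SilentlyContinue).AutoConfigUrl
    if ($pac) {
        $findings += [pscustomobject]@{ Check = 'AutoConfigUrl'; Location = $key; Detail = $pac }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve the DLL it loads.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Check = 'BHO'; Location = $clsid; Detail = $dll }
    }
}

# 3. Run keys: entries that launch files from the Windows or System32 folders
#    under unfamiliar names deserve a closer look.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        (Get-ItemProperty $run).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Check = 'Run'; Location = $_.Name; Detail = $_.Value }
            }
    }
}

$findings | Format-Table -AutoSize
```

An AutoConfigUrl pointing at a local file path, or a BHO whose DLL sits in a user-writable folder, is the kind of result that warrants pulling the file for analysis rather than just deleting the key.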
Analysis by Marianne Mallen