Effects

Bancos.TZ carries out the following actions:
- When it is run, it displays an Internet Explorer window advertising Vodafone mobile phones.
- It monitors Internet traffic, and when the user visits the website of certain banking entities, the Trojan is activated and logs the information entered on the website.
- It stores the gathered information in a text file, which is then sent to the following email address: ptx<blocked>09.2@gmail.com
- It obtains the email addresses of the affected user's Outlook and MSN Messenger contacts.

Infection strategy

Bancos.TZ creates the following files:
- LSASS.EXE, in the Windows directory. This file is a copy of the Trojan.
- PHANTOM.INI, in the Windows directory. This file stores the path of the WAB file, which contains the user's Outlook contact list.
- M.TXT, in the Windows system directory. It is a text file where the stolen information is stored.

Bancos.TZ creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  lsass = %windir%\lsass.exe
  where %windir% is the Windows directory.

By creating this entry, Bancos.TZ ensures that it is run whenever Windows is started.
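
The files and the Run entry listed above can be turned into a host check. The following is an added example, not part of the original description: it flags a Run value that starts lsass.exe from anywhere other than the system directory (where the genuine Windows file resides, so this is slightly broader than the single path given above) and matches a file listing against the three named files. The values of `WINDIR` and `SYSTEM_DIR` and all sample data are assumptions constructed for illustration.

```python
import ntpath
import re

WINDIR = r"C:\Windows"                        # assumption: value of %windir%
SYSTEM_DIR = ntpath.join(WINDIR, "System32")  # assumption: Windows system directory

# Files named in the description, resolved against the assumed directories.
ARTIFACTS = {
    ntpath.join(WINDIR, "LSASS.EXE"): "copy of the Trojan",
    ntpath.join(WINDIR, "PHANTOM.INI"): "holds the path of the WAB file",
    ntpath.join(SYSTEM_DIR, "M.TXT"): "stolen information",
}

def norm(path):
    """Expand %windir%, then normalise separators and case (Windows paths ignore case)."""
    path = re.sub(r"%windir%", lambda _: WINDIR, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))

def exe_of(command):
    """Return the executable part of a Run value, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, flags=re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def check_run_entries(entries):
    """Flag Run values that launch an lsass.exe located outside the system directory."""
    hits = []
    for name, command in entries.items():
        exe = norm(exe_of(command))
        if ntpath.basename(exe) == "lsass.exe" and ntpath.dirname(exe) != norm(SYSTEM_DIR):
            hits.append((name, exe))
    return hits

def check_files(paths):
    """Return (normalised path, role) for every listed path matching a named artifact."""
    wanted = {norm(p): role for p, role in ARTIFACTS.items()}
    return sorted((norm(p), wanted[norm(p)]) for p in paths if norm(p) in wanted)

# Constructed sample data: an export of the HKLM Run key and a file listing.
SAMPLE_RUN = {"lsass": r"%windir%\lsass.exe",
              "ExampleTray": r'"C:\Program Files\Example\tray.exe" /min'}
SAMPLE_FILES = [r"c:\windows\lsass.exe", r"C:\Windows\System32\lsass.exe",
                r"C:\WINDOWS\system32\m.txt"]

if __name__ == "__main__":
    print(check_run_entries(SAMPLE_RUN))
    print(check_files(SAMPLE_FILES))
```
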

Means of transmission

Bancos.TZ is designed to send email messages to all the contacts of the affected user in order to distribute a copy of the Trojan.

Further Details

Bancos.TZ is written in the programming language Delphi v5. This Trojan is 425,984 bytes in size.