Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Bancos.TZ carries out the following actions:
- When it is run, it displays an Internet Explorer window advertising Vodafone mobile phones.
- It monitors Internet traffic, and when the user visits a website belonging to certain banking entities, the Trojan is activated and logs the information entered on that website.
- It stores the gathered information in a text file, which is then sent to the following email address:
ptx<blocked>09.2@gmail.com
- It obtains the email addresses of the affected user's Outlook and MSN Messenger contacts.
Infection strategy
Bancos.TZ creates the following files:
- LSASS.EXE, in the Windows directory. This file is a copy of the Trojan.
- PHANTOM.INI, in the Windows directory. This file stores the path of the WAB file, which contains the user's Outlook contact list.
- M.TXT, in the Windows system directory. It is a text file where the stolen information is stored.
Bancos.TZ creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsass = %windir%\lsass.exe
where %windir% is the Windows directory.
By creating this entry, Bancos.TZ ensures that it is run whenever Windows is started.
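A read-only host check for the files and Run value listed above, as an added example that is not part of the original Panda Security entry. The System32 and SysWOW64 locations for M.TXT and the WOW6432Node registry view are assumptions about where the "Windows system directory" and a 32-bit process's registry writes land on current Windows.

```powershell
# Added example (not Panda Security code): read-only check for the Bancos.TZ
# artifacts described on this page. Run in an elevated PowerShell session.
$winDir     = $env:windir
$trojanSize = 425984   # size in bytes given on this page
$findings   = New-Object System.Collections.Generic.List[object]

# The genuine lsass.exe lives in System32, so a file of that name directly
# under the Windows directory is the anomaly.
# Assumption: M.TXT is looked for in both System32 and SysWOW64.
$candidates = @(
    (Join-Path $winDir 'lsass.exe'),
    (Join-Path $winDir 'phantom.ini'),
    (Join-Path $winDir 'System32\m.txt'),
    (Join-Path $winDir 'SysWOW64\m.txt')
)
foreach ($path in $candidates) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add([pscustomobject]@{
            Type      = 'File'
            Location  = $item.FullName
            Detail    = "$($item.Length) bytes"
            SizeMatch = ($item.Name -ieq 'lsass.exe' -and $item.Length -eq $trojanSize)
        })
    }
}

# Run-key persistence: a value named "lsass" under HKLM ...\CurrentVersion\Run.
# Assumption: the WOW6432Node view is also checked (32-bit process on 64-bit Windows).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $prop = Get-ItemProperty -Path $key -Name 'lsass' -ErrorAction SilentlyContinue
    if ($prop) {
        $findings.Add([pscustomobject]@{
            Type      = 'RunValue'
            Location  = "$key\lsass"
            Detail    = $prop.lsass
            SizeMatch = $false
        })
    }
}

if ($findings.Count) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Bancos.TZ artifacts from this description were found.'
}
```

A file named lsass.exe outside System32 is worth investigating on its own; the size match only narrows it to the sample described here.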
Means of transmission
Bancos.TZ is designed to send email messages to all the contacts of the affected user in order to distribute a copy of the Trojan.
Further Details
Bancos.TZ is written in the programming language Delphi v5. This Trojan is 425,984 bytes in size.