
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Banker.MBX

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Banker.MBX passes itself off as an update for a program of a certain Brazilian banking entity and requires users to enter certain data about their bank account.

It follows the routine below:

  • It reaches the computer in a phishing message that seems to have been sent by a certain Brazilian banking entity. The message informs users that, for security reasons, they have to update their version of the online banking program before a certain date; otherwise, access to their account will be blocked.
  • The email message looks like the following:

    Message in which Banker.MBX reaches the computer
  • This message contains a link from which the supposed update of the program is downloaded. If users click the link, they will download a file whose icon carries the name of the affected bank:

    Icon of the malicious file

  • When it is run, a window is displayed recommending that users install the update of a program so that they can continue carrying out Internet banking transactions:

    Fake online program of the affected bank
  • The following screen shows a window that asks for the users' banking data, such as username and login password:

    Window where the users' banking data are required
  • Once the information is entered, the program connects to a certain website to which it will send the data entered by users.
    The website to which the data is sent is:
    http://www.irani<blocked>hic.com/greybox/errorstk.php

Means of transmission 

Banker.MBX reaches the computer in an email message which seems to have been sent by a certain Brazilian banking entity.

However, Banker.MBX does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives like pendrives, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Banker.MBX is 373,248 bytes in size and is compressed with UPX.