Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Banbra.GRW is a banker Trojan designed to steal the banking data of users of a certain Brazilian banking entity.
Banbra.GRW carries out the following actions:
- When it is run and is installed on the computer, it sends an email message to its creator with information about the infected computer. The message it sends is like the following:
[image: sample email message sent by the Trojan]
- When users access the website of their banking entity, the Trojan intercepts the request and displays a page with the error "The website cannot be displayed" for a few moments. Users may not notice this error page, as it is only displayed for a few seconds:
[image: "The website cannot be displayed" error page]
- The page that is then displayed is identical to the real one; even the address shown in the address bar is the same. However, certain links and pull-down menus do not work.
- What the Trojan does is redirect a previously selected website to its own embedded browser, where it displays a website created for malicious purposes.
- If users enter their banking data in that website, they will fall into the hands of the creator of the Trojan.
- Users who have the Portuguese version of the browser will not notice any change in the browser, as everything appears as usual. However, users whose browser is in a different language will see that the browser's language has changed.
- The following image appears to be the website of one of the affected banking entities. However, it is the website displayed by the Trojan:
[image: website displayed by the Trojan]
- In the following image, you can see that the browser's language is Portuguese, regardless of the browser's default language:
[image: browser displayed in Portuguese]
Infection strategy
Banbra.GRW creates the following files in the Windows system directory:
- ARCHIVO.EXE, which is a copy of the Trojan.
- DKWORK.INI
Banbra.GRW creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Archivo.exe = %sysdir%\Archivo.exe
  where %sysdir% is the Windows system directory.
  By creating this entry, Banbra.GRW ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
  Embedded Web Browser from: http://bs<blocked>sa.com/
  By creating this entry, it can make a previously selected website be redirected to its own browser.
Means of transmission
Banbra.GRW reaches the computer in a file with the Internet Explorer icon in order to deceive users:
[image: file with the Internet Explorer icon]
However, Banbra.GRW does not spread automatically using its own means. It needs the intervention of an attacking user in order to reach the affected computer. The means of transmission used include, among others, removable drives like pen drives, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Banbra.GRW is 977,408 bytes in size.
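The indicators listed under "Infection strategy" and "Further Details" (the two dropped files, the Run autorun value, the "Embedded Web Browser from:" token under the Internet Explorer Post Platform key, and the 977,408-byte file size) can be turned into a simple host check. The script below is an added example written for this entry, not Panda Security's code: it takes registry values and a system-directory listing as plain Python tuples (constructed inline here; on a real host they would be collected with `winreg` or `reg query` and `os.scandir`) and reports which indicators are present. The Post Platform check relies on the fact that Internet Explorer appends every value name under that key to its User-Agent string, so a token beginning "Embedded Web Browser from:" is treated as the indicator; the URL itself is a placeholder since the entry blocks it.

```python
import re

# Registry locations named in the entry
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POST_PLATFORM_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\User Agent\Post Platform"
)
# Files the entry says are dropped into the Windows system directory, and the size it gives
DROPPED_FILES = {"archivo.exe", "dkwork.ini"}
TROJAN_SIZE = 977_408  # bytes, from "Further Details"


def check_registry(values):
    """values: iterable of (key_path, value_name, value_data) triples.
    Returns a list of human-readable findings (empty when nothing matches)."""
    findings = []
    for key, name, data in values:
        key_l = key.lower()
        if key_l == RUN_KEY.lower():
            # Persistence: an autorun value whose data ends in \Archivo.exe
            if re.search(r"\\archivo\.exe\s*$", data or "", re.IGNORECASE):
                findings.append(f"autorun persistence: {name} = {data}")
        elif key_l == POST_PLATFORM_KEY.lower():
            # Post Platform value names are appended to IE's User-Agent string;
            # the entry reports an "Embedded Web Browser from: <url>" token here.
            token = name if name else (data or "")
            if token.lower().startswith("embedded web browser from:"):
                findings.append(f"suspicious Post Platform token: {token}")
    return findings


def check_system_dir(listing):
    """listing: iterable of (file_name, size_in_bytes) for the system directory."""
    findings = []
    for fname, size in listing:
        if fname.lower() in DROPPED_FILES:
            detail = " (size matches the entry)" if size == TROJAN_SIZE else ""
            findings.append(f"dropped file present: {fname}{detail}")
    return findings


def scan(registry_values, listing):
    """Combine both checks; an empty list means no indicator was found."""
    return check_registry(registry_values) + check_system_dir(listing)


# Constructed sample data: one clean host and one matching the entry's description.
# Names other than the entry's own indicators are hypothetical.
CLEAN_REGISTRY = [
    (RUN_KEY, "UpdaterTray", r"C:\Windows\system32\UpdaterTray.exe"),
    (POST_PLATFORM_KEY, ".NET CLR 3.5.30729", ""),
]
INFECTED_REGISTRY = CLEAN_REGISTRY + [
    (RUN_KEY, "Archivo.exe", r"C:\Windows\system32\Archivo.exe"),
    (POST_PLATFORM_KEY, "Embedded Web Browser from: http://PLACEHOLDER-URL/", ""),
]
CLEAN_LISTING = [("kernel32.dll", 700_000), ("notepad.exe", 200_000)]
INFECTED_LISTING = CLEAN_LISTING + [("ARCHIVO.EXE", 977_408), ("DKWORK.INI", 120)]


if __name__ == "__main__":
    for label, reg, lst in (("clean", CLEAN_REGISTRY, CLEAN_LISTING),
                            ("infected", INFECTED_REGISTRY, INFECTED_LISTING)):
        print(label, scan(reg, lst))
```

The size comparison is kept as supporting detail rather than a hard requirement, since a repacked sample would change the byte count while the file name and registry entries might not; the Post Platform token, which a legitimate application has no reason to write, is the more distinctive of the two registry indicators.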