Banbra.GUC carries out the following actions:
- It arrives on the computer with the following icon, passing itself off as a photo or a video, although it is actually an executable file:
- When this file is run, the Internet Explorer browser opens and shows a YouTube news-channel video about the rescue of the Chilean miners, who had been trapped in a mine for several days:
- The following images belong to the video displayed by the Trojan:
- However, this is nothing but a distraction maneuver.
- Meanwhile, a copy of Banbra.GUC is installed on the computer.
- When the computer is restarted, the copy of the Trojan saved on the computer runs and connects to an FTP server, from which it downloads several executable files. These contain websites that imitate several Brazilian banks and other web services, such as Hotmail and the social network Orkut.
- Once these files have been downloaded, Banbra.GUC monitors network traffic until the user types the address of any of the affected websites into the browser's address bar.
- When the user tries to access one of these websites, the Trojan closes the browser and runs the executable file that imitates that website.
- This file simulates the browser window the user intended to open, but none of its links or sections work, except for the form fields.
- The following image belongs to the fake website of one of the affected banks, in which users can only fill in the fields inside the red box:
- The purpose is none other than to steal banking information, passwords, email addresses, etc.
- Once the user fills in the corresponding fields, the fake website is closed and the original one is opened, so that the user does not become suspicious.
- All the gathered information is stored in files on the computer, which are then sent by email to the Trojan's creator.
Banbra.GUC creates a file called ST45ST.EXE in the Windows system directory. This file is a copy of the Trojan.
Banbra.GUC downloads several files from an FTP directory and stores them in the Windows system directory. These files simulate websites belonging to banks or other web services and store the passwords entered into them:
- ADDE.EXE, simulates websites of Banco do Brasil.
- FALL.EXE, simulates websites of Banco Itáu.
- SELL.EXE, simulates websites of Bradesco.
- SUFF.EXE, simulates websites of Banco Santander de Brasil.
- SUGG.EXE, simulates the login website of Hotmail.
The following image belongs to the icons of the executable files downloaded by Banbra.GUC:
Each of these files creates a file in the inf folder of the Windows directory, in which it stores the data obtained from the user.
For example, the file SUGG.EXE creates the file CDAF4H9O3.BSP with the following content:
msn: firstname.lastname@example.org, enterpasswordexample
Banbra.GUC creates the following entry in the Windows Registry:
Office_app = %sysdir%\st45st.exe
where %sysdir% is the Windows system directory.
By creating this entry, Banbra.GUC ensures that it is run whenever Windows is started.
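As an added example (not part of the original description), the following Python triage helper checks a dumped autostart entry and a system-directory listing against the indicators listed above, and extracts the affected accounts from a harvested .BSP file so they can be reset. The exact registry key that holds Office_app is not stated above and is assumed to be a Run-type key; all sample data is constructed.

```python
import ntpath
import re

# Indicators as given in the description above (names compared case-insensitively).
DROPPER = "st45st.exe"
AUTORUN_VALUE = "office_app"
FAKE_SITES = {
    "adde.exe": "Banco do Brasil",
    "fall.exe": "Banco Itau",
    "sell.exe": "Bradesco",
    "suff.exe": "Banco Santander de Brasil",
    "sugg.exe": "Hotmail login",
}
# A harvested-data line in a .BSP file looks like "msn: <account>, <password>".
BSP_LINE = re.compile(r"^(?P<service>[A-Za-z0-9_]+):\s*(?P<account>[^,]+),\s*(?P<secret>.*)$")

def check_autorun(entries):
    """entries: {value name: data} dumped from an autostart key (assumed Run key).
    Flags the entry by its value name or by the dropper file name in its data."""
    hits = []
    for name, data in entries.items():
        if name.lower() == AUTORUN_VALUE or ntpath.basename(data).lower() == DROPPER:
            hits.append(f"autorun {name} = {data}")
    return hits

def check_system_dir(listing):
    """listing: file names found in the Windows system directory."""
    hits = []
    for fname in listing:
        low = fname.lower()
        if low == DROPPER:
            hits.append(f"{fname}: Banbra.GUC copy")
        elif low in FAKE_SITES:
            hits.append(f"{fname}: fake {FAKE_SITES[low]} site")
    return hits

def harvested_accounts(bsp_text):
    """Parse a .BSP file from the Windows inf folder into (service, account) pairs.
    The captured secret is dropped so the triage report never re-exposes it."""
    accounts = []
    for line in bsp_text.splitlines():
        m = BSP_LINE.match(line.strip())
        if m:
            accounts.append((m["service"], m["account"].strip()))
    return accounts

# Constructed sample data mirroring the description (not taken from a real host).
SAMPLE_AUTORUN = {"Office_app": r"C:\WINDOWS\system32\st45st.exe", "Benign": r"C:\Tools\app.exe"}
SAMPLE_SYSDIR = ["kernel32.dll", "ST45ST.EXE", "SUGG.EXE", "FALL.EXE"]
SAMPLE_BSP = "msn: firstname.lastname@example.org, enterpasswordexample\nnot a record\n"
```

Running `check_autorun(SAMPLE_AUTORUN)`, `check_system_dir(SAMPLE_SYSDIR)` and `harvested_accounts(SAMPLE_BSP)` gives the matching autorun value, the three infected-file hits, and the single msn account without its password.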
Means of transmission
Banbra.GUC is distributed via email messages related to the news about the tragedy of the miners trapped in a Chilean mine.
Banbra.GUC is written in the programming language Visual Basic v5. This Trojan is 23,040 bytes in size and is compressed with PECompact.
Research carried out by Aitor Crespo.