Effects
Bancos.FC carries out the following actions:
It goes memory resident and waits until an Internet connection is established through Dial-up and Network Access.
Then, if the user types a URL that contains any of a set of text strings belonging to banking entities, Bancos.FC logs the URL accessed and the data entered, such as account number, password, PIN, etc. Those text strings are:
abbeyinternational.com, anoffshore.com, arquired.es, aurora.es, bancaja.es, bancaonline.es, bancoandalucia.es, bancoasturias.com, bancoatlantico.es, bancodemurcia.es, bancodevalencia.es, bancoetcheverria.es, bancogallego.es, bancogui.es, bancoherrero.com, bancoinversion.es, bancopastor.es, bancopopular.es, bancopopular-e.com, bancosantander.es, bancourquijo.es, bancozaragozano.es, bancsabadell.es, banesto.es, banif.es, bankoa.es, bankoanet.com, bankpyme.es, bansalease.com, barclays.es, batlantico.es, bbi.co.im, bbk.es, bbva.es, bbvanet.com, bbvanetoffice.com, bde.es, bes.es, bgnetplus.com, bibm.ad, cai.es, caixabank.ad, caixacat.es, caixacatalunya.es, caixa-enginyers.com, caixagirona.es, caixaguissona.es, caixamanlleu.es, caixamanresa.com, caixapenedes.es, caixasabadell.net, caixaterrassa.es, cajaactiva.es, cajabadajoz.es, cajacaminos.es, cajacampo.es, cajacampo.org, cajacanarias.es, cajacantabria.com, cajacirculo.com, cajacirculo.es, cajadeavila.es, cajadeburgos.es, cajaen.es, cajaespana.es, cajaextremadura.es, caja-granada.es, cajaguadalajara.biz, caja-ingenieros.es, cajalaboral.com, cajalaboral.es, cajamadrid.es, cajamadridempresas.es, cajamar.es, cajamurcia.es, cajanavarra.es, cajarioja.es, cajarural.com, cajasanfernando.es, cajasegovia.es, cajastur.es, cajasur.es, cajavital.es, cam.es, caser.es, casyc.es, ccm.es, cconline.es, ceca.es, ruralcaja.es, citibank.com, citibank.es, clavenet.net, creditandorra.ad, e-credit.ad, elmonte.es, etrade.com, e-pueyo.com, eurocredito.es, fibanc.es, grupobbva.com, gruposantander.es, halifax.es, hispamer.es, homecem.com, ibercaja.es, ibercajadirecto.com, ingdirect.es, ksk-es.de, kutxa.es, kutxa.net, lacajadecanarias.es, lloydstsb.es, mortonmanagement.com, oficinadirecta.com, patagon.es, santandercentralhispano.es, solbank.com, unicaja.es, univia.es, uno-e.com, ebanka.cz, danskenetbank.dk, bnpnet.bnp.fr, banquedirecte.fr, banquepopulaire.fr, bred.fr, lbmicro.com, caisse-epargne.fr, ccf.fr, ca-centrefrance.com, ca-valdefrance.fr, creditmutuel.fr, finaction.com, videoposte.com, socgen.com, otp.hu, ambro.it, fineco.it, popvi.it, poste.it, cariplo.it, carifirenze.it, crup.it, in-bank.net, creval.it, unicreditbanca.it, banc, caja, bank, etrade.com, lapostefinance.fr, abnamro-france.fr, afub.org, hsbc, citi, socgen.com, arjil-associes.com, banca-popolare-bergamo-cv.fr, cortal.fr, covefi.fr, bidf-bdei.com, banque-de-savoie.com, banq, bdpme.fr, banque-du-louvre.com, eurofin.fr, bfg.fr, banque-hervet.fr, barclays.co.uk, halifax, lloydstsb.co.uk, natwest.co.uk, nationwide.co.uk, bankofscotland.co.uk, mybusinessbank.co.uk, abbeynational.co.uk, barep.com, sanpaolo.fr, robeco.fr, transat.tm.fr, barep.com, bnpparibas-leasegroup.com, cdn.fr, creditfoncier.fr, credit-maritime.fr, dexia.com, clf.fr, lcf-rothschild.fr, lazard.com, resist.fr, smc.fr, sogip.com, ucb.fr, artigiancassa.it, bcoopimola.it, bam.it, antonveneta.it, carige.it, carime.it, trade, ing, empressa, money, transfer, cash and wire.
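The script below is an added example; it is not code from the original write-up or from the Trojan. It reproduces the kind of substring test described above over a few constructed URLs, using a subset of the listed strings. Case-insensitive comparison is an assumption (the write-up only says the URL must "contain" a string). The point it makes is that the generic fragments at the end of the list (banc, bank, ing, trade, cash, money, ...) cause many requests with nothing to do with banking to be logged as well.

```python
# Added example (not part of the original write-up, not the Trojan's code):
# reproduce the substring test Bancos.FC applies to requested URLs and show
# how broad the generic fragments make it.

# A subset of the strings listed above: some full domains plus the generic
# fragments at the end of the list.
BANK_STRINGS = [
    "bbva.es", "bbvanet.com", "cajamadrid.es", "bancsabadell.es",
    "barclays.co.uk", "natwest.co.uk", "citibank.com", "socgen.com",
    "unicreditbanca.it",
    "banc", "caja", "bank", "banq", "hsbc", "citi", "halifax",
    "trade", "ing", "empressa", "money", "transfer", "cash", "wire",
]


def matching_strings(url, needles=BANK_STRINGS):
    """Return the needles that occur anywhere in url, in list order.

    Case-insensitive comparison is an assumption; the write-up only says
    the URL must 'contain' one of the strings.
    """
    u = url.lower()
    return [n for n in needles if n in u]


def would_be_logged(url, needles=BANK_STRINGS):
    """True if Bancos.FC would log this request (URL plus submitted data)."""
    return bool(matching_strings(url, needles))


def triage(urls, needles=BANK_STRINGS):
    """Map each URL to the strings that would trigger logging (empty = not logged)."""
    return {url: matching_strings(url, needles) for url in urls}


# Constructed sample URLs (not taken from the original page).
SAMPLE_URLS = [
    "https://www.bbvanet.com/login",          # genuine target
    "https://www.cajamadrid.es/",             # genuine target, hits two needles
    "https://www.citibank.com/",              # genuine target, hits three
    "http://www.booking.com/hotels",          # not a bank: matched by "ing"
    "https://news.example.com/trade-deal",    # not a bank: matched by "trade"
    "https://www.example.org/index.html",     # nothing matches
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        status = "LOGGED " if hits else "ignored"
        print(f"{status} {url}  <- {hits}")
```

Run against real browsing history, the same function gives a quick estimate of how much non-banking traffic the Trojan would have exfiltrated from a given machine.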
The logged information is collected and sent to a server on the Internet, together with a unique identifier that Bancos.FC generates from the volume serial number of the C: drive, so that the attacker can keep track of the number of affected computers and of which information has been obtained from each of them.
Bear in mind that this Trojan only affects users who connect to the Internet through Dial-up and Network Access. If Bancos.FC is running but the user is not connected to the Internet, or the connection is made via a Local Area Network (LAN) or an ADSL modem, it does not carry out the actions above, although some anomalies may be observed while using Internet Explorer.
Infection strategy
Bancos.FC creates the following files in the Windows system directory:
- FTPEX.EXE. This file is a copy of the Trojan.
- FTPEX.DLL. This file is a DLL (Dynamic Link Library).
Bancos.FC sets the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe %sysdir%\ftpex.exe
where %sysdir% is the Windows system directory.
By setting this value, Bancos.FC ensures that it is run whenever Windows is started: Winlogon launches the Shell value at each logon, so ftpex.exe is started alongside the normal explorer.exe shell.
Bancos.FC follows the routine below:
- When the file belonging to the Trojan is run, it creates a copy of itself called FTPEX.EXE in the Windows system directory and drops the Dynamic Link Library FTPEX.DLL.
- Once the main component of the Trojan is running, the DLL is loaded into each new process that is started on the computer.
- When the DLL is injected into the process IEXPLORE.EXE (Internet Explorer), it hooks the WinINet function HttpSendRequest, redirecting calls to its own code, and checks whether the requested URL contains any of the text strings listed above.
- If so, both the URL and the data entered are encoded and sent to the server skconfig.com.
- For each affected computer, Bancos.FC creates a unique identifier, generated from the volume serial number of the C: drive, which is also sent to that server so that the attacker can keep track of the number of affected systems and of the information obtained from each of them.
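As an added example (not part of the original write-up), the script below checks for the two persistence artifacts described above: a Winlogon Shell value that names anything besides explorer.exe, and the presence of FTPEX.EXE / FTPEX.DLL in the system directory. The checks take their inputs as plain values so they can be run offline against a registry export or a mounted image; on Windows the live Shell value is read with winreg. The C:\WINDOWS\system32 path and the sample Shell value used when not on Windows are constructed for the example.

```python
# Added example (not part of the original write-up): triage of the
# persistence artifacts described above, the Winlogon Shell value and the
# dropped FTPEX.EXE / FTPEX.DLL. On Windows it can also read the live value.
import ntpath
import os
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_FILES = ("ftpex.exe", "ftpex.dll")


def extra_shell_entries(shell_value):
    """Return every program named in a Winlogon Shell value other than explorer.exe.

    A clean system has exactly 'explorer.exe'. Winlogon accepts several
    programs separated by commas, and Bancos.FC appends its copy after a
    space, so split on both. A path containing spaces would be split too;
    it is still reported, just in pieces.
    """
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def check_dropped_files(system_dir, exists=os.path.exists):
    """Return the paths of the dropped files that exist in system_dir.

    ntpath is used so Windows paths are built correctly even when the
    check runs offline against a mounted image on another platform; the
    exists callback lets it run against a file list instead of a disk.
    """
    return [
        ntpath.join(system_dir, name)
        for name in DROPPED_FILES
        if exists(ntpath.join(system_dir, name))
    ]


def read_live_shell_value():
    """Read HKLM\\...\\Winlogon\\Shell on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Shell")
        return value


if __name__ == "__main__":
    live = read_live_shell_value()
    # Constructed value mirroring the write-up (%sysdir% expanded), used off Windows.
    shell = live if live is not None else r"explorer.exe C:\WINDOWS\system32\ftpex.exe"
    print("Winlogon Shell =", shell)
    print("entries besides explorer.exe:", extra_shell_entries(shell) or "none")
    sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    print("dropped files present:", check_dropped_files(sysdir) or "none")
```

Any non-empty result from extra_shell_entries deserves a look regardless of this particular Trojan, since the Shell value is a general-purpose persistence point and legitimate software almost never changes it.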
Means of transmission
Bancos.FC does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Bancos.FC is written in the programming language Delphi.