We want to warn you of a Banker Trojan that is using the news of the miners trapped in Chile to be distributed and infect users. It has been detected as Banbra.GUC.

The malicious file reaches the computer with the following icon:


When this file is run, the Internet Explorer browser is opened showing a Youtube video of a news channel about the rescue of the Chilean miners trapped in a mine several days ago.

The following images belong to the video displayed by the Trojan:


But, all this is nothing but a distraction maneuver.

While we are watching the video, the Trojan is installed in the computer, creates a copy of itself and a Windows Registry entry to be automatically run when the computer is started.

In the following restart, it connects to an FTP Server, from which it downloads several executable files which are saved to the computer.

These files contain false websites which copy the format and content of the original websites belonging to the affected services, like several Brazilian banks, Hotmail and the social network Orkut.

The affected Brazilian banks, among others, are:

Banco do Brasil
Banco Real

Banco Santander Brasil


Caixa Brasil


The main file monitors the network traffic and when it detects that the user types any of the affected websites in the address bar, it coses the file that contains the false website of the affected service.

Then, it closes the Internet Explorer browser and activates the corresponding executable. This file will display a website that imitates the original one, but in which any of the links and sections will not work, except for the sections belonging to forms, in order to steal banking information, passwords, email addresses, etc.

Once we have filled in the corresponding fields, the false website will be closed and the original one will be opened.

All the gathered information will be stored in several files, which will be saved to the computer and will be then sent via email to its creator.

This Trojan can be distributed via email messages or links published in social networks, so you should be very cautious in this type of situations.

If you want to get more information about this Trojan, you can check it out in the malware encyclopedia: