x
48h OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
SPECIAL OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
HALLOWEEN OFFER
take advantage of our
terrific discounts
BUY NOW AND GET A 50% OFF
x
CHRISTMAS OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 50% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 50% OFF
x
BLACKFRIDAY OFFER
Buy the best antivirus
at the best price
TODAY ONLY UP TO 70% OFF
x
CYBERMONDAY OFFER
Buy the best antivirus
at the best price
(Only for homeusers)
TODAY ONLY UP TO 70% OFF
Active Scan. Scan your PC free
Panda Protection

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Banker.CTD

Threat LevelHigh threatDamageSevereDistributionNot widespread

Effects 

Banker.CTD carries out the following actions:

  • It monitors if the user accesses web pages whose address or title bar contain any of the following text strings:
    AMOR
    Banking
    Bradesco
    http://bradesconetempresa.com.br
    Netbanking
    Santandernet
    Sudameris

    All these websites belong to banking entities.
  • If the user accesses any of them, Banker.CTD logs the keystrokes typed by the user. This way, Banker.CTD obtains confidential information about the user, such as passwords.
  • Periodically, it sends the data to a certain email address.
  • It uses the SMTP server smtps.uol.com.br and a certain account, instead of using its own SMTP engine. It does this so as to avoid the filters that ISPs are applying to outgoing email messages that are originated in certain IP ranges.

Infection strategy 

Banker.CTD creates the following files in the Windows system directory:

  • IEXPLORE.SCR and PPP.EXE, which are copies of the Trojan.
  • IMGRT.TXT and NET2, which are used to store data about Banker.CTD.

 

Banker.CTD creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    dark = %sysdir%\iexplore.scr
  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    dark2 = %sysdir%\ppp.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Banker.CTD ensures that it is run whenever Windows is started.

Means of transmission 

Banker.CTD does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Banker.CTD is written in the programming language Delphi. This Trojan is 790,528 bytes in size, and it is compressed with PE_Compact.