Welcome to the Virus Encyclopedia of Panda Security
It is designed to steal users' confidential information related to certain Brazilian banking entities and other web services, like Hotmail. It is distributed via email messages using the news about the tragedy of the Chilean miners.
| First detected on: | Sept. 1, 2010 |
| Detection updated on: | Sept. 6, 2010 |
Banbra.GUC is a Trojan designed to steal users' confidential information, like banking details and passwords belonging to certain banking entities and other web services, like Hotmail.
In order to do so, when users access any of the affected websites, the Trojan closes the browser and opens a fake window that imitates the original one, so that users enter their access data there.
The harvested information is stored in a file and then sent via email to its creator.
Banbra.GUC is distributed via email in messages related to the news about the tragedy of the miners trapped in a mine in Chile.
- It reaches the computer with the following icon, passing itself off as a photo or a video, though it is actually an executable file:
- When this file is run, the Internet Explorer browser is opened showing a YouTube video of a news channel about the rescue of the Chilean miners trapped in a mine several days ago.
- The following images belong to the video displayed by the Trojan:
- However, this is nothing but a distraction maneuver.
- Meanwhile, a copy of Banbra.GUC is installed on the computer.
- When the computer is restarted, the saved copy of the Trojan runs and connects to an FTP server from which it downloads several executable files; these contain websites that imitate several Brazilian banks and other web services, like Hotmail and the social network Orkut.
- Once the files are downloaded, Banbra.GUC monitors network traffic until users type the address of any of the affected websites in the address bar.
- When users try to access any of these websites, the Trojan will close the browser and will run the corresponding executable file that imitates such website.
- This file imitates the browser window users meant to open, but none of its links or sections work, except for the form fields.
- The following image belongs to the fake website of one of the affected banks; users can only fill in the fields inside the red square:
- The purpose is none other than to steal banking information, passwords, email addresses, etc.
- Once users fill in the corresponding fields, the fake website will be closed and the original will be opened, so that users do not suspect.
- All the gathered information is stored in the computer in some files, which are then sent via email to its creator.
Banbra.GUC creates a file called ST45ST.EXE in the Windows system directory. This file is a copy of the Trojan.
Banbra.GUC downloads several files from an FTP directory and it stores them in the Windows system directory. These files simulate websites belonging to banks or other web services, and store passwords:
- ADDE.EXE, simulates websites of Banco do Brasil.
- FALL.EXE, simulates websites of Banco Itáu.
- SELL.EXE, simulates websites of Bradesco.
- SUFF.EXE, simulates websites of Banco Santander de Brasil.
- SUGG.EXE, simulates the login website of Hotmail.
The following image belongs to the icons of the executable files downloaded by Banbra.GUC:
Each of these files creates a file in the inf folder of the Windows directory, where it stores the data obtained from users.
For example, the file SUGG.EXE creates the file CDAF4H9O3.BSP with the following content:
msn: firstname.lastname@example.org, enterpasswordexample
Banbra.GUC also creates the following entry:
Office_app = %sysdir%\st45st.exe
where %sysdir% is the Windows system directory.
By creating this entry, Banbra.GUC ensures that it is run whenever Windows is started.
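A host indicator check built from the behaviour described in this entry, as an added example that is not Panda Security's code or tooling. It assumes the file names, the inf-folder record format and the Office_app startup value are exactly as listed above, assumes (since the page shows only one name) that the harvested-data files share the .BSP extension, and takes the startup entries as plain name/data pairs so that reading them is left to whatever tool you already use; the directory tree it scans is constructed in a temporary folder so the script runs anywhere.

```python
import os
import re
import tempfile

# Indicator names taken from the encyclopedia entry; compared case-insensitively
# because Windows file names are case-insensitive.
DROPPED_COPY = "st45st.exe"
FAKE_SITE_FILES = {"adde.exe", "fall.exe", "sell.exe", "suff.exe", "sugg.exe"}
AUTORUN_VALUE_NAME = "office_app"

# Record format of the harvested-data file quoted on the page:
#   "msn: firstname.lastname@example.org, enterpasswordexample"
HARVEST_RECORD = re.compile(r"^(?P<service>\w+):\s*(?P<user>\S+),\s*(?P<secret>\S.*)$")

# Assumption: the harvest files share the .BSP extension of the one example the page gives.
HARVEST_EXT = ".bsp"


def check_system_dir(sysdir):
    """Return the indicator file names (lower-cased, sorted) found in the system directory."""
    try:
        present = {name.lower() for name in os.listdir(sysdir)}
    except OSError:
        return []
    return sorted(present & (FAKE_SITE_FILES | {DROPPED_COPY}))


def find_harvest_files(infdir):
    """Return names of .BSP files in the inf folder that hold at least one harvested record."""
    hits = []
    try:
        names = os.listdir(infdir)
    except OSError:
        return hits
    for name in names:
        if not name.lower().endswith(HARVEST_EXT):
            continue
        try:
            with open(os.path.join(infdir, name), encoding="latin-1") as fh:
                if any(HARVEST_RECORD.match(line.strip()) for line in fh):
                    hits.append(name)
        except OSError:
            continue
    return sorted(hits)


def check_autorun(run_values):
    """run_values is an iterable of (value name, data) pairs read from the startup
    entry location (how you read them is outside this example). Returns True if an
    Office_app value points at st45st.exe, the persistence entry the page lists."""
    target = re.compile(r"(^|[\\/])" + re.escape(DROPPED_COPY) + r"$", re.IGNORECASE)
    return any(
        name.lower() == AUTORUN_VALUE_NAME and target.search(data.strip().strip('"'))
        for name, data in run_values
    )


def scan(sysdir, infdir, run_values):
    """Collect the three indicator checks into one report."""
    return {
        "indicator_files": check_system_dir(sysdir),
        "harvest_files": find_harvest_files(infdir),
        "autorun_present": check_autorun(run_values),
    }


def build_demo_tree():
    """Build a throwaway directory tree that mimics the infected layout.
    Everything here is constructed sample data, not a real host image."""
    root = tempfile.mkdtemp(prefix="banbra_demo_")
    sysdir = os.path.join(root, "system32")
    infdir = os.path.join(root, "inf")
    os.makedirs(sysdir)
    os.makedirs(infdir)
    # The dropped copy, two of the fake-site files, and one benign file that must not trigger.
    for fname in ("ST45ST.EXE", "SUGG.EXE", "ADDE.EXE", "notepad.exe"):
        open(os.path.join(sysdir, fname), "wb").close()
    # Harvest file with the record format quoted on the page (constructed credentials).
    with open(os.path.join(infdir, "CDAF4H9O3.BSP"), "w") as fh:
        fh.write("msn: firstname.lastname@example.org, enterpasswordexample\n")
    # An ordinary driver .inf file, which the harvest check must ignore.
    with open(os.path.join(infdir, "oem1.inf"), "w") as fh:
        fh.write('[Version]\nSignature="$Windows NT$"\n')
    return sysdir, infdir


# Constructed startup entries: the Banbra.GUC one from the page and an unrelated one.
DEMO_RUN_VALUES = [
    ("Office_app", r"%sysdir%\st45st.exe"),
    ("ExampleUpdater", r"C:\Program Files\Example\updater.exe"),
]

if __name__ == "__main__":
    demo_sysdir, demo_infdir = build_demo_tree()
    for key, value in scan(demo_sysdir, demo_infdir, DEMO_RUN_VALUES).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report on the constructed tree; on a real host, point `scan` at the Windows system directory and the inf folder and feed it the startup entries exported by your inventory tool. Any hit on the harvest-file check means credentials have already been captured and stored locally, so the owners of those accounts should be told to change them, not just the malware removed.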
Research carried out by Aitor Crespo.
Is my computer infected by Banbra.GUC?
- Carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Security client, update it by clicking here.
- Check the computer with Panda ActiveScan, Panda Security's free, online scanner, which will quickly detect any possible viruses.
If Panda Antivirus or Panda ActiveScan detects Banbra.GUC during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.
- After deleting this malware by following the specified steps, if your computer runs Windows Millennium, click here to find out how to eliminate it from the _Restore folder.
- After deleting this malware by following the specified steps, if your computer runs Windows XP, click here to find out how to eliminate it from the _Restore folder.
- Install a good antivirus on your computer. Click here to get the Panda antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.
For more detailed information about how to protect your computer against viruses and other threats, click here.