Virus: TR/VB.LJ.1
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 2.157.056 Bytes
MD5 checksum: 6488D43031BE74D914D5E2C675232819
VDF version: 7.11.53.216

General method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: PWSteal.Bancos.gen
   •  McAfee: PWS-Banker.gen.b
   •  Kaspersky: Trojan-Spy.Win32.Banker.ju
   •  Sophos: Troj/Bancb-Fam
   •  VirusBuster: TrojanSpy.Banker.ADV!AU


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\svchost.exe

Registry
The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "svchosts"="%WINDIR%\svchosts.exe"
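As an added defender-side example (not part of Avira's description), the following Python parses the text output of `reg query` for the Run key listed above and flags autostart entries whose image name imitates svchost, such as the "svchosts" value this trojan installs. The sample registry output and the C:\WINDOWS location are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the TR/VB.LJ.1 description: value name and filename.
KNOWN_VALUE_NAME = "svchosts"
# The genuine svchost.exe lives only in System32 and is launched by the
# service control manager, never from a Run key (well-known Windows fact).
LEGIT_SVCHOST_DIR = PureWindowsPath(r"C:\WINDOWS\System32")

# Constructed sample of `reg query HKLM\...\Run` output (not captured data).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchosts    REG_SZ    %WINDIR%\svchosts.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
    Helper    REG_SZ    C:\WINDOWS\svchost.exe
"""

_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
_LOOKALIKE_RE = re.compile(r"^svchosts?\.exe$", re.IGNORECASE)


def parse_run_values(reg_output):
    """Yield (value_name, data) pairs from `reg query` text output."""
    for line in reg_output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            yield m.group(1), m.group(3)


def image_path(data, windir=r"C:\WINDOWS"):
    """Extract the executable path from a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        data = data[1:].split('"', 1)[0]
    else:  # unquoted: keep everything up to and including the first .exe
        m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
        data = m.group(1) if m else data
    # lambda avoids backslash processing in the replacement string
    return PureWindowsPath(re.sub(r"%windir%", lambda _: windir, data, flags=re.IGNORECASE))


def suspicious_run_entries(reg_output):
    """Return [(value_name, path, reason)] for svchost-lookalike autostarts."""
    hits = []
    for name, data in parse_run_values(reg_output):
        path = image_path(data)
        if not _LOOKALIKE_RE.match(path.name):
            continue
        if path.name.lower() != "svchost.exe":
            reason = "svchost lookalike filename"
        elif path.parent != LEGIT_SVCHOST_DIR:  # PureWindowsPath compares case-insensitively
            reason = "svchost.exe outside System32"
        else:
            reason = "svchost.exe registered as Run entry"
        if name.lower() == KNOWN_VALUE_NAME:
            reason += " (value name matches TR/VB.LJ.1)"
        hits.append((name, str(path), reason))
    return hits
```

Run it against real output by piping `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` into `suspicious_run_entries`; both the "svchosts" entry and a plain svchost.exe copied to %WINDIR% (the drop location listed above) are reported.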

Email
It doesn't have its own spreading routine, but it has the ability to send an email. The receiver is most likely the author. The characteristics are described below:

The email may look like one of the following:



Stealing
It tries to steal the following information:

A logging routine is started after one of the following websites is visited:
   • www14.bancobrasil.com.br
   • empresarial.unibanco.com.br/index.asp
   • ibpf.unibanco.com.br/index.asp
   • www.santander.com.br
   • www.realsecureweb.com.br
   • www.bec.com.br
   • banknet.brb.com.br/brbBanknet
   • wwws.nossacaixa.com.br/bemvindo.asp
   • nel.bnb.gov.br
   • bradesco.com.br
   • www.banespa.com.br
   • www2.rural.com.br/RuralIBank/principal.jsp

It captures:
   • Login information

Form windows are displayed as shown in the pictures below:

Miscellaneous
Mutex:
It creates the following mutex:
   • STFK MutexXx

Description inserted by Andrei Gherman on Monday, August 1, 2005
Description updated by Andrei Gherman on Friday, August 19, 2005
