Virus:TR/Dldr.Banker.OW.2
Date discovered:14/07/2005
Type:Trojan
Subtype:Downloader
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:1.384.960 Bytes
MD5 checksum:341acf27fee0261ffd0d722eb4bfbd46
VDF version:6.31.0.202

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: PWS-Banker.gen.f
   •  Kaspersky: Trojan-Spy.Win32.Banbra.cc
   •  VirusBuster: TrojanSpy.Banbra.CI!AU


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Records keystrokes
   • Steals information

Email:
It does not have its own spreading routine, but it is able to send an email. The recipient is most likely the author. The characteristics are described below:


From:
The sender of the email is the following:
   • cimino2005@**********.com.br

Stealing:
It tries to steal the following information:

– A logging routine is started after one of the following websites is visited:
   • http://www.bancodobrasil.com.br
   • http://www.bancobrasil.com.br
   • http://www.bb.com.br
   • http://www.bradesco.com.br
   • http://www.caixa.gov.br
   • http://www.caixaeconomica.com.br
   • Http://www.caixaeconomicafederal.com.br
   • http://www.caixaeconomicafederal.gov.br
   • http://www.cef.com.br
   • http://www.cef.gov.br
   • http://www.itau.com.br
   • http://www.serasa.com.br
   • http://www.unibanco.com.br
   • htps://internetcaixa.caixa.gov.br

– It captures:
    • Login information

– Form windows are displayed (the screenshots included in the original description are not reproduced here).


File details

Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX
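
The indicators in this description (the MD5 checksum and file size, the masked sender address, the list of bank URLs that trigger logging, and the UPX packing) can be turned into a simple offline triage check. The following Python script is an added example for this page, not Avira's code. It assumes that UPX leaves its default section names and banner (UPX0, UPX1, "UPX!") in the file, which is general UPX knowledge rather than something the description states; it looks for the hostnames in both ASCII and UTF-16LE as a precaution, since the description does not say how the strings are stored; and the sample it runs against is constructed, with a placeholder domain standing in for the masked part of the sender address.

```python
# Added triage helper for the indicators in this description (not Avira's code).
import hashlib
import re
from typing import Dict, List

KNOWN_MD5 = "341acf27fee0261ffd0d722eb4bfbd46"   # from the description
KNOWN_SIZE = 1_384_960                              # file size in bytes

# URLs exactly as listed above (including the "Http" and "htps" spellings);
# only the hostname is used for matching, so the scheme quirks do not matter.
LISTED_URLS = [
    "http://www.bancodobrasil.com.br", "http://www.bancobrasil.com.br",
    "http://www.bb.com.br", "http://www.bradesco.com.br",
    "http://www.caixa.gov.br", "http://www.caixaeconomica.com.br",
    "Http://www.caixaeconomicafederal.com.br",
    "http://www.caixaeconomicafederal.gov.br",
    "http://www.cef.com.br", "http://www.cef.gov.br",
    "http://www.itau.com.br", "http://www.serasa.com.br",
    "http://www.unibanco.com.br", "htps://internetcaixa.caixa.gov.br",
]
TARGET_HOSTS = sorted({u.split("://", 1)[1].split("/", 1)[0].lower()
                       for u in LISTED_URLS})

# The sender's domain is masked on the page, so match the visible local part
# and the ".com.br" suffix with anything in between.
SENDER_RE = re.compile(rb"cimino2005@[\w.-]+\.com\.br", re.IGNORECASE)

# Default UPX section names and banner (general UPX knowledge, not from the
# description); a repacked sample with renamed sections would evade this.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def md5_matches(data: bytes) -> bool:
    """Exact match against the published checksum."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


def upx_markers(data: bytes) -> List[str]:
    """Which UPX markers are present in the raw file."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def bank_hosts_found(data: bytes) -> List[str]:
    """Listed bank hostnames present as ASCII or UTF-16LE strings.

    bytes.lower() only touches ASCII letters, so the interleaved NUL bytes of
    UTF-16LE text survive and the encoded needle still matches.
    """
    lowered = data.lower()
    return [h for h in TARGET_HOSTS
            if h.encode("ascii") in lowered
            or h.encode("utf-16-le") in lowered]


def sender_found(data: bytes) -> bool:
    """True if the (partially masked) sender address pattern is present."""
    return SENDER_RE.search(data) is not None


def triage(data: bytes) -> Dict[str, object]:
    """Collect all indicators and give a coarse verdict."""
    hosts = bank_hosts_found(data)
    markers = upx_markers(data)
    result: Dict[str, object] = {
        "md5_match": md5_matches(data),
        "size_match": len(data) == KNOWN_SIZE,
        "upx_markers": markers,
        "bank_hosts": hosts,
        "sender_string": sender_found(data),
    }
    if result["md5_match"]:
        verdict = "known_sample"          # exact hash: this very file
    elif len(hosts) >= 3 and markers:
        verdict = "suspicious_banker"     # several targets plus a UPX shell
    elif hosts or markers or result["sender_string"]:
        verdict = "needs_review"
    else:
        verdict = "no_indicators"
    result["verdict"] = verdict
    return result


# Constructed stand-in for a sample (not real malware bytes): a fake header
# fragment with UPX names, a few target URLs in both encodings, and the
# sender address with a placeholder domain in place of the masked one.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4 + b"UPX!" + b"\x00" * 16
    + b"http://www.bancodobrasil.com.br\x00"
    + "http://www.itau.com.br".encode("utf-16-le") + b"\x00\x00"
    + b"Http://www.caixaeconomicafederal.com.br\x00"
    + b"cimino2005@example.com.br\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a real file, pass `open(path, "rb").read()` to `triage()`. Only the MD5 match identifies this exact sample; the string and packer checks are heuristics that flag the wider family of UPX-packed bankers targeting these Brazilian sites, and they will miss a variant whose strings are encrypted or that was repacked with a different packer.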

Description inserted by Sergiu Oprea on Friday, August 12, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005
