Full description

Virus:	TR/Dldr.Delf.tp.1.A
Date discovered:	15/09/2005
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	385.536 Bytes
MD5 checksum:	d905b68eea607dfd2fdc6bc21278abfd
VDF version:	6.31.1.188

General Aliases:
   • Mcafee: PWS-Banker.gen.i
   • Kaspersky: Trojan-Spy.Win32.Banker.acb

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Records keystrokes
   • Registry modification
   • Steals information

Files It deletes the following files:
   • %temporary internet files%\*.*
   • %cookies%\*.*

The following files are created:

– Non malicious files:
   • %WINDIR%\Filespro\Tales\Local\barra2-PROGRESS.bmp;
      %WINDIR%\Filespro\Tales\Local\barra_brad.bmp;
      %WINDIR%\Filespro\Tales\Local\barra_progress.bmp;
      %WINDIR%\Filespro\Tales\Local\bt_confirma.bmp;
      %WINDIR%\Filespro\Tales\Local\bt_retornaCX.bmp;
      %WINDIR%\Filespro\Tales\Local\cadeado.bmp;
      %WINDIR%\Filespro\Tales\Local\campo_CX.bmp;
      %WINDIR%\Filespro\Tales\Local\caps.bmp;
      %WINDIR%\Filespro\Tales\Local\err_bb.bmp;
      %WINDIR%\Filespro\Tales\Local\logoPF.bmp;
      %WINDIR%\Filespro\Tales\Local\logo_BB.bmp;
      %WINDIR%\Filespro\Tales\Local\senha_AMARELA.bmp;
      %WINDIR%\Filespro\Tales\Local\senha_GER.bmp;
      %WINDIR%\Filespro\Tales\Local\teclado_CX.bmp;
      %WINDIR%\Filespro\Tales\Local\tela2_BB.bmp;
      %WINDIR%\Filespro\Tales\Local\tela_Bradesco_senha.bmp;
      %WINDIR%\Filespro\Tales\Local\tela_brad_sencartao.bmp;
      %WINDIR%\Filespro\Tales\Local\tela_caixa_assinatura.bmp;
      %WINDIR%\Filespro\Tales\Local\topo2.bmp;
      %WINDIR%\Filespro\Tales\Local\TV_PJ.bmp; %WINDIR%\winnavps\bb\1234.jar;
      %WINDIR%\winnavps\bb\banner012.jpg; %WINDIR%\winnavps\bb\banner03.gif;
      %WINDIR%\winnavps\bb\banner13.gif; %WINDIR%\winnavps\bb\barra_ger.jpg;
      %WINDIR%\winnavps\bb\barsep.gif; %WINDIR%\winnavps\bb\certificacao.gif;
      %WINDIR%\winnavps\bb\cópia de gerenciador.html;
      %WINDIR%\winnavps\bb\do.gif; %WINDIR%\winnavps\bb\erro_bb.html;
      %WINDIR%\winnavps\bb\erro_gerenciador.html;
      %WINDIR%\winnavps\bb\gerenciador.html;
      %WINDIR%\winnavps\bb\gerenciador2.html; %WINDIR%\winnavps\bb\imagem01.gif;
      %WINDIR%\winnavps\bb\imagem02.gif; %WINDIR%\winnavps\bb\imagem06.gif;
      %WINDIR%\winnavps\bb\imagem07.gif; %WINDIR%\winnavps\bb\imagem10.gif;
      %WINDIR%\winnavps\bb\imagem11.gif; %WINDIR%\winnavps\bb\imagem19.gif;
      %WINDIR%\winnavps\bb\imagem20.gif; %WINDIR%\winnavps\bb\imagem21.gif;
      %WINDIR%\winnavps\bb\imgentra.gif; %WINDIR%\winnavps\bb\imglimpa.gif;
      %WINDIR%\winnavps\bb\inicio.gif; %WINDIR%\winnavps\bb\lbg.gif;
      %WINDIR%\winnavps\bb\linha.gif; %WINDIR%\winnavps\bb\msg_1.gif;
      %WINDIR%\winnavps\bb\principal.html; %WINDIR%\winnavps\bb\prod3.gif;
      %WINDIR%\winnavps\bb\pt.gif; %WINDIR%\winnavps\bb\pt10.gif;
      %WINDIR%\winnavps\bb\pt11.gif; %WINDIR%\winnavps\bb\pt12.gif;
      %WINDIR%\winnavps\bb\pt13.gif; %WINDIR%\winnavps\bb\ptc1.gif;
      %WINDIR%\winnavps\bb\ptc2.gif; %WINDIR%\winnavps\bb\ptc3.gif;
      %WINDIR%\winnavps\bb\ptc4.gif; %WINDIR%\winnavps\bb\ptt.gif;
      %WINDIR%\winnavps\bb\rdc.gif; %WINDIR%\winnavps\bb\rdl.gif;
      %WINDIR%\winnavps\bb\sua.jpg; %WINDIR%\winnavps\bb\tcvirtu.gif;
      %WINDIR%\winnavps\bb\tracoh.gif; %WINDIR%\winnavps\bb\tracoh2.gif;
      %WINDIR%\winnavps\bb\tracoh_1.gif; %WINDIR%\winnavps\bb\tracoh_1_2.gif;
      %WINDIR%\winnavps\bb\tracoh_1_3.gif; %WINDIR%\winnavps\bb\tracov.gif;
      %WINDIR%\winnavps\bb\tracov2.gif; %WINDIR%\winnavps\bb\tracov3.gif;
      %WINDIR%\winnavps\bb\tracov_1.gif; %WINDIR%\winnavps\bb\tracov_1_2.gif;
      %malware execution directory%\ibb011.cfg; %malware execution
      directory%\tsuname2.txt; %malware execution
      directory%\brad11.cfg; %malware execution
      directory%\tsuname4.txt

It tries to download some files:

– The location is the following:
   • http://**********.vilabol.uol.com.br/barra2-PROGRESS.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\barra2-PROGRESS.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/barra_brad.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\barra_brad.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/barra_progress.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\barra_progress.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/bt_confirma.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\bt_confirma.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/bt_retornaCX.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\bt_retornaCX.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/cadeado.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\cadeado.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/campo_CX.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\campo_CX.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/caps.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\caps.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/err_bb.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\err_bb.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/logoPF.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\logoPF.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/logo_BB.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\logo_BB.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/senha_AMARELA.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\senha_AMARELA.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/senha_GER.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\senha_GER.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/teclado_CX.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\teclado_CX.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/tela2_BB.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\tela2_BB.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/tela_Bradesco_senha.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\tela_Bradesco_senha.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/tela_brad_sencartao.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\tela_brad_sencartao.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/tela_caixa_assinatura.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\tela_caixa_assinatura.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/topo2.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\topo2.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/TV_PJ.html
It is saved on the local hard drive under: %WINDIR%\Filespro\Tales\Local\TV_PJ.zip

– The location is the following:
   • http://**********.vilabol.uol.com.br/qqq.html
It is saved on the local hard drive under: %WINDIR%\winnavps\bbb.bck

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "irwftp"="%SYSDIR%\swshost.exe"

Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

Email design:

From: "%computer name%" <%computer name%edilene.bastos@isbt.com.br>
To: edilene.bastos@isbt.com.br
Subject: Confirmei-ROYALTIES_BLACK
Body:
   • %current date% - %current hour%
      %computer name%

From: "%computer name%" <%computer name%astra22gsi@isbt.com.br>
To: astra22gsi@isbt.com.br
Subject: Confirmei-ROYALTIES_BLACK
Body:
   • %current date% - %current hour%
      %computer name%

From: "%computer name%" <%computer name%edilene.bastos@isbt.com.br>
To: edilene.bastos@isbt.com.br
Subject: Skol_p-ROYALTIES_BLACK
Body:
   • %current date% - %current hour%
      %computer name%
Attachment:
   • tsuname4.txt

From: "%computer name%" <%computer name%astra22gsi@isbt.com.br>
To: astra22gsi@isbt.com.br
Subject: Skol_p-ROYALTIES_BLACK
Body:
   • %current date% - %current hour%
      %computer name%
Attachment:
   • tsuname4.txt

From: "%computer name%" <%computer name%edilene.bastos@isbt.com.br>
To: edilene.bastos@isbt.com.br
Subject: Coca-cola-ROYALTIES_BLACK
Body:
   • %current date% - %current hour%
      %computer name%
Attachment:
   • tsuname2.txt

From: "%computer name%" <%computer name%astra22gsi@isbt.com.br>
To: astra22gsi@isbt.com.br
Subject: Coca-cola-ROYALTIES_BLACK
Body:
   • %current date% - %current hour%
      %computer name%
Attachment:
   • tsuname2.txt

The email looks like the following:

Mailing MX Server:
It has the ability to contact the MX server:
• smtp.isbt.com.br

Stealing – A logging routine is started after a website is visited:
   • https://www2.bancobrasil.com.br/aapf/aai/login.pbk

– A logging routine is started after a website is visited, which contains the following substring in its URL:
   • http://www.bradesco.com.br

– It captures:
    • Keystrokes
    • Login information

File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• ASPack 2.12

Description inserted by Iulia Diaconescu on Friday, September 16, 2005
Description updated by Iulia Diaconescu on Tuesday, September 20, 2005

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools