Virus: BDS/Dumador.et.3.C
Date discovered: 03/01/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 17.920 Bytes
MD5 checksum: 1225e5e8552e6add50df865ce6f382bb
VDF version: 6.33.00.92

General

Method of propagation:
• No own spreading routine

Aliases:
• McAfee: Keylog-Sters
• Kaspersky: Trojan-Spy.Win32.Bancos.nw
• TrendMicro: TSPY_BANCOS.BRV
• F-Secure: W32/Banker.GZW
• Sophos: Troj/Bancos-BRV

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops a file
• Registry modification
• Steals information

Files

The following file is created:
– %SYSDIR%\drv32dta\tmp.tmp
This file contains the collected keystrokes.

Registry

The following registry keys are added:
– [HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\2.0]
  • @="newhttpsibdll6screener"
– [HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\2.0\0\win32]
  • @="%malware execution directory%\ib6.dll"
– [HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\2.0\FLAGS]
  • @="0"
– [HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\2.0\HELPDIR]
  • @="%malware execution directory%"
– [HKCR\Interface\{9B373DCD-AE79-4107-A045-6C5A2E521270}]
  • @="CBrowserHelper"
– [HKCR\Interface\{9B373DCD-AE79-4107-A045-6C5A2E521270}\ProxyStubClsid]
  • @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{9B373DCD-AE79-4107-A045-6C5A2E521270}\ProxyStubClsid32]
  • @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{9B373DCD-AE79-4107-A045-6C5A2E521270}\TypeLib]
  • @="{14A5F3E7-B235-4D98-9264-5C67D2657BC4}"
  • "Version"="2.0"
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}]
  • @="newhttpsibdll6screener.CBrowserHelper"
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}\InprocServer32]
  • @="%malware execution directory%\ib6.dll"
  • "ThreadingModel"="Apartment"
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}\ProgID]
  • @="newhttpsibdll6screener.CBrowserHelper"
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}\Programmable]
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}\TypeLib]
  • @="{14A5F3E7-B235-4D98-9264-5C67D2657BC4}"
– [HKCR\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}\VERSION]
  • @="2.0"
– [HKCR\newhttpsibdll6screener.CBrowserHelper]
  • @="newhttpsibdll6screener.CBrowserHelper"
– [HKCR\newhttpsibdll6screener.CBrowserHelper\Clsid]
  • @="{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}"

Stealing

A logging routine is started after a website is visited:
• https://%any website that contains a login form%

The following information is collected:
• Keystrokes
• Window information
• Browser window
• Login information

File details

Programming language: The malware program was written in Visual Basic.

Runtime packer: In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
• UPX
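The registry keys and dropped file listed above can be checked for directly on a suspect host. The following PowerShell script is an added example, not part of this description or of any vendor tool; it assumes an elevated session, takes the GUIDs, ProgID and file name from the description, and resolves the %SYSDIR% placeholder to the current host's System32 directory.

```powershell
# Added example: look for the BDS/Dumador.et.3.C indicators named in the
# description (CLSID, TypeLib, Interface, ProgID and the keystroke log file).
# Run in an elevated PowerShell session; all values are taken from the description.

$clsid   = '{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}'
$typeLib = '{14A5F3E7-B235-4D98-9264-5C67D2657BC4}'
$iface   = '{9B373DCD-AE79-4107-A045-6C5A2E521270}'
$progId  = 'newhttpsibdll6screener.CBrowserHelper'

$registryIndicators = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$typeLib",
    "Registry::HKEY_CLASSES_ROOT\Interface\$iface",
    "Registry::HKEY_CLASSES_ROOT\$progId"
)

# %SYSDIR% placeholder from the description, resolved on this host (assumption).
$sysDir     = [Environment]::GetFolderPath('System')
$keylogFile = Join-Path $sysDir 'drv32dta\tmp.tmp'

$hits = @()
foreach ($key in $registryIndicators) {
    if (Test-Path -LiteralPath $key) { $hits += "registry key present: $key" }
}
if (Test-Path -LiteralPath $keylogFile) { $hits += "file present: $keylogFile" }

# The DLL path is not fixed (it is the malware execution directory), so if the
# CLSID exists, record where InprocServer32 actually points for follow-up.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    $hits += "InprocServer32 points at: $dll"
}

if ($hits.Count -eq 0) {
    Write-Output 'No BDS/Dumador.et.3.C indicators from the description were found.'
} else {
    $hits | ForEach-Object { Write-Output "[!] $_" }
}
```

A clean host prints the "not found" line; any other output names the indicator that is present, and the InprocServer32 value gives the directory to collect ib6.dll from.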
Description inserted by Daniel Constantin on Wednesday, January 11, 2006
Description updated by Daniel Constantin on Wednesday, January 11, 2006