Virus: TR/Spy.Banker.Germ.A
Date discovered: 03/03/2006
Type: Trojan
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 25,600 bytes
MD5 checksum: da3a64ae559171135e0c1a77f43fef07
VDF version: 6.33.01.60

General
Method of propagation:
   • No own spreading routine

It was previously detected as:
   •  TR/Dldr.Orderjack.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %HOME%\order_%four-digit random character string%.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %temporary internet files%\%random character string%\*.*

– A file created for temporary use, which may be deleted afterwards:
   • %HOME%\order_tempopt.bin

– c:\order_http___%visited URL%__%several random digits%.txt
  This text file is not itself malicious; it is the log in which the stolen information is written. Its content is:
   • %stolen information%




It tries to download a file:

– The locations are the following:
   • http://85.249.22.240/cgi-bin/**********?user_id=%several random digits%&version_id=111100034366&passphrase=fkjvhsdvlksdhvlsd
   • http://back3133711.com/cgi-bin/**********?user_id=%several random digits%&version_id=111100034366&passphrase=fkjvhsdvlksdhvlsd
It is saved on the local hard drive under: %HOME%\order_opt3.bin

Registry
The following registry value is added in order to run the process after reboot:

– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "order_Shell"="%HOME%\order_vs%two-digit random character string%.exe"



The following registry values are added:

– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion
   • "order_id"="%several random digits%"
   • "order_version"="111100034366"

Backdoor
Contact server:
All of the following:
   • http://85.249.22.240/cgi-bin/**********
   • http://85.249.22.240/cgi-bin/**********

It may send information to this server. This is done via an HTTP POST to a CGI script.


Sends information about:
    • Current malware status
    • Collected information described in stealing section

Stealing
It tries to steal the following information:

– A logging routine is started after a website is visited whose URL contains one of the following substrings:
   • %any website that contains a login form%
   • bankingportal.
   • banking.gad.de/banking/
   • internetbanking.gad.de/banking/
   • homebanking-thueringen.de
   • banking.postbank.de/app/welcome.do
   • banking.cc-bank.de
   • cdg.citibank.de
   • dresdner-privat.de
   • deutsche-bank.de
   • postbank.de/app/login.prep.do

– It captures:
    • Window information
    • Internet traffic
    • Login information
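The contact-server URLs in the download and backdoor sections and the trigger list above give a network-side view of an infection that does not depend on the infected host's own tools. The following script is an added example, not part of the original description or of any vendor tool: it triages a web-proxy log and flags (a) beacons to the contact servers, recognised by host, /cgi-bin/ path and the fixed version_id and passphrase query values, and (b) visits to URLs containing one of the trigger substrings, i.e. sessions whose login data the logging routine would have captured. The log format (timestamp, client, method, URL), the sample lines, the function names and the placeholder script name "report.cgi" are all assumptions made for this example; the real CGI script name is masked on this page, so the matcher does not rely on it.

```python
"""Proxy-log triage for TR/Spy.Banker.Germ.A.

Added example, not part of the original description.  It flags:
  * beacons to the contact servers listed on this page, recognised by the
    host, the /cgi-bin/ path and the fixed version_id and passphrase query
    values (the CGI script name is masked on the page, so it is not matched);
  * visits to URLs containing one of the trigger substrings from the
    "Stealing" section, i.e. sessions whose login data would have been logged.
The log format (timestamp client method url) and all sample lines are
constructed for this example; "report.cgi" stands in for the masked name.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"85.249.22.240", "back3133711.com"}
C2_VERSION_ID = "111100034366"
C2_PASSPHRASE = "fkjvhsdvlksdhvlsd"

# Trigger list from the "Stealing" section.  The "%any website that contains a
# login form%" entry needs the page body, not the URL, so it is not modelled.
TRIGGER_SUBSTRINGS = (
    "bankingportal.",
    "banking.gad.de/banking/",
    "internetbanking.gad.de/banking/",
    "homebanking-thueringen.de",
    "banking.postbank.de/app/welcome.do",
    "banking.cc-bank.de",
    "cdg.citibank.de",
    "dresdner-privat.de",
    "deutsche-bank.de",
    "postbank.de/app/login.prep.do",
)

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def c2_user_id(url):
    """Return the user_id of a beacon to the contact server, or None.

    The HTTP method is deliberately not checked: the page shows the same
    query string on a download URL and describes reports as HTTP POSTs.
    """
    u = urlsplit(url)
    if u.hostname not in C2_HOSTS or not u.path.startswith("/cgi-bin/"):
        return None
    q = parse_qs(u.query)
    if q.get("version_id") != [C2_VERSION_ID] or q.get("passphrase") != [C2_PASSPHRASE]:
        return None
    return q.get("user_id", [None])[0]


def matching_trigger(url):
    """Return the first trigger substring found in the URL (scheme dropped), or None."""
    without_scheme = url.split("://", 1)[-1]
    for substring in TRIGGER_SUBSTRINGS:
        if substring in without_scheme:
            return substring
    return None


def triage(lines):
    """Split log lines into C2 beacons and visits the stealer would have logged."""
    beacons, captured = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user_id = c2_user_id(rec["url"])
        if user_id is not None:
            # user_id is the same value the trojan stores as "order_id" in the
            # registry, so it ties a beacon back to a specific infected host.
            beacons.append({**rec, "user_id": user_id})
        trigger = matching_trigger(rec["url"])
        if trigger is not None:
            captured.append({**rec, "trigger": trigger})
    return beacons, captured


# Constructed sample log; the CGI script name is a placeholder.
SAMPLE_LOG = """\
2006-03-03T09:12:01 10.0.0.15 GET http://www.example.com/index.html
2006-03-03T09:12:44 10.0.0.15 GET http://85.249.22.240/cgi-bin/report.cgi?user_id=48213907&version_id=111100034366&passphrase=fkjvhsdvlksdhvlsd
2006-03-03T09:13:10 10.0.0.15 GET https://banking.postbank.de/app/welcome.do
2006-03-03T09:13:30 10.0.0.15 POST https://banking.postbank.de/app/login.prep.do
2006-03-03T09:20:05 10.0.0.15 POST http://85.249.22.240/cgi-bin/report.cgi?user_id=48213907&version_id=111100034366&passphrase=fkjvhsdvlksdhvlsd
2006-03-03T09:25:00 10.0.0.22 GET http://back3133711.com/cgi-bin/other.cgi?user_id=1&version_id=999&passphrase=x
2006-03-03T09:30:00 10.0.0.22 GET https://www.bankingportal.example/login
"""

if __name__ == "__main__":
    found_beacons, found_captured = triage(SAMPLE_LOG.splitlines())
    for b in found_beacons:
        print(f"C2 beacon  {b['ts']} {b['client']} user_id={b['user_id']}")
    for c in found_captured:
        print(f"captured   {c['ts']} {c['client']} {c['url']} (trigger: {c['trigger']})")
```

On the sample log the script reports two beacons from 10.0.0.15 carrying the same user_id and three banking visits that fall within the trigger list; the request to back3133711.com with a different version_id is not reported, since a /cgi-bin/ request to that host alone is not enough evidence. The trigger match is a plain substring test on the URL, which is how the list on this page reads, so a subdomain such as www.bankingportal.example matches "bankingportal." just as the bare host would.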

Injection
It injects itself into the following process:
   • explorer.exe


Rootkit Technology
The malware uses rootkit technology to hide its presence from system utilities, security applications and, in the end, from the user.

Hides the following:
– Its own files
– Its own registry keys

Because these are hidden from tools running on the infected system, the files and registry entries listed above may not show up in a live inspection; checking from outside the running system (for example from a boot medium) or relying on the network indicators above is more reliable.

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ivanes on Friday, March 3, 2006
Description updated by Andrei Ivanes on Tuesday, March 7, 2006
