Virus: TR/Spy.Banker.ahy.2471
Date discovered: 10/03/2006 (10 March 2006)
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 805,888 bytes
MD5 checksum: 2875e4d9fbd564f87264a0824df7ca67
VDF version: 6.34.00.14

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Banker.ahy
   •  Bitdefender: Trojan.Banker.Delf.4F5279A7


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %SYSDIR%\system32.exe
   • %ALLUSERSPROFILE%\start menu\programs\startup\system32.exe
   • %ALLUSERSPROFILE%\Menu Iniciar\Programas\Inicializar\system32.exe
   • %WINDIR%\Menu Iniciar\Iniciar\system32.exe

Registry
The following registry value is added so that the process runs again after a reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "system32"="%sysdir%\system32.exe"

Email
It has no spreading routine of its own, but it is able to send email. The recipient is most likely the author. The characteristics are described below:


Email design:
(The body labels are Portuguese and are kept verbatim because they are the literal strings the trojan sends: "Nome do Computador" = computer name, "Usuario do computador" = computer user, "Ip" = IP, "Data" = date, "Hora" = time, "Banco" = bank; the subject "Infectado" means "Infected".)
From: "Infected" <infect@isbt.com.br>
To: 100kbps@gmail.com
Subject: Infectado
Body:
   • Nome do Computador: %computer name%
     Usuario do computador:%current username%
     Ip: %IP address%
     Data: %current date% Hora: %current hour%
     Windows: %operating system%
     Mac Address: %MAC address%
From: dinheiro@isbt.com.br
To: 100kbps@gmail.com
Subject: Info %bank name%
Body:
   • Nome do Computador: %computer name%
     Usuario do computador: :%current username%
     Ip: %IP address%
     Data: %current date% Hora: %current hour%
     Windows: %operating system%
     Mac Address: %MAC address%
     
     Banco %bank name%
     ------------------------------
     %stolen information%
     ------------------------------
From: dinheiro@isbt.com.br
To: empresarial2006@bol.com.br
Subject: Info %bank name%
Body:
   • Nome do Computador: %computer name%
     Usuario do computador: :%current username%
     Ip: %IP address%
     Data: %current date% Hora: %current hour%
     Windows: %operating system%
     Mac Address: %MAC address%
     
     Banco %bank name%
     ------------------------------
     %stolen information%
     ------------------------------

Mailing
Mail servers:
It has the ability to contact one of the following mail (SMTP) servers:
   • smtp.isbt.com.br
   • mx2.mail.yahoo.com
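Added example, not from the original page: detection logic for the two email designs and the exfiltration recipients listed above, run over a captured SMTP session. The transcript in SAMPLE_SESSION is constructed for the demo (the host name, user, IP and account values are made up), and only the client side of the dialogue is needed, so the same logic works on a mail-gateway log or a stream carved from a pcap. A message is flagged when its envelope uses one of the sender or recipient addresses above, or when its body carries the "Nome do Computador:" template; "Info <bank>" subjects are the ones that carry captured login data, which sits between the two dashed rules.

```python
"""Flag the trojan's exfiltration mails in a captured SMTP session."""
import re

# Envelope indicators taken from the description above.
EXFIL_SENDERS = {"infect@isbt.com.br", "dinheiro@isbt.com.br"}
EXFIL_RECIPIENTS = {"100kbps@gmail.com", "empresarial2006@bol.com.br"}
ADDR_RE = re.compile(r"<([^>]+)>")
REPLY_RE = re.compile(r"^\d{3}[ -]")   # SMTP server reply such as '250 OK' or '354 ...'

def _addr(line):
    m = ADDR_RE.search(line)           # 'MAIL FROM:<x@y>' / 'RCPT TO:<x@y>'
    return (m.group(1) if m else line.split(":", 1)[1]).strip().lower()

def parse_smtp_session(transcript):
    """Minimal client-side SMTP parser: one dict per message with envelope,
    lower-cased headers and body lines. Replies skipped, dot-stuffing undone."""
    messages, cur, in_data, in_headers = [], None, False, False
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":                                      # end of DATA
                messages.append(cur)
                cur, in_data = None, False
            elif in_headers and not cur["headers"] and REPLY_RE.match(line):
                pass                                             # the 354 reply
            elif in_headers and line == "":
                in_headers = False                               # headers end
            elif in_headers and ":" in line:
                name, value = line.split(":", 1)
                cur["headers"][name.strip().lower()] = value.strip()
            elif not in_headers:
                cur["body"].append(line[1:] if line.startswith("..") else line)
        elif line.upper().startswith("MAIL FROM:"):
            cur = {"mail_from": _addr(line), "rcpt_to": [], "headers": {}, "body": []}
        elif line.upper().startswith("RCPT TO:") and cur is not None:
            cur["rcpt_to"].append(_addr(line))
        elif line.upper() == "DATA" and cur is not None:
            in_data = in_headers = True
    return messages

def _field(body, label):
    """Read 'Label: value'; tolerates the ': :' and no-space variants above."""
    m = re.search(rf"^{re.escape(label)}\s*:[\s:]*(.*)$", body, re.M)
    return m.group(1).strip() if m else None

def classify(msg):
    """A finding if envelope or body matches the email design above, else None."""
    subject = msg["headers"].get("subject", "")
    body = "\n".join(msg["body"])
    envelope_hit = (msg["mail_from"] in EXFIL_SENDERS
                    or any(r in EXFIL_RECIPIENTS for r in msg["rcpt_to"]))
    if not (envelope_hit or "Nome do Computador:" in body):
        return None
    creds = subject.startswith("Info ")        # 'Info <bank>' carries login data
    stolen = re.search(r"-{10,}\n(.*?)\n-{10,}", body, re.S)   # between the rules
    return {
        "kind": "credentials" if creds else "beacon",
        "computer": _field(body, "Nome do Computador"),
        "user": _field(body, "Usuario do computador"),
        "bank": subject[5:].strip() if creds else None,
        "stolen": stolen.group(1) if stolen else None,
    }

def scan_session(transcript):
    return [f for f in map(classify, parse_smtp_session(transcript)) if f]

# Constructed transcript (host, user, IP and account values are made up).
SAMPLE_SESSION = """MAIL FROM:<infect@isbt.com.br>
RCPT TO:<100kbps@gmail.com>
DATA
354 End data with <CR><LF>.<CR><LF>
From: "Infected" <infect@isbt.com.br>
Subject: Infectado

Nome do Computador: LAB-PC01
Usuario do computador:analyst
Ip: 10.0.0.5
.
MAIL FROM:<dinheiro@isbt.com.br>
RCPT TO:<empresarial2006@bol.com.br>
DATA
354 Go ahead
From: dinheiro@isbt.com.br
Subject: Info Bradesco

Nome do Computador: LAB-PC01
Usuario do computador: :analyst
Ip: 10.0.0.5

Banco Bradesco
------------------------------
agencia=1234 conta=56789-0 senha=XXXXXX
------------------------------
.
QUIT
"""
```

For prevention rather than detection, the simplest control is an egress rule: workstations have no business speaking SMTP directly to smtp.isbt.com.br or mx2.mail.yahoo.com, so blocking outbound port 25 except from the corporate mail relay stops this exfiltration channel and makes any attempt visible in the firewall log.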

Stealing
It tries to steal the following information:

– A logging routine is started after one of the following websites is visited:
   • www.bradesco.com.br
   • caixa.com.br
   • cef.com.br
   • caixa.gov.br
   • cef.gov.br
   • www.unibanco.com.br
   • itau.com.br

– A logging routine is also started after a visit to any website whose URL contains one of the following substrings:
   • desco
   • caixa
   • unib
   • itau
   • Unibanco.com

– It captures:
    • Keystrokes
    • Login information

Miscellaneous
Mutex:
It creates the following mutex:
   • STFK MutexXx

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packers:
   • PecBundle
   • PECompact

Description inserted by Iulia Diaconescu on Monday, March 13, 2006
Description updated by Iulia Diaconescu on Monday, March 13, 2006
