Virus: TR/Spy.Bancodor.AB
Date discovered: 12/04/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 41.472 Bytes
MD5 checksum: 62417a81023a5ae1dfce61709824d49b
VDF version: 6.34.00.176

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Bancodor.ab
   •  TrendMicro: TSPY_AGENT.BRF
   •  Bitdefender: Trojan.Spy.Bancodor.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %PROGRAM FILES%\Common Files\System\lsass.exe



The following files are created:

– Temporary files that might be deleted afterwards:
   • C:\bkup.reg
   • %SYSDIR%\divx.ini
   • %SYSDIR%\%random character string%.tmp.log

%SYSDIR%\divx.ini This is a non-malicious text file with the following content:
   • %stolen information%

%SYSDIR%\winaupd.dll Further investigation showed that this file is also malware. Detected as: TR/Spy.Bancodo.AB.2

%SYSDIR%\xvid.dll Further investigation showed that this file is also malware. Detected as: TR/Spy.Bancodo.AB.4

%SYSDIR%\nUn.b Contains parameters used by the malware.

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • system = %PROGRAM FILES%\Common Files\system\lsass.exe



The following registry keys including all values and subkeys are removed:
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
   • [HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
   • [HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %SYSDIR%\userinit.exe = %SYSDIR%\userinit.exe:*:Enabled:Userinit



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows]
   New value:
   • System =
   • Shell = Explorer.exe

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   Old value:
   • Start = %user defined settings%
   New value:
   • Start = 2

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
   Old value:
   • ServiceDll = %SYSDIR%\wuauserv.dll
   New value:
   • ServiceDll = %SYSDIR%\winaupd.dll

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • SFCDisable = 0
   New value:
   • SFCDisable = ffffff9d
   • SFCScan = 0

Various Explorer settings:
– [HKCU\Software\Microsoft\Internet Explorer]
   New value:
   • SearchURL =

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • Default_Search_URL =
   • Search Page = www.microsoft.com/isapi/redir.dll?prd = ie&ar = iesearch
   • Search Bar =
   • SearchURL =
   • Window_Placement =

– [HKCU\Software\Microsoft\Internet Explorer\Search]
   New value:
   • SearchAssistant =

– [HKCU\Software\Micrsoft\Internet Explorer\Toolbar\WebBrowser]
   New value:
   • ITBarLayout =

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
   New value:
   • SearchAssistant = ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
   • CustomizeSearch = ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
   New value:
   • NavigationFailure = res://shdoclc.dll/navcancl.htm
   • DesktopItemNavigationFailure = res://shdoclc.dll/navcancl.htm
   • NavigationCanceled = res://shdoclc.dll/navcancl.htm
   • OfflineInformation = res://shdoclc.dll/offcancl.htm
   • blank = res://mshtml.dll/blank.htm
   • PostNotCached = res://mshtml.dll/repost.htm
   • mozilla = res://mshtml.dll/about.moz

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   New value:
   • Default_Page_URL = about:blank
   • Default_Search_URL = www.microsoft.com/isapi/redir.dll?prd = ie&ar = iesearch
   • Search Page = www.microsoft.com/isapi/redir.dll?prd = ie&ar = iesearch
   • Local Page =
   • Start Page = about:blank

– [HKU\.Default\Software\Microsoft\Internet Explorer]
   New value:
   • SearchURL =

– [HKU\.Default\Software\Microsoft\Internet Explorer\Main]
   New value:
   • Search Page = www.microsoft.com/isapi/redir.dll?prd = ie&ar = iesearch
   • Default_Search_URL =
   • Search Bar =
   • Local Page =
   • Start Page =

– [HKU\.Default\Software\Microsoft\Internet Explorer\Search]
   New value:
   • SearchAssistant =

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • Check_Associations = yes

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • NoSaveSettings = 0

– [HKCU\Software\Microsoft\Windows\CurrentVersion\
   Group Policy Objects\LocalUser\Software\Policies\Microsoft\
   Internet Explorer\Control Panel]
   New value:
   • Check_If_Default = 0

– [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   New value:
   • Check_If_Default = 0

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • SeparateProcess = 0
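As an added example (not part of the Avira description), the following Python checks a registry snapshot for four of the changes listed above: the Run entry starting lsass.exe from outside the system directory, the wuauserv ServiceDll hijack, the SFCDisable change and the firewall exception for userinit.exe. The %SYSDIR% path and the snapshot format (key path to value-name/data mapping, as parsed from a .reg export) are assumptions.

```python
import ntpath

# Assumed default location of %SYSDIR%; the page gives only the placeholder.
SYSDIR = r"C:\WINDOWS\system32"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WU_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def check_registry(snapshot):
    """snapshot maps a registry key path to {value name: data}, as parsed from
    a .reg export. Returns a list of findings; an empty list means clean."""
    snap = {k.lower(): v for k, v in snapshot.items()}
    findings = []
    # Persistence: a Run value launching lsass.exe from outside %SYSDIR%.
    for name, data in snap.get(RUN_KEY.lower(), {}).items():
        if (ntpath.basename(data).lower() == "lsass.exe"
                and not data.lower().startswith(SYSDIR.lower())):
            findings.append(f"Run\\{name} starts lsass.exe from {data}")
    # Service hijack: Automatic Updates pointed at a foreign ServiceDll.
    dll = snap.get(WU_KEY.lower(), {}).get("ServiceDll", "")
    if dll and ntpath.basename(dll).lower() != "wuauserv.dll":
        findings.append(f"wuauserv ServiceDll replaced with {dll}")
    # WFP tampering: SFCDisable is 0 on an untouched system.
    sfc = str(snap.get(WINLOGON_KEY.lower(), {}).get("SFCDisable", "0"))
    if int(sfc, 16) != 0:
        findings.append(f"SFCDisable set to {sfc}")
    # Firewall bypass: userinit.exe never needs an inbound exception.
    for path in snap.get(FW_KEY.lower(), {}):
        if ntpath.basename(path).lower() == "userinit.exe":
            findings.append(f"firewall exception added for {path}")
    return findings


# Constructed snapshots: the post-infection state from the description above,
# and an untouched system for comparison.
INFECTED = {
    RUN_KEY: {"system": r"C:\Program Files\Common Files\system\lsass.exe"},
    WU_KEY: {"ServiceDll": SYSDIR + r"\winaupd.dll"},
    WINLOGON_KEY: {"SFCDisable": "ffffff9d", "SFCScan": "0"},
    FW_KEY: {SYSDIR + r"\userinit.exe": SYSDIR + r"\userinit.exe:*:Enabled:Userinit"},
}
CLEAN = {
    WU_KEY: {"ServiceDll": SYSDIR + r"\wuauserv.dll"},
    WINLOGON_KEY: {"SFCDisable": "0"},
}
```

Running `check_registry(INFECTED)` reports all four indicators, while `check_registry(CLEAN)` returns an empty list.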

Process termination
List of processes that are terminated:
   • WINLDRA.EXE; NETSCAPE.EXE; OPERA.EXE; FIREFOX.EXE; MOZILLA.EXE;
      M00.EXE; WINTBPX.EXE; SWCHOST.EXE; SVOHOST.EXE; SVC.EXE; WINSOCK.EXE;
      SPOOLS.EXE; KERNELS32.EXE; mwfibpx.exe; nod32kui.exe; mcupdate.exe;
      mw1hel~1.exe; realsched.exe; tbon.exe; pucxyloo.exe; mouse32a.exe;
      winupdates.exe; backweb-; qttask.exe; mediagateway.exe; sox1.exe;
      shstat.exe; SpyAxe.exe; xcommsvr.exe; rwnt.exe; shost.exe;
      MouseElf.exe; aimexdll.exe; batserv2.exe; Elogerr.exe; sysc.exe;
      stopads.exe; istsvc.exe; uwfx5.exe; dazzler.exe; secure.exe;
      spoolsrv32.exe; ibm00001.exe; kernels64.exe; driver64.exe;
      paytime.exe; type32.exe; mediapipe.exe; adduz32.exe; itbill.exe;
      spysheriff.exe; apifl.exe; drsmartloadb.exe; gcasserv.exe; mpp2pl.exe;
      unspypc.exe; realsched.exe; isstart.exe; logitray.exe; winstall.exe;
      statusclient.exe; mpcsvc.exe; backorif.exe; NopeZ.exe; usrprmpt.exe;
      netnw.exe; hpbpsttp.exe; nvarem.exe; apifl.exe; UnSpyPC.exe


Backdoor
Contact server:
The following:
   • http://www.southsea.cc/news/**********

As a result it may send some information, and it periodically repeats the connection. This is done via the HTTP POST method to a PHP script.
The server's answer is written to the file: %SYSDIR%\xvid.ini


Sends information about:
    • Cached passwords
    • Created logfiles
    • Environment variables
    • Current malware status
    • Information about running processes
    • Collected information described in stealing section

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started after a website is visited:
   • %any website that contains a login form%

– It captures:
    • Window information
    • Login information

Injection
– It injects the following file into a process: %SYSDIR%\xvid.dll

    Process name:
   • %all processes started after malware is active in memory%


Miscellaneous
Mutex:
It creates the following Mutex:
   • _Toolbar_Class_32


File patching:
In order to disable Windows File Protection (WFP) it has the capability to modify the file sfc_os.dll at offset 0000E2B8. WFP is intended to avoid some of the common problems that cause DLL inconsistencies.

Rootkit Technology
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.


Hides the following:
– Its own process

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Thursday, April 13, 2006
Description updated by Andrei Gherman on Thursday, April 13, 2006
