Virus: TR/Dldr.Banker.GA.1
Date discovered: 25/07/2006
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 42,496 bytes
MD5 checksum: 06bf129bba13d220406a6ce5739d63a1
VDF version: 6.35.01.000
IVDF version: 6.35.01.000

 General Aliases:
   •  Symantec: Infostealer.Snifula
   •  Kaspersky: Trojan-Spy.Win32.Small.gf
   •  Sophos: Troj/FireSpy-A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows 2000
   • Windows XP


Side effects:
   • Drops files
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\138762763.exe



A section is added to the Firefox profile's extension list (extensions.ini, which Firefox reads at startup to locate installed extensions), so that the dropped extension is loaded by the browser.
– To: %APPDATA%\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions.ini
  With the following contents:
   • [ExtensionDirs]
     Extension0=%APPDATA%\Mozilla\Firefox\Profiles\5yxkpuhr.default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\install.rdf




The following files are created:

– %PROGRAM FILES%\Mozilla Firefox\Components\AppInterConn.xpt
– %PROGRAM FILES%\Mozilla Firefox\Components\AppInterConn.dll
  Further analysis showed that this file is malware as well. Detected as: TR/Agent.SN.4
  (The two files form an XPCOM component and its type library, placed in the browser's own Components directory so that the browser loads them itself.)

– %APPDATA%\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\install.rdf
– %APPDATA%\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\chrome.manifest
– %APPDATA%\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\chrome\numberedlinks.jar
– %APPDATA%\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\chrome\overlayinfo\browser\content\overlays.rdf
– %APPDATA%\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\chrome\chrome.rdf

Registry
The following registry value is added in order to run the dropped file again after a reboot:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "stup"="%SYSDIR%\138762763.exe"



The following registry key is added, holding two hexadecimal values:

– HKCU\Software\keys
   • "k2"=%hex number%
   • "k1"=%hex number%
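Added example, not part of the Avira description: an offline check for the host-side indicators listed in the Files and Registry sections above. The indicators (extension GUID, dropped file names, Run value name, dropper name and MD5) are taken from the description; the function names, the constructed sample profile written by build_sample_profile() and the use of Python's configparser and hashlib are my own assumptions.

```python
"""Offline IOC checks for the Firefox infostealer described above (added example)."""
import configparser
import hashlib
import os
import tempfile

# Indicators from the description.
EXT_GUID = "{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}"
DROPPED_EXT_FILES = ("install.rdf", "chrome.manifest",
                     os.path.join("chrome", "numberedlinks.jar"))
DROPPER_NAME = "138762763.exe"
DROPPER_MD5 = "06bf129bba13d220406a6ce5739d63a1"
RUN_VALUE_NAME = "stup"


def parse_extensions_ini(text):
    """Return the ExtensionN paths listed under [ExtensionDirs], in file order."""
    cp = configparser.ConfigParser(interpolation=None)  # paths contain %APPDATA%
    cp.optionxform = str  # keep 'Extension0' instead of lower-casing the key
    cp.read_string(text)
    if not cp.has_section("ExtensionDirs"):
        return []
    return [value for key, value in cp.items("ExtensionDirs")
            if key.startswith("Extension")]


def find_malicious_extension_entries(ini_text, guid=EXT_GUID):
    """Entries whose path contains the malicious extension GUID (case-insensitive)."""
    return [p for p in parse_extensions_ini(ini_text) if guid.lower() in p.lower()]


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_profile(profile_dir):
    """Check one Firefox profile directory; returns (label, detail) findings."""
    findings = []
    ini = os.path.join(profile_dir, "extensions.ini")
    if os.path.isfile(ini):
        with open(ini, encoding="utf-8", errors="replace") as fh:
            for entry in find_malicious_extension_entries(fh.read()):
                findings.append(("extensions.ini references malicious extension", entry))
    ext_dir = os.path.join(profile_dir, "extensions", EXT_GUID)
    for name in DROPPED_EXT_FILES:
        path = os.path.join(ext_dir, name)
        if os.path.isfile(path):
            findings.append(("dropped extension file present", path))
    return findings


def scan_system_dir(sysdir):
    """Flag the dropper copy in %SYSDIR% and compare its MD5 with the sample."""
    path = os.path.join(sysdir, DROPPER_NAME)
    if not os.path.isfile(path):
        return []
    if file_md5(path) == DROPPER_MD5:
        status = "MD5 matches the described sample"
    else:
        status = "MD5 differs (variant, repacked, or unrelated file)"
    return [("dropper present", path + " : " + status)]


def read_run_value(name=RUN_VALUE_NAME):
    """On Windows, return the HKCU Run value of that name, or None if absent.
    On other platforms winreg is unavailable and None is returned as well."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _type = winreg.QueryValueEx(key, name)
            return value
    except OSError:
        return None


def build_sample_profile(root):
    """Write a constructed infected profile and %SYSDIR% under root.
    The files are placeholders, not the real malware."""
    profile = os.path.join(root, "5yxkpuhr.default")
    ext_dir = os.path.join(profile, "extensions", EXT_GUID)
    os.makedirs(os.path.join(ext_dir, "chrome"))
    with open(os.path.join(profile, "extensions.ini"), "w") as fh:
        fh.write("[ExtensionDirs]\nExtension0=%s\n" % os.path.join(ext_dir, "install.rdf"))
    for name in DROPPED_EXT_FILES:
        with open(os.path.join(ext_dir, name), "w") as fh:
            fh.write("placeholder\n")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    with open(os.path.join(sysdir, DROPPER_NAME), "wb") as fh:
        fh.write(b"constructed placeholder, MD5 will not match")
    return profile, sysdir


def demo():
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        profile, sysdir = build_sample_profile(root)
        return scan_profile(profile) + scan_system_dir(sysdir)


if __name__ == "__main__":
    for label, detail in demo():
        print("%-45s %s" % (label, detail))
    print("HKCU Run value %r: %r" % (RUN_VALUE_NAME, read_run_value()))
```

On a live Windows host, point scan_profile() at each %APPDATA%\Mozilla\Firefox\Profiles\*.default directory and scan_system_dir() at %SYSTEMROOT%\system32; read_run_value() only reads the registry on Windows. The MD5 comparison identifies this exact sample only, so treat a present 138762763.exe with a different hash as a variant to analyse rather than as clean.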

Backdoor
Contact server:
The following:
   • 81.95.147.107/cgi-bin/**********

Contact is made via an HTTP GET request to a CGI script on this server.


Sends information about:
    • The collected information described in the Stealing section

Stealing
It tries to steal the following information:
– Passwords typed into password input fields

– A logging routine is started after a website of the following kind is visited:
   • %any website that contains a login form%

– It captures:
    • Login information

Miscellaneous
Mutex:
It creates the following mutex:
   • kjhskdhkjshfd_Mutex

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Bogdan Iliuta on Friday, July 28, 2006
Description updated by Bogdan Iliuta on Monday, July 31, 2006
