Virus: TR/Spy.Banke.any.89
Date discovered: 12/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 822.904 Bytes
MD5 checksum: 48cbfa5f08bab42cb79bdefc7795ff30
VDF version: 6.35.00.154
IVDF version: 6.35.00.193 - Thursday, July 20, 2006

General
Method of propagation:
   • No own spreading routine

Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Banker.ark
   •  Sophos: Troj/Bnkmr-Fam
   •  VirusBuster: TrojanSpy.Banker.DWK


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %ALLUSERSPROFILE%\start menu\programs\startup\amsn.exe

Registry
The following registry key is added:

– HKCR\Software\Microsoft\Windows\CurrentVersion\Run
   • "amsn"="%WINDIR%\System32%WINDIR%\Config\amsn.exe"

Email
It doesn't have its own spreading routine, but it has the ability to send an email. The receiver is most likely the author. The characteristics are described below:


Email design:
From: INFECTADO <roger.capellari@gmail.com>
To: louco.bank@gmail.com <louco.bank@gmail.com>
Subject: INFECTADO%computer name%
Body:
   • [Infectado OnLine]..:
     Maquina.............: %computer name%
     IP..................: %current ip address%
     Data................: %current date%
     Hora................: %current hour%
     Versão do Windows...: %operating system% (version %Windows version%)
     |'=========SOURCE BY ROJAO===========
     .
From: BANESPA <BANESPA>
To: bianca3007@gmail.com <bianca3007@gmail.com>
Subject: CHEGOU C/C %computer name%
Body:
   • '
     [Infectado OnLine]..:
     Maquina.............: %computer name%
     IP..................: %current ip address%
     Data................: %current date%
     Hora................: %current hour%
     Versão do Windows...: %operating system% (version %Windows version%)
     |'=========SOURCE BY ROJAO===========
     BANESPA
     !
     ![Ag]:...........%stolen information%
     ![Cont]:.........%stolen information%
     ![Nome Acesso]:..%stolen information%
     ![Sen]:..........%stolen information%
     ![Ass E]:........%stolen information%
     !
     !-=-=-=-=-=-|_PaPaRaZz0_|-=-=-=-=-=-
From: UNIBANCO <UNIBANCO>
To: bianca3007@gmail.com <bianca3007@gmail.com>
Subject: CHEGOU C/C %computer name%
Body:
   • '
     [Infectado OnLine]..:
     Maquina.............: %computer name%
     IP..................: %current ip address%
     Data................: %current date%
     Hora................: %current hour%
     Versão do Windows...: %operating system% (version %Windows version%)
     |'=========SOURCE BY ROJAO===========
     Unibanco nem parece Banco :D
     !
     [Agên].........: %stolen information%
     [Con-Dig]......: %stolen information%
     [SeCont].......: %stolen information%
     [AssElet]......: %stolen information%
     [NascimE]......: %stolen information%
     
     !=========SOURCE BY ROJAO==========

The email may look like one of the following: [screenshots not included in this text version]

Mailing
MX Server:
It has the ability to contact the MX server:
   • gsmtp185.google.com

Stealing
– A logging routine is started after one of the following websites is visited:
   • http://www.banespa.com.br/
   • http://www.unibanco.com.br/

– It captures:
    • Login information

– Form windows are displayed as shown in the pictures below: [screenshots not included in this text version]

Miscellaneous
Mutex:
It creates the following mutex:
   • fataL MuTexXx

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
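The host and network indicators listed above (the startup-folder copy, the Run value name, the mutex, the MX server, the recipient addresses and the fixed subject prefixes) can be turned into a simple triage check. The following Python script is an added example and is not part of the original description or of any vendor tooling: it matches constructed sample artifact records (labelled as such in the code) against the page's own indicator values. The record format, the decision to compare the startup path on the part after %ALLUSERSPROFILE%, the hive-agnostic comparison of the Run value name, and the subject-prefix regular expressions are assumptions of this example.

```python
"""Triage check for the indicators in this description (added example).

Only the indicator values below come from the description; every artifact
record in SAMPLE_ARTIFACTS is constructed sample input, not observed data.
"""
import re

# Indicators taken from the description above.
MD5_HASHES = {"48cbfa5f08bab42cb79bdefc7795ff30"}
STARTUP_FILE = r"%ALLUSERSPROFILE%\start menu\programs\startup\amsn.exe"
RUN_VALUE_NAME = "amsn"
MUTEX_NAMES = {"fataL MuTexXx"}
SMTP_HOSTS = {"gsmtp185.google.com"}
MAIL_RECIPIENTS = {"louco.bank@gmail.com", "bianca3007@gmail.com"}
# The mail subjects end in the computer name, so only the fixed prefix is
# matched (assumption: prefix match is enough for triage).
SUBJECT_PATTERNS = [re.compile(r"^INFECTADO"), re.compile(r"^CHEGOU C/C ")]

# The startup path is given relative to %ALLUSERSPROFILE%; compare on the
# part after the variable so any profile root (localised or not) matches.
_STARTUP_TAIL = STARTUP_FILE.split("%ALLUSERSPROFILE%", 1)[1].lower()


def _norm_path(path: str) -> str:
    """Normalise a Windows path for case- and separator-insensitive comparison."""
    return path.replace("/", "\\").lower()


def match_artifact(artifact: dict) -> list:
    """Return a list of (indicator, value) hits for one observed artifact record."""
    hits = []
    kind = artifact.get("kind")
    if kind == "file":
        if _norm_path(artifact.get("path", "")).endswith(_STARTUP_TAIL):
            hits.append(("startup_file", artifact["path"]))
        if artifact.get("md5", "").lower() in MD5_HASHES:
            hits.append(("md5", artifact["md5"].lower()))
    elif kind == "registry":
        # Assumption: match the value name under any ...\CurrentVersion\Run key,
        # whatever hive it sits in, rather than only the hive named on the page.
        key = _norm_path(artifact.get("key", ""))
        if key.endswith("\\currentversion\\run") and \
                artifact.get("name", "").lower() == RUN_VALUE_NAME:
            hits.append(("run_value", artifact["key"] + "\\" + artifact["name"]))
    elif kind == "mutex":
        if artifact.get("name") in MUTEX_NAMES:  # mutex names are case-sensitive
            hits.append(("mutex", artifact["name"]))
    elif kind == "netconn":
        if artifact.get("host", "").lower() in SMTP_HOSTS:
            hits.append(("smtp_host", artifact["host"].lower()))
    elif kind == "mail":
        if artifact.get("to", "").lower() in MAIL_RECIPIENTS:
            hits.append(("mail_recipient", artifact["to"].lower()))
        subject = artifact.get("subject", "")
        if any(p.match(subject) for p in SUBJECT_PATTERNS):
            hits.append(("mail_subject", subject))
    return hits


def scan(artifacts: list) -> dict:
    """Aggregate hits across all records into {indicator: sorted unique values}."""
    found = {}
    for art in artifacts:
        for indicator, value in match_artifact(art):
            found.setdefault(indicator, set()).add(value)
    return {k: sorted(v) for k, v in found.items()}


# Constructed sample artifacts mixing true hits with benign look-alikes
# (e.g. a legitimately installed program that also ships an amsn.exe).
SAMPLE_ARTIFACTS = [
    {"kind": "file",
     "path": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\amsn.exe",
     "md5": "48CBFA5F08BAB42CB79BDEFC7795FF30"},
    {"kind": "file", "path": r"C:\Program Files\aMSN\amsn.exe",
     "md5": "00000000000000000000000000000000"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "amsn"},
    {"kind": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctfmon"},
    {"kind": "mutex", "name": "fataL MuTexXx"},
    {"kind": "netconn", "host": "gsmtp185.google.com"},
    {"kind": "mail", "to": "louco.bank@gmail.com", "subject": "INFECTADOWORKSTATION01"},
    {"kind": "mail", "to": "helpdesk@example.com", "subject": "Weekly report"},
]

if __name__ == "__main__":
    for indicator, values in sorted(scan(SAMPLE_ARTIFACTS).items()):
        print(f"{indicator}: {values}")
```

The benign aMSN record shows why the file name alone is a weak indicator: the check only fires on the startup-folder location or on the hash, not on `amsn.exe` wherever it appears.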

Description inserted by Ionut Slaveanu on Wednesday, August 30, 2006
Description updated by Andrei Ivanes on Thursday, September 14, 2006
