Virus: TR/Spy.Banke.any.89
Date discovered: 12/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 822.904 Bytes
MD5 checksum: 48cbfa5f08bab42cb79bdefc7795ff30
VDF version: 6.35.00.154
IVDF version: 6.35.00.193 - Thursday, July 20, 2006
General
Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-Spy.Win32.Banker.ark
• Sophos: Troj/Bnkmr-Fam
• VirusBuster: TrojanSpy.Banker.DWK

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Uses its own Email engine
• Registry modification
• Steals information

Files
It copies itself to the following location:
• %ALLUSERSPROFILE%\start menu\programs\startup\amsn.exe

Registry
The following registry key is added:
– HKCR\Software\Microsoft\Windows\CurrentVersion\Run
  • "amsn"="%WINDIR% \System32%WINDIR% \Config\amsn.exe"

Email
It doesn't have its own spreading routine, but it has the ability to send an email. The receiver is most likely the author. The characteristics are described below:

Email design:
From: INFECTADO <roger.capellari@gmail.com>
To: louco.bank@gmail.com <louco.bank@gmail.com>
Subject: INFECTADO%computer name%
Body:
• [Infectado OnLine]..:
  Maquina.............: %computer name%
  IP..................: %current ip address%
  Data................: %current date%
  Hora................: %current hour%
  Versão do Windows...: %operating system% (version %Windows version% )
  |'=========SOURCE BY ROJAO===========

From: BANESPA <BANESPA>
To: bianca3007@gmail.com <bianca3007@gmail.com>
Subject: CHEGOU C/C %computer name%
Body:
• [Infectado OnLine]..:
  Maquina.............: %computer name%
  IP..................: %current ip address%
  Data................: %current date%
  Hora................: %current hour%
  Versão do Windows...: %operating system% (version %Windows version% )
  |'=========SOURCE BY ROJAO===========
  BANESPA !
  ![Ag]:...........%stolen information%
  ![Cont]:.........%stolen information%
  ![Nome Acesso]:..%stolen information%
  ![Sen]:..........%stolen information%
  ![Ass E]:........%stolen information%
  !
  !-=-=-=-=-=-|_PaPaRaZz0_|-=-=-=-=-=-

From: UNIBANCO <UNIBANCO>
To: bianca3007@gmail.com <bianca3007@gmail.com>
Subject: CHEGOU C/C %computer name%
Body:
• [Infectado OnLine]..:
  Maquina.............: %computer name%
  IP..................: %current ip address%
  Data................: %current date%
  Hora................: %current hour%
  Versão do Windows...: %operating system% (version %Windows version% )
  |'=========SOURCE BY ROJAO===========
  Unibanco nem parece Banco :D
  !
  [Agên].........: %stolen information%
  [Con-Dig]......: %stolen information%
  [SeCont].......: %stolen information%
  [AssElet]......: %stolen information%
  [NascimE]......: %stolen information%
  !=========SOURCE BY ROJAO==========

The email may look like one of the following screenshots (images not reproduced in this text version).

Mailing
MX Server:
It has the ability to contact the MX server:
• gsmtp185.google.com

Stealing
– A logging routine is started after one of the following websites is visited:
  • http://www.banespa.com.br/
  • http://www.unibanco.com.br/
– It captures:
  • Login information
– Form windows are displayed as shown in the pictures below (images not reproduced in this text version).

Miscellaneous
Mutex:
It creates the following Mutex:
• fataL MuTexXx

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Ionut Slaveanu on Wednesday, August 30, 2006
Description updated by Andrei Ivanes on Thursday, September 14, 2006