Virus: TR/Banker.Delf.EC
Date discovered: 16/02/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 1.560.472 Bytes
MD5 checksum: 6a154e0A90f45202ec2d42e9a71a1b03
VDF version: 6.33.01.01 - Thursday, February 16, 2006
IVDF version: 6.33.01.01 - Thursday, February 16, 2006

General
Method of propagation:
   • No own spreading routine


Alias:
   • TrendMicro: TSPY_BANKER.EZT


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %SYSDIR%\AntiVirus.scr
   • %SYSDIR%\smsss.exe
   • %ALLUSERSPROFILE%\start menu\programs\startup\AntiVirus.scr

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "AntiVirus"="%SYSDIR%\AntiVirus.scr"

The following registry key is added:

– HKCU\SOFTWARE\MICROSOFT\MS SETUP (ACME)\

Email
It doesn't have its own spreading routine, but it has the ability to send an email. The recipient is most likely the author. The characteristics are described below:

From:
The sender address is spoofed.
The sender of the email is one of the following:
   • "B.R.A.V.O" <boizao2006@yahoo.com.br>
   • pau 100 mil


To:
– The following email address:
   • gracelltda@gmail.com


Subject:
One of the following:
   • $DINHEIRO$
   • $DINHEIRO$%name of the bank%
   • ESSE =?ISO-8859-1?Q?=C9?= FORTE= %name of the computer%

Body:
   • %stolen information%



The email may look like one of the following:



Stealing
– A logging routine is started after one of the following websites is visited:
   • http://www.bancorural.com.br/
   • unibanco.com.br
   • bradesco.com.br/scripts/
   • https://carrinho.americanas.com.br/portal/acom.portal?_nfpb=true&portlet_payment_actionOverride=#portlets#payment%
   • https://www.submarino.com.br/Payment.asp?AddrId=&Atm=
   • https://www2.rural.com.br/RuralIBank/principal.jsp
   • banknet.brb.com.br/iBanking
   • www.bec.com.br
   • bancoreal.com.br
   • http://www.bancoreal.com.br/
   • http://www.bancoreal.com.br
   • https://wwws.nossacaixa.com.br/bemvindo.asp
   • itau.com.br

– It captures:
   • Login information

– Form windows are displayed as shown in the pictures below:

Miscellaneous
Mutex:
It creates the following Mutex:
   • fataL MuTexXx
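As an added example that is not part of this description (and not Avira's code), the following Python routine matches a host snapshot (Run-key values, existing files, mutex names, existing registry keys) against the file, registry and mutex indicators listed above. The snapshot data is constructed, and the values used for %SYSDIR% and %ALLUSERSPROFILE% are assumed Windows XP defaults.

```python
import ntpath

# Indicators exactly as listed in the description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("AntiVirus", r"%SYSDIR%\AntiVirus.scr")
ACME_KEY = r"HKCU\SOFTWARE\MICROSOFT\MS SETUP (ACME)"   # trailing '\' dropped for comparison
DROPPED_FILES = [r"%SYSDIR%\AntiVirus.scr", r"%SYSDIR%\smsss.exe",
                 r"%ALLUSERSPROFILE%\start menu\programs\startup\AntiVirus.scr"]
MUTEX = "fataL MuTexXx"   # mutex names are case-sensitive, so compared exactly


def expand(path, env):
    """Fill %SYSDIR% / %ALLUSERSPROFILE% and normalise case and slashes (Windows paths)."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normcase(path)


def scan_host(run_values, files, mutexes, keys, env):
    """Match one host snapshot against the indicators; returns a list of hit descriptions.
    run_values: {key_path: {value_name: data}}   files: existing file paths
    mutexes: mutex names from a handle listing    keys: existing registry key paths
    env: {"SYSDIR": ..., "ALLUSERSPROFILE": ...} of the host being checked"""
    hits = []
    run = {k.lower(): v for k, v in run_values.items()}.get(RUN_KEY.lower(), {})
    for vname, vdata in run.items():   # hit on the value name or on the pointed-to file
        if vname.lower() == RUN_VALUE[0].lower() or expand(vdata, env) == expand(RUN_VALUE[1], env):
            hits.append(f"run-key persistence: {vname}={vdata}")
    present = {ntpath.normcase(p) for p in files}
    hits += [f"dropped file: {f}" for f in DROPPED_FILES if expand(f, env) in present]
    if MUTEX in mutexes:
        hits.append(f"mutex: {MUTEX}")
    if ACME_KEY.lower() in {k.lower().rstrip("\\") for k in keys}:
        hits.append(f"registry key: {ACME_KEY}")
    return hits


# Constructed sample snapshot of a Windows XP host (not real telemetry); assumed default paths.
SAMPLE_ENV = {"SYSDIR": r"C:\WINDOWS\system32",
              "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users"}
SAMPLE_RUN = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
              {"AntiVirus": r"C:\WINDOWS\system32\AntiVirus.scr",
               "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}}
SAMPLE_FILES = [r"C:\WINDOWS\System32\smsss.exe", r"C:\WINDOWS\system32\notepad.exe"]
SAMPLE_MUTEXES = ["fataL MuTexXx", "SomeUnrelatedMutex"]
SAMPLE_KEYS = [r"HKCU\Software\Microsoft\MS Setup (ACME)"]

if __name__ == "__main__":
    for hit in scan_host(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_MUTEXES, SAMPLE_KEYS, SAMPLE_ENV):
        print(hit)
```

Registry paths and file paths are compared case-insensitively because Windows treats them that way; the packed sample itself is not inspected, so this only confirms the host artefacts the description lists.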

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Marius T. Nicolae on Friday, September 1, 2006
Description updated by Marius T. Nicolae on Monday, September 18, 2006
