Virus: TR/Spy.Banker.bpj
Date discovered: 19/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 285.184 Bytes
MD5 checksum: c3d013ce5cef94c914fa570C945a231f
VDF version: 6.35.00.184
IVDF version: 6.35.00.224

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Banker.bpj
   •  TrendMicro: TSPY_BANKER.BVM
   •  Sophos: Troj/Banker-LCR
   •  Bitdefender: Trojan.Spy.Banker.WVA


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification
   • Steals information
   • Third party control


Right after execution the following information is displayed:

Right after execution it runs a Windows application which will display the following window:


Files
It copies itself to the following location:
   • %SYSDIR%\winsp II\Services.exe



It creates the following directory:
   • %SYSDIR%\winsp II



The following file is created:
   • %SYSDIR%\servicesxpnt.dll
     This file contains collected keystrokes.



It tries to execute the following file:

– Filename:
   • %randomly chosen directory%\IExplore.exe
using the following command line arguments: www_getwindowinfo

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Services"="%SYSDIR%\winsp II\Services.exe"



The following registry key is added:

– HKCU\Services

Email
It doesn't have its own spreading routine, but it has the ability to send an email. The receiver is most likely the author. The characteristics are described below:


From:
The sender address is spoofed.
The sender of the email is the following:
   • "%computer name%" <cristinacastro007@gmail.com>


To:
The recipient of the email is the following:
   • cristinacastro007@gmail.com


Subject:
The following:
   • confirmando =?ISO-8859-1?Q?atualiza=E7=E3o?= sp2%computer name%



Body:
The body of the email is the following:

   • %stolen information%



The email looks like the following:


Mailing
MX Server:
It has the ability to contact the MX server:
   • gsmtp185.google.com

Backdoor
Contact server:
The following:
   • http://zptq.no.sapo.pt/**********

As a result, remote control capability is provided. This is done via an HTTP GET request to a CGI script.
The server's answer is written to the file: %SYSDIR%\itlzxp.dll


Remote control capabilities:
    • Download file
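The dropped files, the persistence entry and the backdoor output file listed in the Files, Registry and Backdoor sections above can be checked for on a host with the following read-only PowerShell sweep. This is an added example, not part of the Avira description; it assumes %SYSDIR% is the System32 folder and compares the MD5 of the dropped copy against the checksum given at the top of the description.

```powershell
# Added example, not from the original description: read-only sweep of a
# Windows host for the artifacts TR/Spy.Banker.bpj leaves behind. It only reports.
$sysDir   = [Environment]::GetFolderPath('System')          # assumed to be %SYSDIR%
$knownMd5 = 'c3d013ce5cef94c914fa570C945a231f'               # MD5 from the description
$artifacts = @(
    (Join-Path $sysDir 'winsp II\Services.exe'),             # dropped copy of the trojan
    (Join-Path $sysDir 'servicesxpnt.dll'),                  # collected keystrokes
    (Join-Path $sysDir 'itlzxp.dll')                         # answer from the backdoor server
)
$findings = @()
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += "file present: $path"
        if ($path -like '*Services.exe') {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            if ($md5 -ieq $knownMd5) { $findings += "  MD5 matches the known sample: $md5" }
            else { $findings += "  MD5 differs from the known sample (variant or unrelated file): $md5" }
        }
    }
}
# Persistence: Run value "Services" pointing into %SYSDIR%\winsp II
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name 'Services' -ErrorAction SilentlyContinue).Services
if ($runVal -and $runVal -like '*winsp II\Services.exe*') {
    $findings += "Run value 'Services' = $runVal"
}
# Marker key created directly under HKCU
if (Test-Path -LiteralPath 'HKCU:\Services') { $findings += 'registry key HKCU\Services present' }
if ($findings.Count -eq 0) { 'No TR/Spy.Banker.bpj artifacts found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM Run key and System32 are readable; a hash mismatch on a present Services.exe still deserves a look, since packed variants of the same family will not share the MD5.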

Stealing
It tries to steal the following information:

– A logging routine is started after one of the following websites is visited:
   • http://citibank.com
   • http://www.uol.com.br

– It captures:
    • Window information
    • Browser window

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Marius T. Nicolae on Monday, September 11, 2006
Description updated by Marius T. Nicolae on Monday, September 11, 2006
