Virus: TR/Spy.Banke.any.97
Date discovered: 25/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 298.724 Bytes
MD5 checksum: 630E56d0cfff769f886dac4d8da4c10E
VDF version: 6.35.01.00 - Tuesday, July 25, 2006
IVDF version: 6.35.01.00 - Tuesday, July 25, 2006

General Method of propagation:
   • No own spreading routine


Alias:
   •  Bitdefender: Trojan.Spy.Delf.KG


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information

Registry:
The following registry value is added (an autostart entry, so the file runs at every logon):
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Msn Messenger"="%SYSDIR%\msnmgr.scr"



The following registry key is added:

– HKCU\Msn Messenger

Email:
It doesn't have its own spreading routine but it has the ability to send an email. The most likely recipient is the author. The characteristics are described below:


From:
The sender of the email is the following:
   • "Senhas - %computer name%" <chegoubom@terra.com.mx>


To:
– The following email address:
   • teste005@gmail.com


Subject:
The following:
   • Msn Atualizado 12/07/06



Body:

   • Usuario Msn: %stolen information%
     Pass : %stolen information%
     .



The email looks like the following: (screenshot not included in this copy of the description)


Mailing MX Server:
It has the ability to contact the MX server:
   • smtp.terra.com.mx

Network Infection:
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS04-007 (ASN.1 Vulnerability)

Stealing:
It tries to steal the following information:

– The password from the following program:
   • MSN Messenger

– A form window is displayed as shown in the picture below: (screenshot not included in this copy of the description)


File details:
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
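As an added example (not part of the Avira description), the indicators listed above turned into checks that a defender can run over host and mail-gateway data: the Run value and the marker key from the Registry section, and outbound mail matching the server, recipient and subject from the Email section. The registry rows, key list and the log-line format are constructed for this example and are assumptions, not real telemetry.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Msn Messenger"
MAIL_SERVER, MAIL_TO, SUBJECT = "smtp.terra.com.mx", "teste005@gmail.com", "Msn Atualizado"

# Constructed sample input: registry rows (key, value name, data), key paths and
# mail-gateway log lines in an invented format. None of it is real telemetry.
REG_VALUES = [
    (RUN_KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEY, "Msn Messenger", r"C:\WINDOWS\system32\msnmgr.scr"),
]
REG_KEYS = [r"HKCU\Software\Microsoft\Windows", r"HKCU\Msn Messenger"]
MAIL_LOG = [
    'relay server=smtp.terra.com.mx to=friend@example.com subject="hola"',
    'relay server=smtp.terra.com.mx to=teste005@gmail.com subject="Msn Atualizado 12/07/06"',
]
LOG_RE = re.compile(r'server=(?P<server>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)"')

def check_autorun(values):
    """Flag the Run value the trojan installs: name 'Msn Messenger' pointing at msnmgr.scr."""
    return [f"autorun: {k}\\{n} -> {d}" for k, n, d in values
            if k.lower() == RUN_KEY.lower() and n.lower() == "msn messenger"
            and d.lower().endswith("msnmgr.scr")]

def check_marker_key(keys):
    """Flag the HKCU key the trojan creates; it has no legitimate purpose."""
    return [f"marker key: {k}" for k in keys if k.lower() == MARKER_KEY.lower()]

def check_mail_log(lines):
    """Flag mail matching at least two of server, recipient, subject; the server
    alone is a legitimate ISP relay and would produce false positives."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        hits = ((m["server"].lower() == MAIL_SERVER) + (m["to"].lower() == MAIL_TO)
                + m["subject"].startswith(SUBJECT))
        if hits >= 2:
            found.append(f"mail: {line}")
    return found

def scan():
    """Run all checks over the constructed sample input and return the findings."""
    return check_autorun(REG_VALUES) + check_marker_key(REG_KEYS) + check_mail_log(MAIL_LOG)
```

Calling `scan()` on the sample data returns three findings: the autorun value, the marker key and the one mail line that matches all three mail indicators.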

Description inserted by Marius T. Nicolae on Wednesday, September 20, 2006
Description updated by Marius T. Nicolae on Wednesday, September 20, 2006
