Virus: TR/Spy.Banker.bpk
Date discovered: 19/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 825.912 Bytes
MD5 checksum: b6d73ad77f9c87df6853e121cfd4c98c
VDF version: 6.35.00.184
IVDF version: 6.35.00.224

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer.Bancos!gen
   •  Mcafee: PWS-Banker.gen.g
   •  Kaspersky: Trojan-Spy.Win32.Banker.ark
   •  TrendMicro: TSPY_BANKER.AFK
   •  Sophos: Troj/Bnkmr-Fam
   •  Bitdefender: Trojan.Spy.Banker.WVC


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information

Files:
It copies itself to the following location:
   • %ALLUSERSPROFILE%\start menu\programs\startup\amsn.exe

Registry:
One of the following values is added in order to run the process after reboot:

–  [HKCR\Software\Microsoft\Windows\CurrentVersion\Run]
   • "amsn"="%WINDIR%\Config\amsn.exe"

Email:
It has no spreading routine of its own, but it is able to send an email. The recipient is most likely the author. The characteristics are described below:


From:
The sender address is spoofed.
The sender of the email is one of the following:
   • INFECTADO
   • CAIXAECONOMICA
   • BANCODOBRASIL
   • UNIBANCO
   • BANESPA


To:
The recipient of the email is the following:
   • gsmtp.smtp@gmail.com


Subject:
One of the following:
   • %computer name%
   • CHEGOU C/C BUFUNFA %computer name%



Body:
The body sometimes starts with one of the following:

   • [Infectado OnLine]..:
     Maquina.............: %computer name%
     IP..................: %current ip address%
     Data................: %current date%
     Hora................: %current hour%
     Versão do Windows...: %Windows version%
     |'=========SOURCE BY ROJAO===========

   • Demonio FEDERAL
     !
     [Caixa Tip].............:
     [Caixa Agê].............:
     [Caixa Con].............:
     [Caixa SeNet]...........:
     [Caixa AssElet].........:
     !
     !==========SOURCE BY ROJAO=============

   • Unibanco nem parece Banco :D
     [Con-Dig]......:
     [SeCont].......:
     [AssElet]......:
     [NascimE]......:
     !=========SOURCE BY ROJAO==========

   • BANESPA
     [Cont]:.........:
     [Nome Acesso]:..:
     [Sen]:..........:
     [Ass E]:........:
     ==============SOURCE BY ROJAO============



The email may look like one of the following:



Mailing:
MX Server:
It has the ability to contact the MX server:
   • gsmtp185.google.com

Stealing:
It tries to steal the following information:

– A logging routine is started after one of the following websites is visited:
   • http://www.caixa.gov.br/_redirect/links/r_internetcaixa.asp
   • http://www.bancodobrasil.com.br/appbb/portal/index.jsp
   • http://www.santanderbanespa.com.br/portal/gsb/script/templates/GCMRequest.do?page=50

– It captures:
    • Login information

Miscellaneous:
Mutex:
It creates the following Mutex:
   • fataL MuTexXx

Description inserted by Gabriel Mustata on Tuesday, October 3, 2006
Description updated by Andrei Ivanes on Tuesday, October 24, 2006
