Virus:TR/Spy.Banker.ccj
Date discovered:05/10/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:970,752 bytes
MD5 checksum:7e3a0361cdfe790d15ee8a25c16a0c28
VDF version:6.36.00.79
IVDF version:6.36.00.95 - Thursday, October 12, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Banker.ccj
   •  F-Secure: Trojan-Spy.Win32.Banker.ccj
   •  Sophos: Troj/Bancban-PK
   •  Grisoft: PSW.Banker2.QKO
   •  Eset: Win32/Spy.Banker.AWA
   •  Bitdefender: Trojan.Banker.Delf.DG


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Uses its own Email engine
   • Registry modification
   • Steals information

Files
The following files are created:

– Non malicious file:
   • %SYSDIR%\epson.txt

– A file for temporary use, which may be deleted afterwards (it is the attachment of the email described below):
   • %SYSDIR%\fotos\foto%number%.jpg




It tries to execute the following files:

– Filename:
   • %SYSDIR%\netsh.exe
using the following command line arguments: firewall add allowedprogram %SYSDIR%\epson.scr Ftp..


– Filename:
   • %SYSDIR%\netsh.exe
using the following command line arguments: firewall add allowedprogram %SYSDIR%\epson.scr smtp..

Both calls add a Windows Firewall exception for the trojan's own binary, %SYSDIR%\epson.scr (the final argument is only the display name of the exception), so that its outbound FTP and SMTP traffic is not blocked by the firewall.

Registry
The following registry value is added so that the trojan is started again at the next user logon, and thus after a reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Epson"="%SYSDIR%\epson.scr"
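
A host-triage script for the artifacts listed in the Files, executed-files and Registry sections above, as an added example that is not part of the original Avira description. It checks an exported .reg file of the HKCU Run key, the text output of `netsh firewall show allowedprogram`, and a file inventory with MD5 sums against the indicators on this page. The three sample inputs are constructed for the demonstration; the netsh output layout is an approximation of the Windows XP SP2 format, and %SYSDIR% is assumed to be C:\WINDOWS\system32.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Epson"
DROPPED_BINARY = r"%SYSDIR%\epson.scr"
SAMPLE_MD5 = "7e3a0361cdfe790d15ee8a25c16a0c28"
SAMPLE_SIZE = 970752
ARTIFACT_PREFIXES = (r"%SYSDIR%\epson.txt", r"%SYSDIR%\fotos\foto")

# Assumption: a default Windows XP layout, where %SYSDIR% is C:\WINDOWS\system32.
SYSDIR = r"C:\WINDOWS\system32"


def normalize(path):
    """Map a concrete system32 path back to the %SYSDIR% form used above."""
    path = path.strip().strip('"')
    if path.lower().startswith(SYSDIR.lower()):
        return "%SYSDIR%" + path[len(SYSDIR):]
    return path


def parse_reg_export(text):
    """Parse a .reg export into {key: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double every backslash in string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def parse_netsh_allowedprograms(text):
    """Parse `netsh firewall show allowedprogram` output into (mode, name, program)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(Enable|Disable)\s+(.+?)\s+/\s+(.+?)\s*$", line)
        if m:
            rules.append(m.groups())
    return rules


def triage(reg_text, netsh_text, inventory):
    """Return a list of indicator matches; inventory is [(path, size, md5hex)]."""
    findings = []
    run = parse_reg_export(reg_text).get(RUN_KEY, {})
    if normalize(run.get(RUN_VALUE, "")).lower() == DROPPED_BINARY.lower():
        findings.append("run-key persistence: %s = %s" % (RUN_VALUE, run[RUN_VALUE]))
    for mode, name, program in parse_netsh_allowedprograms(netsh_text):
        if normalize(program).lower() == DROPPED_BINARY.lower():
            findings.append("firewall exception (%s, %s): %s" % (name, mode, program))
    for path, size, md5 in inventory:
        norm = normalize(path).lower()
        if md5.lower() == SAMPLE_MD5:
            findings.append("known sample md5 at %s (%d bytes)" % (path, size))
        elif norm == DROPPED_BINARY.lower():
            findings.append("%s present but md5 differs from the catalogued sample" % path)
        if norm.startswith(tuple(p.lower() for p in ARTIFACT_PREFIXES)):
            findings.append("side-effect file: %s" % path)
    return findings


# Constructed sample inputs (not captured from a real host).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Epson"="C:\\WINDOWS\\system32\\epson.scr"
"""

NETSH_SAMPLE = r"""Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   Ftp / C:\WINDOWS\system32\epson.scr
Enable   smtp / C:\WINDOWS\system32\epson.scr
"""

INVENTORY = [  # (path, size, md5); the md5 of epson.scr is the one catalogued above
    (r"C:\WINDOWS\system32\epson.scr", 970752, "7e3a0361cdfe790d15ee8a25c16a0c28"),
    (r"C:\WINDOWS\system32\epson.txt", 23, "0" * 32),
    (r"C:\WINDOWS\system32\fotos\foto1.jpg", 40960, "0" * 32),
    (r"C:\WINDOWS\system32\ctfmon.exe", 15360, "0" * 32),
]

if __name__ == "__main__":
    for finding in triage(REG_SAMPLE, NETSH_SAMPLE, INVENTORY):
        print(finding)
```

On a live host the three inputs come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, `netsh firewall show allowedprogram` and an MD5 listing of %SYSDIR%; the script only matches the literal indicators above, so a repacked variant with a different hash is reported by path rather than by hash.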

Email
It has no spreading routine of its own, but it can send email. The recipient is most likely the author. The characteristics are described below:


From:
The sender of the email is one of the following:
   • bemvindo2006@mail.ru
   • bemvindo2005@mail.ru
   • bemvindo2007@mail.ru


To:
The recipients of the email are the following:
   • bemvindo2007@gmail.com
   • bemvindo20066@gmail.com
   • vidanova424@gmail.com


Email design:
Subject: MAIS UM NO AGUARDO%computer name%
Subject: Sangue Bom - %computer name%
Body:
   • %computer name%
     %stolen information%
Attachment:
   • foto%number%.jpg



Mailing MX server:
It can contact the following SMTP server to deliver the email:
   • smtp.mail.ru

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'

– A logging routine is started after one of the following websites is visited:
   • http://www.orkut.com
   • http://www.bb.com.br
   • http://www.bradesco.com.br
   • http://www.equifax.com.br
   • http://www.santander.com.br
   • http://santander.com.br/portal/bsb/script/templates/GCMRequest.do?page=1010
   • http://www.banespa.com.br
   • http://www.itau.com.br
   • https://bankline.itau.com.br/GRIPNET/gracgi.EXE
   • https://www2.bancobrasil.com.br/aapf/aai/principal
   • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/login_autentica.processa
   • https://bradesconetempresa.com.br
   • https://www2.bancobrasil.com.br/aapf/aai/login.pbk?textoConteudo=3

– It captures:
    • Login information
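
A detection helper for the exfiltration channel and the trigger-site list described in the Email and Stealing sections above, as an added example that is not part of the original description. It scores a message (as a mail gateway or relay would log it) against the sender and recipient addresses, the two subject templates, the attachment name and the SMTP host listed on this page, and it matches proxy-log URLs against the sites whose visit starts the logging routine. Those sites are the victims' banks, not malicious hosts, so a match there only tells you which users were exposed after an infection. The message and the URLs are constructed sample data; matching hosts exactly, with the page's list taken literally, is an assumption about how the trojan compares URLs.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Indicators taken from the description above.
SENDERS = {"bemvindo2006@mail.ru", "bemvindo2005@mail.ru", "bemvindo2007@mail.ru"}
RECIPIENTS = {"bemvindo2007@gmail.com", "bemvindo20066@gmail.com", "vidanova424@gmail.com"}
MX_HOST = "smtp.mail.ru"
SUBJECT_RES = (re.compile(r"^MAIS UM NO AGUARDO(.*)$"), re.compile(r"^Sangue Bom - (.*)$"))
ATTACHMENT_RE = re.compile(r"^foto\d+\.jpg$", re.IGNORECASE)
TRIGGER_URLS = [
    "http://www.orkut.com",
    "http://www.bb.com.br",
    "http://www.bradesco.com.br",
    "http://www.equifax.com.br",
    "http://www.santander.com.br",
    "http://santander.com.br/portal/bsb/script/templates/GCMRequest.do?page=1010",
    "http://www.banespa.com.br",
    "http://www.itau.com.br",
    "https://bankline.itau.com.br/GRIPNET/gracgi.EXE",
    "https://www2.bancobrasil.com.br/aapf/aai/principal",
    "https://internetcaixa.caixa.gov.br/NASApp/SIIBC/login_autentica.processa",
    "https://bradesconetempresa.com.br",
    "https://www2.bancobrasil.com.br/aapf/aai/login.pbk?textoConteudo=3",
]
# Assumption: the trojan compares host names literally, so only exact hosts match.
TRIGGER_HOSTS = {urlsplit(u).hostname.lower() for u in TRIGGER_URLS}


def check_message(raw, relay_host=None):
    """Score one RFC 822 message against the exfiltration profile above.

    relay_host is the SMTP server the client connected to, as a relay log or
    packet capture would show it; pass None when it is unknown.
    """
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").strip().lower()
    rcpts = {a.strip().lower() for a in (msg.get("To") or "").split(",")}
    subject = msg.get("Subject") or ""
    computer = None  # the %computer name% the trojan embeds in the subject
    for pat in SUBJECT_RES:
        m = pat.match(subject)
        if m:
            computer = m.group(1).strip()
            break
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = {
        "sender": sender in SENDERS,
        "recipient": bool(rcpts & RECIPIENTS),
        "subject": computer is not None,
        "attachment": any(ATTACHMENT_RE.match(a) for a in attachments),
        "relay": relay_host is not None and relay_host.lower() == MX_HOST,
        "computer_name": computer,
    }
    # Addresses and subject template together identify this family's traffic.
    hits["match"] = hits["sender"] and hits["recipient"] and hits["subject"]
    return hits


def visited_trigger_sites(urls):
    """Return the proxy-log URLs whose host is on the trigger list above."""
    return [u for u in urls if (urlsplit(u).hostname or "").lower() in TRIGGER_HOSTS]


# Constructed sample message; the body stands in for the stolen data.
SAMPLE_MESSAGE = """From: bemvindo2006@mail.ru
To: vidanova424@gmail.com
Subject: Sangue Bom - LAB-PC01
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

LAB-PC01
(constructed stand-in for the captured login data)
--b1
Content-Type: image/jpeg; name="foto3.jpg"
Content-Disposition: attachment; filename="foto3.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQ
--b1--
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE, relay_host="smtp.mail.ru"))
    print(visited_trigger_sites(["https://bankline.itau.com.br/GRIPNET/gracgi.EXE",
                                 "http://www.example.com/"]))
```

The computer name recovered from the subject is worth keeping: it names the infected host, which is the starting point for the host triage.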

– It displays form windows to the user (the screenshots from the original description are not reproduced here).

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Adriana Popa on Thursday, December 7, 2006
Description updated by Adriana Popa on Friday, December 8, 2006
