Virus: TR/Spy.Agent.gct
Date discovered: 17/06/2008
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
File size: ~4.143.000 Bytes
IVDF version: 7.00.04.210 - Tuesday, June 17, 2008

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer
   •  Kaspersky: Trojan-Spy.Win32.Banker.oyi
   •  TrendMicro: TROJ_BANKER.NWL
   •  F-Secure: Trojan-Spy.Win32.Banker.oyi
   •  Panda: Trj/Banker.FWD
   •  Grisoft: PSW.Banker4.AHOP
   •  Eset: probably a variant of Win32/Spy.Banker trojan


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information

Files:
It copies itself to the following location:
   • %SYSDIR%\Internet_Explorer.exe



The following file is created:

– C:\001.tmp
   This file contains collected information about the system.

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Internet_Explorer.exe="%SYSDIR%\Internet_Explorer.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\FkuCMxHi]
   • htIRtBqg=%hex values%
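A defender-side check for the two registry artifacts listed above (the Run entry pointing at the dropped Internet_Explorer.exe and the configuration key HKCU\Software\Microsoft\FkuCMxHi), as an added example that is not part of the original description. The `.reg` dump it scans is constructed, and %SYSDIR% is assumed to resolve to C:\WINDOWS\system32.

```python
import re

# Indicators taken from the description: the Run key used for persistence,
# the dropped binary name, and the configuration key the trojan creates.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DROPPED_BINARY = "internet_explorer.exe"
CONFIG_KEY = r"hkey_current_user\software\microsoft\fkucmxhi"

# Constructed sample in `reg export` format (not data from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Internet_Explorer.exe"="C:\\WINDOWS\\system32\\Internet_Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\FkuCMxHi]
"htIRtBqg"=hex:4a,6f,68,6e
"""

def parse_reg_export(text):
    """Parse a .reg dump into {key (lower-cased): {value_name: data}}.
    Registry key names are case-insensitive, so keys are normalised for lookup;
    value names keep their original case. Only quoted-string and hex: data
    are handled, which is all the indicators above need."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # .reg files escape backslashes in string data
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys

def find_indicators(text):
    """Return (key, value_name, reason) tuples for entries matching the indicators."""
    findings = []
    reg = parse_reg_export(text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if data.lower().split("\\")[-1] == DROPPED_BINARY:
            findings.append((RUN_KEY, name, "Run entry launches the dropped Internet_Explorer.exe"))
    for name in reg.get(CONFIG_KEY, {}):
        findings.append((CONFIG_KEY, name, "configuration key reported for this trojan is present"))
    return findings
```

Run it against the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU key) instead of the constructed sample to check a real host.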

Backdoor:
Contact server:
All of the following:
   • http://www.nutricionchaves.com.ar/**********search/~/_.php
   • http://www.radiomarcatenerife.com/**********/Messages/lang/eng/region.php

It may then send the collected information to these servers. This is done via the HTTP POST method to a PHP script.


Sends information about:
    • Computer name
    • IP address
    • MAC address
    • Collected information described in the Stealing section
    • System time
    • Visited URLs

Stealing:
– A logging routine is started after one of the following websites is visited:
   • http://www.bb.com.br
   • http://www.unibanco.com
   • http://www.itau.com.br
   • http://www.bradesco.com.br
   • http://www.santander.com.br

– It captures:
    • Login information

File details:
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Wednesday, August 6, 2008
Description updated by Thomas Wegele on Wednesday, August 6, 2008
