TR/Spy.Banker.qo.8 - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Spy.Banker.qo.8
Date discovered:	09/06/2005
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	697.344 Bytes
MD5 checksum:	34f609ff9da428545d1049416cd7b6ed
VDF version:	6.31.0.24

Files It tries to download a file:

– The location is the following:
• http://**********.vilabol.uol.com.br/keylogf.jpg
It is saved on the local hard drive under: %SYSDIR%\keylogf.dll

Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "dark"="%SYSDIR%\imgst.scr"

Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

To:
The recipient of the email is the following:
• carajaspo**********com.br

Mailing MX Server:
It does not use the standard MX server.
It has the ability to contact the MX server:
• smtp.mail.yahoo.fr

Stealing – A logging routine is started after one of the following websites are visited:
   • http:/ /www.banco**********.gov.br; http:/
      /www.banco**********.com.br/; https:/
      /bank**********.com.br/GRIPNET/gracgi.exe; https:/
      /bank**********.com.br/GRIPNET/montaMenu.exe; https:/
      /**********.unibanco.com.br/index.asp; https:/
      /**********.caixa.gov.br/NASApp/SIIBC/index_verif.processa;
      https:/
      /**********.caixa.gov.br/NASApp/SIIBC/login_ok.processa;
      https:/ /**********.itau.com.br/GRIPNET/montaMenu.exe;
      https:/ /**********.bnb.gov.br/aco_ini.htm; https:/
      /**********.bnb.gov.br/aco_ini.htm; https:/
      /**********.bancobrasil.com.br/aapf/aai/login.pbk; https:/
      /**********.bancobrasil.com.br/aapf/aai/principal; https:/
      /wwws.**********.com.br/dgb/defaultsenha.asp; https:/
      /wwwss.**********.com.br;
      www.banco**********.com.br;
      www.banco**********.com.br;
      www.banco**********.com.br; www.ban**********.com.br;
      www.bank**********.com.br; www.**********.br;
      www.**********.br; www.**********.br;
      www.**********.br; www.**********.br;
      www.**********.com.br; www.**********.com.br;
      www.**********.com.br; C:\BancoBrasil\officeIE\index.html;
      C:\BancoBrasil\officePLUGIN\index.html

– It captures:
    • Keystrokes
    • Window information
    • Browser window
    • Login information

See a brief description here.

Description inserted by Razvan Olteanu on Wed, 31 Aug 2005 14:15 (GMT+1)
Description updated by Razvan Olteanu on Fri, 02 Sep 2005 09:24 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back