TR/Spy.Banker.adq - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Spy.Banker.adq
Date discovered:	13/09/2005
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	1.106.432 Bytes
MD5 checksum:	8b6754b9f97d0f3c32635da271496e82
VDF version:	6.32.0.13

General Method of propagation:
   • No own spreading routine

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Records keystrokes
   • Registry modification
   • Steals information

Files It copies itself to the following location:
• %WINDIR%\svchosts.exe

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "svchosts"="%WINDIR%\svchosts.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "bnfx"="%WINDIR%\svchosts.exe"

Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

Email design:

From: "KL magnific&bnfx - infected" <logs@terra.com.br>
To: b1c40@isbt.com.br
Subject: %computer name% infected
Body:
   • 11 banks

From: "INFO: %computer name%" <info@terra.com.br>
To: contaslegais@gmail.com
Subject: %bank name%
Body:
   • INFO: %computer name%
     ================================
     =%bank name%=
     %stolen information%

The email may look like one of the following:

Mailing MX Server:
It has the ability to contact the MX server:
• smtp.isbt.com.br

Stealing – A logging routine is started after one of the following websites are visited:
   • www14.bancobrasil.com.br
   • empresarial.unibanco.com.br/index.asp
   • https://ibpf.unibanco.com.br
   • https://www.santandernet.com.br
   • banknet.brb.com.br/brbBanknet
   • wwws.nossacaixa.com.br/bemvindo.asp
   • nel.bnb.gov.br
   • https://netbanking2.banespa.com.br/Inicial.asp

– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • bradesco.com.br/scripts
   • bto/link/msie/btope0hw.asp
   • RuralIBank/principal.jsp
   • bbr
   • bradesco
   • sant
   • uniba
   • caixa
   • real
   • nocaixa
   • ban
   • nordeste
   • rural
   • banri

– It captures:
    • Keystrokes
    • Login information

Miscellaneous Mutex:
It creates the following Mutex:
• STFK MutexXx

File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• PEncrypt 3.1

See a brief description here.

Description inserted by Iulia Diaconescu on Wed, 14 Sep 2005 11:12 (GMT+1)
Description updated by Iulia Diaconescu on Mon, 19 Sep 2005 15:51 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back