English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Banker.Delf.DF735649
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Banker.Delf.DF735649 - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Banker.Delf.DF735649
Date discovered:
14/03/2006
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
Yes
File size:
497.263 Bytes
MD5 checksum:
ba970E1969262fe24e8f580B25d10Bc1
VDF version:
6.34.00.44
- Tue, 14 Mar 2006 09:43 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Mcafee: PWS-Banker.gen.bb
• TrendMicro: TSPY_BANKER.CGU
• Bitdefender: Trojan.Banker.Delf.DF735649
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Uses its own Email engine
• Registry modification
• Steals information
Right after execution the following information is displayed:
The picture has been edited for display purpose.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Windows"="
%WINDIR%
\smss.exe"
The following registry key including all values and subkeys is removed:
• [HKCR\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Code Store Database]
Email
It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:
From:
The sender of the email is the following:
• "
%computer name%
"
To:
The recipient of the email is the following:
• peixim2007@gmail.com
Subject:
The following:
• Aviso-Infect -
%computer name%
Body:
The body of the email is the following:
•
%computer name%
Dispositivo instalado.
Maquina pronta para uso.
Data:
%current date%
Hora:
%current hour%
Development by CROW MASTER.
The email looks like the following:
Mailing
MX Server:
It has the ability to contact one of the following MX servers:
• smtp.isbt.com.br
• smtp.terra.com.br
• smtp.poa.terra.com.br
Stealing
It tries to steal the following information:
– A logging routine is started after one of the following websites are visited:
• https://itaubankline.itau.com.br
• https://bankline.itau.com.br
• https://netbanking2.banespa.com.br
• https://internetcaixa.caixa.gov.br
• http://www.bb.com.br
• http://www.itau.com.br
• http://www.santander.com.br
• http://www.banespa.com.br
• http://www.sudameris.com.br
• http://www.bradesco.com.br
– It captures:
• Window information
• Login information
–Form windows are displayed as shown in the pictures below:
File details
Programming language:
The malware program was written in Delphi.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Daniel Constantin on Fri, 17 Mar 2006 10:26 (GMT+1)
Description updated by Daniel Constantin on Fri, 17 Mar 2006 10:47 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
Worm/Kidala.G
Worm/Mytob.AD
Worm/Mytob.BF
Worm/Mytob.AT
BDS/Frauder.bu
DR/Autoit.I.1
TR/Spy.ZBot.DFR
TR/VB.aei
EXP/Java.Gimsh.A.40
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Banker.Delf.DF735649
Print this page
.gif)
