TR/Spy.Banker.bpj - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Spy.Banker.bpj
Date discovered:	19/07/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	285.184 Bytes
MD5 checksum:	c3d013ce5cef94c914fa570C945a231f
VDF version:	6.35.00.184 - Wed, 19 Jul 2006 09:40 (GMT+1)
IVDF version:	6.35.00.224

General Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Trojan-Spy.Win32.Banker.bpj
   • TrendMicro: TSPY_BANKER.BVM
   • Sophos: Troj/Banker-LCR
   • Bitdefender: Trojan.Spy.Banker.WVA

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops files
   • Registry modification
   • Steals information
   • Third party control

Right after execution the following information is displayed:

Right after execution it runs a windows application which will display the following window:

Files It copies itself to the following location:
   • %SYSDIR%\winsp II\Services.exe

It creates the following directory:
   • %SYSDIR%\winsp II

The following file is created:

– %SYSDIR%\servicesxpnt.dll This file contains collected keystrokes.

It tries to executes the following file:

– Filename:
   • %randomly chosen directory%\IExplore.exe
using the following command line arguments: www_getwindowinfo

Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Services"="%SYSDIR%\winsp II\Services.exe"

The following registry key is added:

– HKCU\Services

Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

From:
The sender address is spoofed.
The sender of the email is the following:
   • "%computer name%" <cristinacastro007@gmail.com>

To:
The recipient of the email is the following:
   • cristinacastro007@gmail.com

Subject:
The following:
   • confirmando =?ISO-8859-1?Q?atualiza=E7=E3o?= sp2%computer name%

Body:
The body of the email is the following:

   • %stolen information%

The email looks like the following:

Mailing MX Server:
It has the ability to contact the MX server:
• gsmtp185.google.com

Backdoor Contact server:
The following:
• http://zptq.no.sapo.pt/**********

As a result remote control capability is provided. This is done via the HTTP GET request on a CGI script.
The servers answer is written to the file: %SYSDIR%\itlzxp.dll

Remote control capabilities:
• Download file

Stealing It tries to steal the following information:

– A logging routine is started after one of the following websites are visited:
   • http://citibank.com
   • http://www.uol.com.br

– It captures:
    • Window information
    • Browser window

File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

See a brief description here.

Description inserted by Marius T. Nicolae on Mon, 11 Sep 2006 15:38 (GMT+1)
Description updated by Marius T. Nicolae on Mon, 11 Sep 2006 15:57 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back