English
Deutsch
Français
Español
Italiano
Home
Virus Info
TR/Spy.Agent.gct
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TechBlog
TR/Spy.Agent.gct - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Spy.Agent.gct
Date discovered:
17/06/2008
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
No
File size:
~4.143.000 Bytes
IVDF version:
7.00.04.210
- Tue, 17 Jun 2008 17:15 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: Infostealer
• Kaspersky: Trojan-Spy.Win32.Banker.oyi
• TrendMicro: TROJ_BANKER.NWL
• F-Secure: Trojan-Spy.Win32.Banker.oyi
• Panda: Trj/Banker.FWD
• Grisoft: PSW.Banker4.AHOP
• Eset: probably a variant of Win32/Spy.Banker trojan
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Steals information
Files
It copies itself to the following location:
•
%SYSDIR%
\Internet_Explorer.exe
The following file is created:
– C:\001.tmp This file contains collected information about the system.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Internet_Explorer.exe="
%SYSDIR%
\Internet_Explorer.exe"
The following registry key is added:
– [HKCU\Software\Microsoft\FkuCMxHi]
• htIRtBqg=
%hex values%
Backdoor
Contact server:
All of the following:
• http://www.nutricionchaves.com.ar/**********search/~/_.php
• http://www.radiomarcatenerife.com/**********/Messages/lang/eng/region.php
As a result it may send some information. This is done via the HTTP POST method using a PHP script.
Sends information about:
• Computer name
• IP address
• MAC address
• Collected information described in stealing section
• System time
• visited URLs
Stealing
– A logging routine is started after one of the following websites are visited:
• http://www.bb.com.br
• http://www.unibanco.com
• http://www.itau.com.br
• http://www.bradesco.com.br
• http://www.santander.com.br
– It captures:
• Login information
File details
Programming language:
The malware program was written in Delphi.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Thomas Wegele on Wed, 06 Aug 2008 09:43 (GMT+1)
Description updated by Thomas Wegele on Wed, 06 Aug 2008 12:11 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.XPACK.Gen
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
ADSPY/AdSpy.Gen
HTML/Crypted.Gen
W32/Induc.Gen
TR/ATRAPS.Gen2
TR/Click.Yabector.8857.2
TR/PSW.Magania.auv
TR/Dldr.Bredolab.AX
Get comfortable up to the minute info from Avira as
Detects and removes distinct malware and its variants.
Download here
Click
here
to get the panel...
© 2009 Avira GmbH
Copyright
|
Privacy
|
Sitemap
|
Feedback
|
Imprint
|
FAQ
|
Contact
Virus Info TR/Spy.Agent.gct
Print this page
.gif)
