
Trojan.Banker.Delf.ZRD

LOW
LOW
1870kB (1915392 bytes)

Symptoms

A fake banking application for Bradesco with a browser-like interface; its graphical elements, such as buttons and links, offer no functionality.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Vlad Craciun, virus researcher

Technical Description:

The application tricks users into believing it is a legitimate application that lets them log in to their Bradesco banking account. After the first authentication attempt, if the application accepts the user's input, it displays a message informing the user that the banking account will expire within 5 days and that renewing the account information is highly recommended.

The application also refuses to close through normal means, insisting on the account renewal.

If the next 3 steps also succeed, the application tries to connect to http://web67.f1.k8.com.br (187.16.23.161), sending 3 packets of 252 bytes, 2127 bytes and 186 bytes over socket connections from local port 1085. It also uses proxy forwarding through a whole chain of logins (usernames and passwords) to make tracking difficult.

domain:      k8.com.br
owner:       Digirati Informática, serviços e telecomunicações (332944)

In the last two packets described above, the application base64-encodes sets of data collected from the user's PC and POSTs them to http://www.repuxo.com/gol/index.php
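The indicators above can be matched against web-proxy logs. The following is an added example, not part of Bitdefender's analysis, that scans constructed sample lines in a simplified "METHOD URL BYTES BODY" log format for the C2 host and exfiltration URL named in the description and decodes any base64 request body for analyst review.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Network indicators quoted in the description above.
C2_HOSTS = {"web67.f1.k8.com.br", "187.16.23.161"}
EXFIL_URL = "http://www.repuxo.com/gol/index.php"

# Constructed sample lines in a simplified "METHOD URL BYTES BODY" proxy-log format
# (not real traffic); the POST body mimics the base64-encoded data the trojan sends.
SAMPLE_LOG = [
    "GET http://www.example.com/index.html 0 -",
    "POST http://www.repuxo.com/gol/index.php 2127 "
    + base64.b64encode(b"user=demo;machine=WORKSTATION-01").decode(),
    "CONNECT 187.16.23.161:80 252 -",
    "GET http://web67.f1.k8.com.br/ 186 -",
]

def decode_base64_body(body):
    """Return the decoded body as text if it is valid base64, else None."""
    if body == "-" or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return None
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def host_of(url):
    """Extract the host from a full URL or a bare host:port (CONNECT) target."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""

def scan(lines):
    """Flag log lines that touch the trojan's C2 host or its exfiltration URL."""
    alerts = []
    for line in lines:
        method, url, size, body = line.split(" ", 3)
        host = host_of(url)
        if host in C2_HOSTS or url == EXFIL_URL:
            alerts.append({
                "method": method,
                "host": host,
                "bytes": int(size),
                "decoded": decode_base64_body(body),
            })
    return alerts
```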