
Trojan.Spy.Banker.ABGS

LOW
HIGH
2.6 MB
( Trojan.Win32.Scar.xqq Suspect-1D!A0565B91EDEA a variant of Win32/Packed.Themida Generic_c.ACQQ Win32:Rootkit-gen)

Symptoms

The following files will be found on an infected computer:
%SYSTEM%\megatron.ini
%SYSTEM%\imglog.exe
%WINDIR%\ponto.dll

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Robert Szasz, virus researcher

Technical Description:

This malware uses an Internet Explorer icon.

When run, this malware checks whether SoftICE is installed on the system. If it is, the computer will not be infected; otherwise it infects the system in the following way:

It creates the file %SYSTEM%\megatron.ini, then copies itself to %SYSTEM%\imglog.exe. It sends an e-mail through smtp.tutopia.com.br to notify its creators that a system has been infected.

It searches the computer for various files (including other malware) and renames them (SSH2.dll, gbieh.gmd, gbiehcef.dll, ...). It then creates %WINDIR%\ponto.dll, a text file listing the names of the files to be renamed.

It adds the %SYSTEM%\imglog.exe copy to startup by creating the following registry entry:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • SymantecFilterCheck -> C:\WINDOWS\system32\imglog.exe

After this it creates the following registry entry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    • Embedded Web Browser from: http://bsalsa.com/

While running, the virus repeatedly checks via DDE (Dynamic Data Exchange) whether an Internet Explorer instance is running (CreateProcessInternal, GetWindowInfo). If one is found, the virus checks for banking URLs and displays a fake web browser window that tries to persuade the user to enter login data. The fake window is built on bsalsa's embedded web browser component.

The malware is written in Delphi and is packed with ASPack and the Themida protector.

The fake web browser interface is in Brazilian Portuguese, and the malware steals login information for the Brazilian bank Banco Real (http://www.bancoreal.com.br).
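The artifacts listed above can be turned into a host triage check. The following script is an added example, not Bitdefender's code: it matches a collected file list and registry values against the write-up's indicators and, when run on Windows, gathers them itself through the standard-library winreg module. The %SYSTEM% = <WINDIR>\system32 expansion and the numeric HKLM/HKCU handles are assumptions, and the bsalsa Post Platform value is treated only as supporting evidence because any program that embeds that component writes it.

```python
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Indicators from the write-up above; %SYSTEM% and %WINDIR% are the page's own placeholders.
FILE_INDICATORS = [r"%SYSTEM%\megatron.ini", r"%SYSTEM%\imglog.exe", r"%WINDIR%\ponto.dll"]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SymantecFilterCheck"
POST_PLATFORM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform"
POST_PLATFORM_VALUE = "Embedded Web Browser from: http://bsalsa.com/"
HKLM, HKCU = 0x80000002, 0x80000001  # predefined root-key handles, same values as winreg.HKEY_*

def expand(path: str, windir: str) -> str:
    """Expand the page's placeholders; %SYSTEM% is assumed to be <windir>\\system32."""
    return path.replace("%SYSTEM%", windir + r"\system32").replace("%WINDIR%", windir)

def triage(present_files: Iterable[str], run_entries: Dict[str, str],
           post_platform_values: Iterable[str], windir: str = r"C:\WINDOWS") -> Tuple[str, List[str]]:
    """Match disk paths, HKLM Run (name -> data) and HKCU Post Platform value names; return (verdict, hits)."""
    present = {p.lower() for p in present_files}
    hits = ["file: " + ind for ind in FILE_INDICATORS if expand(ind, windir).lower() in present]
    for name, data in run_entries.items():
        # Strong signal: the named Run value pointing at the dropped copy of the malware.
        if name.lower() == RUN_VALUE_NAME.lower() and data.lower().strip('"').endswith(r"\imglog.exe"):
            hits.append(f"persistence: {name} -> {data}")
    strong = bool(hits)
    # Any program built with bsalsa's EmbeddedWB component writes this tag, so it is
    # only supporting evidence and never decides the verdict by itself.
    if POST_PLATFORM_VALUE in {v.strip() for v in post_platform_values}:
        hits.append("supporting: bsalsa Post Platform tag")
    return ("infected" if strong else "suspicious" if hits else "clean"), hits

def registry_values(root: int, key: str) -> Dict[str, str]:
    """String values of one registry key (Windows only); empty dict when the key is missing."""
    import winreg  # standard library, Windows only
    out: Dict[str, str] = {}
    try:
        with winreg.OpenKey(root, key) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):  # [1] is the number of values
                name, data, _ = winreg.EnumValue(k, i)
                out[name] = data if isinstance(data, str) else ""
    except OSError:
        pass
    return out

if __name__ == "__main__" and sys.platform == "win32":
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    files = [expand(i, windir) for i in FILE_INDICATORS if os.path.exists(expand(i, windir))]
    print(triage(files, registry_values(HKLM, RUN_KEY), registry_values(HKCU, POST_PLATFORM_KEY), windir))
```

On a non-Windows host the script only exposes `triage`, which can be fed artifacts exported from another tool (a file listing plus Run and Post Platform values) for offline review.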