Full Disclosure mailing list archives
RE: "New" Brazilian Home Banking Trojan
From: "Randal, Phil" <prandal () herefordshire gov uk>
Date: Tue, 13 Sep 2005 18:06:30 +0100
http://www.virustotal.com says:

AntiVir 6.32.0.3 09.13.2005 no virus found
Avast 4.6.695.0 09.12.2005 no virus found
AVG 718 09.13.2005 no virus found
Avira 6.32.0.3 09.13.2005 no virus found
BitDefender 7.0 09.02.2005 no virus found
CAT-QuickHeal 8.00 09.12.2005 no virus found
ClamAV devel-20050725 09.13.2005 Trojan.Spy.Banker-94
DrWeb 4.32b 09.13.2005 no virus found
eTrust-Iris 7.1.194.0 09.13.2005 no virus found
eTrust-Vet 11.9.1.0 09.13.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.13.2005 no virus found
Ikarus 0.2.59.0 09.13.2005 Trojan-Spy.Win32.Bancos.JU
Kaspersky 4.0.2.24 09.13.2005 Trojan-Spy.Win32.Banker.ju
McAfee 4580 09.13.2005 no virus found
NOD32v2 1.1215 09.13.2005 a variant of Win32/Spy.Banker.VJ
Norman 5.70.10 09.13.2005 no virus found
Panda 8.02.00 09.13.2005 no virus found
Sophos 3.97.0 09.13.2005 no virus found
Symantec 8.0 09.13.2005 no virus found
TheHacker 5.8.2.105 09.12.2005 no virus found
VBA32 3.10.4 09.12.2005 MalwareScope.Trojan-Spy.Banker.43

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pedro Hugo
Sent: 13 September 2005 17:03
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] "New" Brazilian Home Banking Trojan

Hello,

I'm receiving a homebanking trojan from Brazil. The email is disguised as a patch for Orkut Bad Server and Errors. The download location is at http://69.57.154.130/~arquivo/orkut-patch.exe . AVG detects it, Norton doesn't. Didn't have the opportunity to test with other AVs.

Some quick notes about this one:
- It's packed with PECOMPACT 2.x. It can easily be unpacked with Olly, using the PECOMPACT scripts (www.openrce.org for example) and Ollydump.
- You can extract a few JPEGs from the unpacked binary. It confirms it tries to attack homebanking accounts.
- Strings reveals some 4 or 5 bank addresses.
- Seems to be coded in Delphi.
- It appears to email the stolen accounts to 2 accounts. At least they are in the code.

I think it should be interesting for Malware Reverse Engineering practice. Not much spare time at the moment to give a look at it, so not many details. It could be useful to AV vendors, since I'm not sure it's being detected by all. I thought it was a new one in the wild, until I tested with AVG :(

Best Regards,
Pedro Hugo

P.S.: The first copy arrived 3 weeks ago, and today I have received two more. If you want the original email, I can forward it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
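Pedro's note that the unpacked sample carries a few JPEGs of bank pages describes a routine triage step: carving images out of a binary to see what the malware displays to its victims. The following is an added example, not code from either poster; it carves JPEGs by walking the JPEG segment structure instead of simply matching the first FF D8 and the next FF D9, so a stray FF D9 inside a metadata segment cannot truncate an image. The function names and the SAMPLE bytes are constructed for this illustration and are not taken from the sample discussed in the thread.

```python
from __future__ import annotations
import struct
SOI = b"\xff\xd8\xff"  # Start Of Image plus the 0xFF of the next marker

def jpeg_length(data: bytes, start: int) -> int | None:
    """Length of the baseline JPEG at data[start], or None if the structure is broken."""
    pos = start + 2                                   # skip SOI
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                               # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None                               # length counts itself, so < 2 is bogus
        pos += 2 + seg_len                            # skip marker plus whole segment
        if marker == 0xDA:                            # Start Of Scan: entropy-coded data follows
            # In scan data 0xFF is always followed by 0x00 or 0xD0-0xD7, so the first FF D9 is the real EOI.
            end = data.find(b"\xff\xd9", pos)
            return None if end < 0 else end + 2 - start
    return None

def carve_jpegs(data: bytes) -> list[bytes]:
    """Return every structurally valid JPEG embedded in data, in file order."""
    found, pos = [], 0
    while (pos := data.find(SOI, pos)) != -1:
        length = jpeg_length(data, pos)
        if length:
            found.append(data[pos:pos + length])
            pos += length                             # never re-scan inside an image
        else:
            pos += 1                                  # false hit, keep looking
    return found

def make_jpeg(scan: bytes) -> bytes:
    """Constructed fixture: SOI, one APP0 segment, SOS header, scan data, EOI."""
    return (b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"JF"
            + b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00" + scan + b"\xff\xd9")

# Constructed stand-in for an unpacked sample: two images around filler and a decoy
# SOI whose bogus segment length (1) must be rejected rather than carved.
SAMPLE = (b"\x00" * 16 + make_jpeg(b"\x12\xff\x00\x34") + b"\xff\xd8\xff\x01\x00\x01"
          + b"filler" * 4 + make_jpeg(b"\xff\xd0\x55\xff\x00\x77\xab") + b"\x00" * 8)
```

Run carve_jpegs over the unpacked (not the PECompact-packed) file, since packed sections hide the markers; progressive JPEGs with several scans may need the scan loop extended past the first SOS.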