Full Disclosure mailing list archives

RE: "New" Brazilian Home Banking Trojan


From: "Randal, Phil" <prandal () herefordshire gov uk>
Date: Tue, 13 Sep 2005 18:06:30 +0100

http://www.virustotal.com says:

Scanner        Version         Updated     Result
AntiVir        6.32.0.3        09.13.2005  no virus found
Avast          4.6.695.0       09.12.2005  no virus found
AVG            718             09.13.2005  no virus found
Avira          6.32.0.3        09.13.2005  no virus found
BitDefender    7.0             09.02.2005  no virus found
CAT-QuickHeal  8.00            09.12.2005  no virus found
ClamAV         devel-20050725  09.13.2005  Trojan.Spy.Banker-94
DrWeb          4.32b           09.13.2005  no virus found
eTrust-Iris    7.1.194.0       09.13.2005  no virus found
eTrust-Vet     11.9.1.0        09.13.2005  no virus found
Fortinet       2.41.0.0        09.07.2005  no virus found
F-Prot         3.16c           09.13.2005  no virus found
Ikarus         0.2.59.0        09.13.2005  Trojan-Spy.Win32.Bancos.JU
Kaspersky      4.0.2.24        09.13.2005  Trojan-Spy.Win32.Banker.ju
McAfee         4580            09.13.2005  no virus found
NOD32v2        1.1215          09.13.2005  a variant of Win32/Spy.Banker.VJ
Norman         5.70.10         09.13.2005  no virus found
Panda          8.02.00         09.13.2005  no virus found
Sophos         3.97.0          09.13.2005  no virus found
Symantec       8.0             09.13.2005  no virus found
TheHacker      5.8.2.105       09.12.2005  no virus found
VBA32          3.10.4          09.12.2005  MalwareScope.Trojan-Spy.Banker.43

Cheers,

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Pedro Hugo
Sent: 13 September 2005 17:03
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] "New" Brazilian Home Banking Trojan

Hello,
I'm receiving a home banking trojan from Brazil. The email is 
disguised as a patch for Orkut Bad Server and Errors.
The download location is at 
http://69.57.154.130/~arquivo/orkut-patch.exe .
AVG detects it, Norton doesn't. Didn't have the opportunity to 
test with other AV.

Some quick notes about this one:
- It's packed with PECOMPACT 2.x. It can easily be unpacked 
with Olly, using the PECOMPACT scripts (www.openrce.org for 
example) and OllyDump.
- You can extract a few JPEGs from the unpacked binary. It 
confirms it tries to attack home banking accounts.
- Strings reveals some 4 or 5 bank addresses.
- It seems to be coded in Delphi.
- It appears to email the stolen accounts to 2 accounts. At 
least they are in the code.

I think it should be interesting for Malware Reverse 
Engineering practice.
Not much spare time at the moment to take a look at it, so not 
many details. 

It could be useful to AV vendors, since I'm not sure it's 
being detected by all. I thought it was a new one in the 
wild, until I tested with AVG :(

Best Regards,
Pedro Hugo

P.S.: The first copy arrived 3 weeks ago, and today I have 
received two more.
If you want the original email, I can forward it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
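The static triage steps Pedro describes (carve the embedded JPEGs out of the unpacked binary, then pull URLs and e-mail addresses from its strings) as an added Python example; this is not code from either post, and the SAMPLE blob is a constructed stand-in for the unpacked sample, not the real trojan.

```python
import re

# Constructed stand-in for an unpacked binary: two embedded JPEG fragments,
# a bank URL and a drop e-mail address among the strings (all made up).
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"\x00" * 8
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    + b"\x00" * 5 + b"http://www.example-bank.test/login\x00"
    + b"\xff\xd8\xff\xe1" + b"\x22" * 9 + b"\xff\xd9"
    + b"report to: stolen@example.test\x00ab\x00"
)

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker, followed by an APPn marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(data):
    """Return each byte range from a JPEG SOI marker to the next EOI marker.
    Naive carving (no decoding), which is enough to recover the phishing
    screenshots a banker trojan carries for later inspection."""
    out, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:             # truncated image: stop rather than guess
            break
        out.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return out


def printable_strings(data, min_len=4):
    """Same idea as the Unix `strings` tool: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


URL_OR_MAIL = re.compile(r"https?://\S+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def indicators(data):
    """URLs and e-mail addresses found in the strings: the targeted bank
    sites and the addresses stolen credentials are mailed to."""
    found = []
    for s in printable_strings(data):
        found.extend(URL_OR_MAIL.findall(s))
    return found


if __name__ == "__main__":
    for i, img in enumerate(carve_jpegs(SAMPLE)):
        print("jpeg[%d]: %d bytes" % (i, len(img)))
    print(indicators(SAMPLE))
```

Point it at a real unpacked sample by replacing SAMPLE with the file's bytes; the carved images can be written out and viewed in a sandboxed viewer, and the indicators fed to mail and proxy block lists.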


