RE: [Full-disclosure] "New" Brazilian Home Banking Trojan
From: Randal, Phil (prandal_at_herefordshire.gov.uk)
Date: 09/13/05
- Previous message: Pedro Hugo: "[Full-disclosure] "New" Brazilian Home Banking Trojan"
- Maybe in reply to: Pedro Hugo: "[Full-disclosure] "New" Brazilian Home Banking Trojan"
- Next in thread: Randal, Phil: "RE: [Full-disclosure] "New" Brazilian Home Banking Trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: phugo@highspeedweb.net, full-disclosure@lists.grok.org.uk
Date: Tue, 13 Sep 2005 18:04:34 +0100

From http://virusscan.jotti.org:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Spy.Banker-94
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Spy.Win32.Banker.ju
NOD32 Found a variant of Win32/Spy.Banker.VJ
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found MalwareScope.Trojan-Spy.Banker.43
Still waiting for http://www.virustotal.com to return a result...
I've also submitted it to McAfee's http://www.webimmune.net and
http://malwareupload.com
Cheers,
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Pedro Hugo
> Sent: 13 September 2005 17:03
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] "New" Brazilian Home Banking Trojan
>
> Hello,
> I'm receiving a homebanking trojan from Brazil. The email is
> disguised as a patch for Orkut Bad Server and Errors.
> The download location is at
> http://69.57.154.130/~arquivo/orkut-patch.exe .
> AVG detects it, Norton doesn't. Didn't have the opportunity to
> test with other AV.
>
> Some quick notes about this one:
> - It's packed with PECOMPACT 2.x. It can easily be unpacked
> with Olly, using the PECOMPACT scripts (www.openrce.org for
> example) and Ollydump.
> - You can extract a few JPEGs from the unpacked binary. It
> confirms it tries to attack homebanking accounts.
> - Strings reveals some 4 or 5 bank addresses.
> - Seems to be coded in Delphi.
> - It appears to email the stolen accounts to 2 accounts. At
> least they are in the code.
>
> I think it should be interesting for Malware Reverse
> Engineering practice.
> Not much spare time at the moment to give a look at it, so not
> many details.
>
> It could be useful to AV vendors, since I'm not sure it's
> being detected by all. I thought it was a new one in the
> wild, until I tested with AVG :(
>
> Best Regards,
> Pedro Hugo
>
> P.S.: The first copy arrived 3 weeks ago, and today I have
> received two more.
> If you want the original email, I can forward it.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
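A small static-triage helper that automates what the quoted notes do by hand on an unpacked binary (carve embedded JPEGs, pull URL and e-mail strings, look for a packer marker). It is an added example, not code from either poster; it runs on a constructed byte string rather than the real sample, and the "PECompact2" text marker and the sample contents are assumptions.

```python
import re

# Constructed stand-in for an unpacked sample (not the real file): a fake packer
# marker, a minimal JPEG-shaped blob, and a few strings of the kind the notes mention.
SAMPLE = (
    b"\x00" * 16
    + b"PECompact2\x00"                       # assumed packer marker text
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    + b"\x00\x00"
    + b"https://example-bank.invalid/login\x00"   # constructed bank-style URL
    + b"stolen@example.invalid\x00"              # constructed drop address
    + b"Delphi\x00ab\x00"
)

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(data: bytes) -> list:
    """Return every SOI...EOI span found in data (a coarse carve; real files with
    embedded thumbnails can contain an inner EOI, so treat results as candidates)."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Summarise the indicators the thread discusses: packer hint, images, URLs, mail."""
    strs = ascii_strings(data)
    return {
        "packer_hint": any("PECompact" in s for s in strs),
        "jpegs": len(carve_jpegs(data)),
        "urls": [s for s in strs if re.search(r"https?://", s)],
        "emails": [s for s in strs if re.fullmatch(r"[\w.+-]+@[\w.-]+\.\w+", s)],
        "delphi_hint": any("Delphi" in s for s in strs),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```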