Discovered: July 17, 2003
Updated: July 19, 2003 5:15:34 PM
Also Known As: New Malware.j [McAfee], PWSteal.Bancos [Symantec]
Infection Length: 911,962 bytes and 258,048 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Upon execution, the Trojan displays the following message box:
Title: "BOOK COM AMOR"
If the user clicks "Continuar" (Portuguese for "Continue") in the message box, the Trojan creates the following files:
- %System%\Msvbvm60.dll (the Microsoft Visual Basic 6 runtime, which the Trojan needs to run; this file is legitimately present on many systems, so its presence alone is not an indicator of infection)
- %System%\Winmaxy.exe
After dropping these files, the Trojan executes itself.
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WinMenssage" = "%System%\winmaxy.exe"
The Trojan then searches for the following file:
C:\BancoBrasil\officeIE\officeIE.CAB
If the above file exists, the Trojan moves it to the following location:
C:\officeIE.CAB
The Trojan monitors active Internet Explorer windows. When the user visits a Web site whose characteristics match those of certain Brazilian banking sites, the Trojan displays a spoofed login screen imitating that site and captures what the user enters. The Trojan may then send the captured information to an FTP server whose address is predefined by the author.
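The following script is an added example, not part of the Symantec writeup, showing how the indicators above (the "WinMenssage" Run value, %System%\Winmaxy.exe and the relocated C:\officeIE.CAB) can be matched against data collected from a host. The sample Run-key values and file paths are constructed for illustration; the live collector assumes a current Windows host, so it looks in System32 rather than the 9x/Me System directory, and it deliberately does not flag Msvbvm60.dll on its own because that DLL is the legitimate VB6 runtime.

```python
"""Match the PWSteal.Bancos host indicators from the writeup against
Run-key values and file paths. Added example; not code from the writeup.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the writeup. %System% is the Windows system directory:
# C:\WINDOWS\SYSTEM on 9x/Me, C:\WINNT\system32 or C:\WINDOWS\system32 on NT-family.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinMenssage"
DROPPED_EXE = "winmaxy.exe"
MOVED_CAB = r"c:\officeie.cab"

# Matches a path inside any of the system directory spellings, case-insensitively.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\(system32|system)\\", re.I)


def _norm(path: str) -> str:
    """Lower-case, strip quotes, and unify separators (Windows paths are case-insensitive)."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _basename(path: str) -> str:
    # Split on backslash explicitly so this also works when run on a non-Windows analyst box.
    return path.rsplit("\\", 1)[-1]


def match_indicators(run_values: Dict[str, str], files: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs.

    run_values maps value name -> data under the HKLM Run key;
    files is any list of full paths enumerated on the host.
    """
    findings: List[Tuple[str, str]] = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(("run-key value name", f"{name} = {data}"))
        elif _basename(_norm(data)) == DROPPED_EXE:
            # Same binary registered under a different value name (a trivial variant).
            findings.append(("run-key points at winmaxy.exe", f"{name} = {data}"))
    for f in files:
        n = _norm(f)
        if _basename(n) == DROPPED_EXE and SYSTEM_DIR_RE.match(n):
            findings.append(("dropped file", f))
        elif n == MOVED_CAB:
            findings.append(("relocated officeIE.CAB", f))
    return findings


def live_inputs() -> Tuple[Dict[str, str], List[str]]:
    """Collect the two inputs from the local host (Windows only; assumes an NT-family layout)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    run: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            run[name] = str(data)
            index += 1
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    candidates = [os.path.join(sysdir, "Winmaxy.exe"), r"C:\officeIE.CAB"]
    return run, [p for p in candidates if os.path.exists(p)]


# Constructed sample data standing in for a collected infected host (not real telemetry).
SAMPLE_RUN = {
    "WinMenssage": r"C:\WINDOWS\SYSTEM\winmaxy.exe",
    "SystemTray": "SysTray.Exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\Winmaxy.exe",
    r"C:\WINDOWS\SYSTEM\Msvbvm60.dll",   # legitimate runtime, intentionally not flagged alone
    r"C:\officeIE.CAB",
]

if __name__ == "__main__":
    for indicator, evidence in match_indicators(SAMPLE_RUN, SAMPLE_FILES):
        print(f"{indicator}: {evidence}")
```

On an actual host, pass `*live_inputs()` to `match_indicators`; if the Run value is found, stop the winmaxy.exe process before deleting the value and the file, otherwise the running Trojan can re-create them.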
Writeup By: Heather Shannon