Filed under: Weekly Review

Weekly Malware Review - Trojan.Spy.Banker.ABGS

06 July 2010
Written in Delphi and packed with Aspack and Themida, Trojan.Spy.Banker.ABGS comes hidden under an Internet Explorer icon.


1st Step – Scouting

The sly spy-banker is subtle and it really knows how to watch its back. Once the unwary user executes it, its first “thought” is to check whether SoftICE is running on the computer; if it is, the computer will not be infected. SoftICE is a kernel-mode debugger that runs underneath Windows and is capable of suspending all operations in Windows (malware included) when so instructed. The banker is cautious.

2nd Step - Installation

Should SoftICE not be running on the system, the infection begins: the malicious software creates a file called megatron.ini inside the system folder, which stores the banker’s settings. Afterwards, the banker drops a copy of itself as %SYSTEM%\imglog.exe, at which point the system is officially infected.

The banker makes %SYSTEM%\imglog.exe run at startup by creating a new entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The entry is named SymantecFilterCheck and points to the infected executable (C:\WINDOWS\system32\imglog.exe). Furthermore, another registry key is created: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform.

3rd Step – Establishing contact with the creator

Trojan.Spy.Banker.ABGS sends an e-mail to its herder using smtp.tutopia.com.br as the mail gateway. This message announces that the computer in question is infected and is now part of the fraud network.

4th Step – Cleaning the computer

The banker searches for other pieces of malware that might lurk on the system in order to rename them (for example SSH2.dll, gbieh.gmd and gbiehcef.dll), so as to prevent them from being initialized at the next system startup. Trojan.Spy.Banker.ABGS uses a text file disguised as a DLL, which holds the filenames to be looked up and renamed.

5th Step – Final touch

While in operation, the virus searches for a running Internet Explorer instance that uses DDE (Dynamic Data Exchange). If such an instance is found, the spy-banker checks for the banking URLs it has been instructed to monitor and displays a fake web browser window that looks identical to the bank’s login system. Of course, if the user logs in, his/her credentials will actually land in the attacker’s inbox.
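As an added example (not code from the review, from BitDefender or from the sample itself), the host artefacts described in step 2 above can be turned into a small triage check: the Run value name, dropped file names and registry paths are taken from the write-up, the scoring logic and the sample input at the bottom are constructed, and the live collector assumes it runs on Windows with rights to read HKLM.

```python
import os
# Indicators quoted from the write-up (step 2); the code around them is added.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"                     # HKLM
POST_PLATFORM_KEY = (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
                     r"\User Agent\Post Platform")                              # HKCU
RUN_VALUE_NAME, DROPPED_EXE, CONFIG_FILE = "SymantecFilterCheck", "imglog.exe", "megatron.ini"

def triage(run_entries, system_files, post_platform_present):
    """run_entries: {Run value name: command}; system_files: names in %SYSTEM%;
    post_platform_present: whether the HKCU Post Platform key exists."""
    findings = []
    for name, data in run_entries.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(("high", f"Run value {name!r} present -> {data}"))
        elif DROPPED_EXE in data.lower():
            findings.append(("high", f"Run value {name!r} launches {DROPPED_EXE}"))
    files = {f.lower() for f in system_files}
    if DROPPED_EXE in files:
        findings.append(("high", f"%SYSTEM%\\{DROPPED_EXE} exists"))
    if CONFIG_FILE in files:
        findings.append(("medium", f"%SYSTEM%\\{CONFIG_FILE} exists"))
    # Post Platform is also created by legitimate software (it stores extra
    # User-Agent tokens), so on its own it only corroborates the findings above.
    if post_platform_present and findings:
        findings.append(("low", "Post Platform key present (corroborating only)"))
    return findings

def collect_live_host():
    """Gather the three triage inputs from a running Windows host (needs winreg)."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values under Run
                break
            entries[name], i = str(data), i + 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, POST_PLATFORM_KEY))
        present = True
    except OSError:
        present = False
    return entries, os.listdir(system_dir), present
# Constructed sample of what collect_live_host() could return on an infected PC.
SAMPLE = ({"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
           "SymantecFilterCheck": r"C:\WINDOWS\system32\imglog.exe"},
          ["kernel32.dll", "imglog.exe", "megatron.ini"], True)
```

On a Windows host, `triage(*collect_live_host())` runs the same check against the real registry and system folder; anywhere else, `triage(*SAMPLE)` shows the expected findings.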

It is no secret that banker-Trojans spring mostly from Brazil and Trojan.Spy.Banker.ABGS is no exception to the rule.

The technical information in this article is available courtesy of BitDefender virus researcher Robert Szasz.

Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.

Comments:

Kaylan said on Jul-13-2010 18:41

Any particular reason to write it in Delphi?

Loredana said on Jul-14-2010 05:20

Delphi allows programmers to create interface-based applications in less time. That's why it is called a RAD (rapid application development).

Dale said on Jan-13-2011 17:33

This was found on my computer by IObit Security 360 and removed straight away. I also have Avast antivirus and Malwarebytes, which did not detect it. I'm so glad I discovered this, as I often use online banking. I have checked my bank details and account, all OK, thank God.

mother of the bride dresses said on Aug-8-2011 05:31

I've heard that the virus searches for the presence of a running Internet Explorer instance which uses DDE (Dynamic Data Exchange). If such instance is found, the spy-banker checks for banking URLs it has been instructed to monitor and displays a fake web browser window that looks identical to the bank’s login system. It's a dangerous threat; thank you for pointing out how to remove it.

Plumber Bedfordshire said on Dec-22-2011 23:28

Such an interesting review.
