Open Source and information security mailing list archives
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580843E9BD@isabella.herefordshire.gov.uk>
Date: Tue Sep 13 18:05:24 2005
From: prandal at herefordshire.gov.uk (Randal, Phil)
Subject: "New" Brazilian Home Banking Trojan

From http://virusscan.jotti.org:

AntiVir                  Found nothing
ArcaVir                  Found nothing
Avast                    Found nothing
AVG Antivirus            Found nothing
BitDefender              Found nothing
ClamAV                   Found Trojan.Spy.Banker-94
Dr.Web                   Found nothing
F-Prot Antivirus         Found nothing
Fortinet                 Found nothing
Kaspersky Anti-Virus     Found Trojan-Spy.Win32.Banker.ju
NOD32                    Found a variant of Win32/Spy.Banker.VJ
Norman Virus Control     Found nothing
UNA                      Found nothing
VBA32                    Found MalwareScope.Trojan-Spy.Banker.43

Still waiting for http://www.virustotal.com to return a result...

I've also submitted it to McAfee's http://www.webimmune.net and
http://malwareupload.com

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of Pedro Hugo
> Sent: 13 September 2005 17:03
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] "New" Brazilian Home Banking Trojan
> 
> Hello,
> I'm receiving a homebanking trojan from Brazil. The email is 
> disguised as a patch for Orkut Bad Server and Errors.
> The download location is at 
> http://69.57.154.130/~arquivo/orkut-patch.exe .
> AVG detects it, Norton doesn't. Didn't have the opportunity to 
> test with other AV.
> 
> Some quick notes about this one:
> - It's packed with PECOMPACT 2.x. It can easily be unpacked 
> with Olly, using the PECOMPACT scripts (www.openrce.org for 
> example) and Ollydump.
> - You can extract a few JPEGs from the unpacked binary. It 
> confirms it tries to attack homebanking accounts.
> - Strings reveals some 4 or 5 bank addresses.
> - Seems to be coded in Delphi.
> - It appears to email the stolen accounts to 2 accounts. At 
> least they are in the code.
> 
> I think it should be interesting for Malware Reverse 
> Engineering practice.
> Not much spare time at the moment to take a look at it, so not 
> many details. 
> 
> It could be useful to AV vendors, since I'm not sure it's 
> being detected by all. I thought it was a new one in the 
> wild, until I tested with AVG :(
> 
> Best Regards,
> Pedro Hugo
> 
> P.S.: The first copy arrived 3 weeks ago, and today I have 
> received two more.
> If you want the original email, I can forward it.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
