Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: [Full-disclosure] "New" Brazilian Home Banking Trojan
From: Randal, Phil (prandalherefordshire.gov.uk)
Date: Tue Sep 13 2005 - 12:06:30 CDT
AntiVir 126.96.36.199 09.13.2005 no virus found
Avast 4.6.695.0 09.12.2005 no virus found
AVG 718 09.13.2005 no virus found
Avira 188.8.131.52 09.13.2005 no virus found
BitDefender 7.0 09.02.2005 no virus found
CAT-QuickHeal 8.00 09.12.2005 no virus found
ClamAV devel-20050725 09.13.2005 Trojan.Spy.Banker-94
DrWeb 4.32b 09.13.2005 no virus found
eTrust-Iris 184.108.40.206 09.13.2005 no virus found
eTrust-Vet 220.127.116.11 09.13.2005 no virus found
Fortinet 18.104.22.168 09.07.2005 no virus found
F-Prot 3.16c 09.13.2005 no virus found
Ikarus 0.2.59.0 09.13.2005 Trojan-Spy.Win32.Bancos.JU
Kaspersky 22.214.171.124 09.13.2005
McAfee 4580 09.13.2005 no virus found
NOD32v2 1.1215 09.13.2005 a variant of Win32/Spy.Banker.VJ
Norman 5.70.10 09.13.2005 no virus found
Panda 8.02.00 09.13.2005 no virus found
Sophos 3.97.0 09.13.2005 no virus found
Symantec 8.0 09.13.2005 no virus found
TheHacker 126.96.36.199 09.12.2005 no virus found
VBA32 3.10.4 09.12.2005 MalwareScope.Trojan-Spy.Banker.43
> -----Original Message-----
> From: full-disclosure-bounceslists.grok.org.uk
> [mailto:full-disclosure-bounceslists.grok.org.uk] On Behalf
> Of Pedro Hugo
> Sent: 13 September 2005 17:03
> To: full-disclosurelists.grok.org.uk
> Subject: [Full-disclosure] "New" Brazilian Home Banking Trojan
> I'm receiving an homebanking trojan from Brazil. The email is
> disguised as a patch for Orkut Bad Server and Errors.
> The download location is at
> http://188.8.131.52/~arquivo/orkut-patch.exe .
> AVG detects it, Norton doesn't. Didn't had the opportunity to
> test with other AV.
> Some quick notes about this one:
> - It's packed with PECOMPACT 2.x. It can easily be unpacked
> with Olly, using the PECOMPACT scripts (www.openrce.org for
> example) and Ollydump.
> - You can extract a few Jpeg's from the unpacked binary. It
> confirms it tries to attack homebanking accounts.
> - Strings reveals some 4 or 5 banks addresses.
> - Seems to be coded in Delphi.
> - It appears to email the stolen accounts to 2 accounts. At
> least they are in the code.
> I think it should be interesting for Malware Reverse
> Engineering practice.
> No much spare time at the moment to give a look at it, so no
> much details.
> It could be useful to AV vendors, since I'm not sure it's
> being detected by all. I thought it was a new one in the
> wild, until I tested with AVG :(
> Best Regards,
> Pedro Hugo
> P.S.: The first copy arrived 3 weeks ago, and today I have
> received two more.
> If you want the original email, I can forward it.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/