
Trojan monitoring almost every browser


Cthulhu
December 17th, 2009, 14:21
I've been seeing an increasing number of infections by this trojan.
It seems to monitor Chrome, Firefox, Safari and IE to steal bank account information.
In case anyone's interested in analyzing it, I'll post it here.

Password: malware

Silkut
December 17th, 2009, 14:50
Not Opera ? \0/

EDIT: Wow, it is quite nasty... It is detected as Trojan.Win32.Cosmu.faz by KAV; it has been on the watch list for two days.

Your file is packed with UPX, it contains 18 imports and numerous functions; analysis made the debugger crap its pants and my VM BSOD.
There is a resident binary called "services" which is also running a child called "jqs"; the latter one is dropped in Local Settings\Temp. The first one is detected, the latter is not.
It is dropping some files in system32 and all...

It is querying google.com.br, then happymod.info
On this one it is GETting four files "flexds10.a,house10.a,total10.pmk,view25.a" which are XORed binaries, also packed with UPX. They all seem to contain the same code.

It also queries contabilizando.webcindario.com/acesso.php with information about your infected computer (Windows version, user name, IP address and port). This PHP code is exploitable btw.

Some anon example from the root dir list:
Quote:
###WinVista # 8 # 10071677 # ANASALES-PC # # 72.218.XXX.222 # 49X90 # 2009-12-14 # 21:09:04
FF ####WinXP # 6 # 32962726 # MAQUINA09 # # 189.104.X.116 # XXX9 # 2009-12-14 # 21:09:28
###WinVista # 8 # 22852820 # JAQUELINEXXX # # 2XX.144.1X.74 # XX644 # 2009-12-14 # 21:11:57



EDIT2: http://www.threatexpert.com/report.aspx?md5=2acca2a8316782af9d0892e679f7594a some additional info for you guys.

This is a courtesy of Brasil =)


Thanks to MAD° guys for the side by side analysis

° http://mad.internetpol.fr/ - [FR]
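As an added example (not from the thread or from MAD), a small Python check an analyst could run on one of the downloaded ".a"/".pmk" files, assuming the XOR scheme is a single repeating byte (the post does not say which key or scheme was used): recover the key from the expected "MZ" DOS header and stub text, then look for UPX section names in the decoded bytes. The sample buffer below is constructed, not real malware.

```python
from typing import Optional

# Section names / signature UPX leaves in a packed PE.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (assumption: one-byte repeating key)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Known-plaintext recovery: a PE starts with 'MZ', so the first byte gives
    the key. The second byte and the DOS stub text confirm the guess."""
    if len(blob) < 2:
        return None
    k = blob[0] ^ ord("M")
    if blob[1] ^ k != ord("Z"):
        return None
    decoded = xor_bytes(blob, k)
    if b"This program" not in decoded:  # start of the usual DOS stub message
        return None
    return k


def looks_upx_packed(pe: bytes) -> bool:
    """True if any UPX section name or signature appears in the decoded image."""
    return any(m in pe for m in UPX_MARKERS)


def analyze_download(blob: bytes) -> dict:
    """Return the recovered key (or None) and whether the decoded file looks UPX-packed."""
    key = recover_xor_key(blob)
    if key is None:
        return {"key": None, "upx": False}
    return {"key": key, "upx": looks_upx_packed(xor_bytes(blob, key))}


# Constructed sample: a minimal fake PE-like buffer, XORed with key 0x5A.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 60
           + b"This program cannot be run in DOS mode.\r\n"
           + b"PE\x00\x00" + b"UPX0" + b"UPX1" + b"\x00" * 16)
SAMPLE_DOWNLOAD = xor_bytes(FAKE_PE, 0x5A)

if __name__ == "__main__":
    print(analyze_download(SAMPLE_DOWNLOAD))  # {'key': 90, 'upx': True}
```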

Silkut
January 14th, 2010, 06:31
A variant described on Trend Micro's blog.
http://blog.trendmicro.com/banker-scams-new-spam-victims/