
Trojan.Banker.Delf.ZRD


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Banker.Delf.ZRD.

Explanation:

The application tricks users into thinking it is a legitimate application that lets them log in to their Bradesco banking account. After the first authentication attempt, if the application validates the user's steps, it displays a message informing the user that their banking account will expire within 5 days from that moment, and that renewing the account information is highly recommended.

The application also refuses to close by normal means, insisting on the account renewal.

If the next 3 steps also succeed, the application tries to connect to http://web67.f1.k8.com.br (187.16.23.161), sending 3 packets of 252 bytes, 2127 bytes and 186 bytes over socket connections on local port 1085, and also uses proxy forwarding through an entire chain of logins with usernames and passwords to make tracking difficult.

domain: k8.com.br
owner: Digirati Informática, serviços e telecomunicações (332944)

In the last two packets described above, the application base64-encodes sets of data collected from the user's PC and POSTs them to http://www.repuxo.com/gol/index.php.
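The network behaviour above gives a defender a small set of indicators: the k8.com.br host and its IP, the POST target on repuxo.com, the three packet sizes, and base64-encoded POST bodies. The following Python is an added example, not code from BitDefender or from the malware entry, that scans outbound proxy log records for those indicators. The log format, the source addresses and the 203.0.113.7 address for repuxo.com are constructed for the example (the page gives no IP for that host); only the hostnames, the 187.16.23.161 address, the URL path and the packet sizes come from the description.

```python
import base64
import binascii
import re

# Network indicators taken from the BitDefender description above.
IOC_HOSTS = {"web67.f1.k8.com.br", "www.repuxo.com"}
IOC_DOMAIN_SUFFIX = ".k8.com.br"        # registrant listed as Digirati
IOC_IP = "187.16.23.161"
IOC_POST_PATH = "/gol/index.php"
IOC_PACKET_SIZES = {252, 2127, 186}      # low-confidence corroboration only

# Constructed sample log, one record per line:
#   timestamp src_ip method host path dst_ip dst_port bytes_out
# 203.0.113.7 is a TEST-NET placeholder for repuxo.com, not from the page.
SAMPLE_LOG = """\
2011-11-21T10:00:01 10.0.0.5 GET www.example.com / 93.184.216.34 80 412
2011-11-21T10:00:07 10.0.0.5 CONNECT web67.f1.k8.com.br - 187.16.23.161 80 252
2011-11-21T10:00:08 10.0.0.5 POST www.repuxo.com /gol/index.php 203.0.113.7 80 2127
2011-11-21T10:00:09 10.0.0.5 POST www.repuxo.com /gol/index.php 203.0.113.7 80 186
2011-11-21T10:01:00 10.0.0.9 GET www.example.org /news 93.184.216.34 80 1500
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<dst>\S+) (?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log record into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def indicators_for(rec):
    """Return the names of the indicators a parsed record matches."""
    hits = []
    host = rec["host"].lower()
    if host in IOC_HOSTS:
        hits.append("ioc_host")
    elif host.endswith(IOC_DOMAIN_SUFFIX):
        hits.append("ioc_domain")
    if rec["dst"] == IOC_IP:
        hits.append("ioc_ip")
    if rec["method"] == "POST" and rec["path"] == IOC_POST_PATH:
        hits.append("ioc_post_path")
    # A packet size alone is never enough; report it only beside a stronger match.
    if hits and rec["bytes"] in IOC_PACKET_SIZES:
        hits.append("size_match")
    return hits


def scan_log(text):
    """Scan a whole log; return (line_number, src_ip, indicators) per hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec)
        if hits:
            findings.append((n, rec["src"], hits))
    return findings


def looks_like_base64(body, min_len=16):
    """Heuristic for the base64-encoded POST bodies the description mentions."""
    body = body.strip()
    if len(body) < min_len or len(body) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    for n, src, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {src} -> {', '.join(hits)}")
```

Running the block reports the three records from 10.0.0.5 that touch the k8.com.br host, the listed IP or the repuxo.com POST path; `looks_like_base64` is meant for a proxy that captures POST bodies, so an encoded body to the `/gol/index.php` path can be escalated rather than only logged.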

Last update 21 November 2011
