
TrojanSpy:Win32/Bafi


First posted on 08 April 2013.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Bafi is also known as Win32/Spy.Banker.YID trojan (ESET), Trojan-Spy.Win32.Farko.nd (Kaspersky).

Explanation:

Installation

Trojans in this family are downloaded as a file that masquerades as the Adobe PDF Reader link helper, for example "AcroIEHelper.dll".

In Internet Explorer the file is called "AcroIEHelpe<random number>.dll" and is downloaded to the "<system folder>" folder. For example, "<system folder>\AcroIEHelpe9.dll".

In Firefox the file is called "AcroFF<random number>.dll" and is downloaded to either of the following:

  • %APPDATA%\<random number>\
  • <system folder>\<random number>\

For example, "%APPDATA%\4\AcroFF7.dll".

Members of this family can also drop a further component that prevents the trojan's registry entries from being removed, for example "<system folder>\BAcroIEHelpe<number>.dll".

TrojanSpy:Win32/Bafi stores stolen information in a folder created within "<system folder>", for example "<system folder>\xmldm\".

It stores this information in a log file. The file name is a random number with one of the following extensions:

  • .key
  • .clb
  • .psl
  • .pst
  • .htm
  • .dat


The trojan modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKLM\SOFTWARE\Classes\CLSID\<CLSID>\InProcServer32
Sets value: "<default>"
With data: "<malware folder and file name>"

In subkey: HKLM\SOFTWARE\Classes\CLSID\<CLSID>
Sets value: "<default>"
With data: "0"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID>
Sets value: "<default>"
With data: "<value not set>"

In Firefox it installs itself as a plugin with the name "Java String Helper" and modifies the following registry entries:

In subkey: HKCU\Software\Mozilla\Firefox\extensions
Sets value: "<CLSID>"
With data: "<system folder>\<random number>"

In subkey: HKLM\SOFTWARE\Mozilla\Firefox\extensions
Sets value: "<CLSID>"
With data: "<system folder>\<random number>"
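As an added detection-side example (not part of the Microsoft write-up), the following Python triages a registry export for the artifacts listed above: a CLSID whose InProcServer32 default value points at an AcroIEHelpe<number>.dll, BAcroIEHelpe<number>.dll or AcroFF<number>.dll, the Browser Helper Objects registration for that same CLSID, and a Firefox extensions value whose directory is a bare number. The .reg sample is constructed, with placeholder CLSIDs and paths, and includes the genuine Adobe AcroIEHelper.dll so the name check is shown not to misfire on it.

```python
import re

# Added example, not part of the Microsoft write-up: triage a Windows registry
# export (.reg text) for the persistence artifacts the write-up documents.
# SAMPLE_REG is CONSTRUCTED; its CLSIDs and paths are placeholders, not real IoCs.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Windows\\System32\\AcroIEHelpe9.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InProcServer32]
@="C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll"
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\extensions]
"{CCCCCCCC-0000-0000-0000-000000000003}"="C:\\Windows\\System32\\4"
"{DDDDDDDD-0000-0000-0000-000000000004}"="C:\\Program Files\\Vendor\\ffext"
"""
# AcroIEHelpe<n>.dll, BAcroIEHelpe<n>.dll, AcroFF<n>.dll; Adobe's genuine
# AcroIEHelper.dll has no digit after "Helpe" and therefore does not match.
BAFI_DLL = re.compile(r"^(?:B?AcroIEHelpe|AcroFF)\d+\.dll$", re.IGNORECASE)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"[^"]+")="(.*)"$')
NUMERIC_DIR = re.compile(r"\\\d+\\?$")  # Firefox variant lives in ...\<random number>\
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def find_bafi_artifacts(reg_text):
    """Return (finding, key, data) tuples for the registry artifacts described above."""
    findings, flagged_clsids, bho_keys, key = [], set(), [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            if "\\browser helper objects\\" in key.lower():
                bho_keys.append(key)
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        filename = data.rsplit("\\", 1)[-1]
        if name == "@" and key.lower().endswith("\\inprocserver32") and BAFI_DLL.match(filename):
            findings.append(("inprocserver32_bafi_dll", key, data))
            flagged_clsids.update(c.upper() for c in CLSID.findall(key))
        elif "\\mozilla\\firefox\\extensions" in key.lower() and NUMERIC_DIR.search(data):
            findings.append(("firefox_extension_numeric_dir", key, data))
    # A BHO registration matters only if its CLSID resolves to one of the flagged DLLs.
    for bkey in bho_keys:
        if any(c.upper() in flagged_clsids for c in CLSID.findall(bkey)):
            findings.append(("bho_loads_bafi_dll", bkey, CLSID.findall(bkey)[0]))
    return findings
```

On a live host the same function can be fed the output of `reg export` for the three hives listed above.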

Payload

Steals passwords and other information

TrojanSpy:Win32/Bafi waits for the user to visit a website that has any of the following text in its URL:

  • accounts.google.com/ServiceLoginAuth
  • auth.freenet.de/portal/login.php
  • BANK
  • bankofamerica
  • COMDIRECT
  • desk.net-temps.com/login.html
  • employer.dice.com/login_r.epl
  • facebook.com/login.php
  • FIDUCIA.DE
  • google
  • hotmail
  • live.com
  • login.1und1.de/xml/
  • login.live.com/ppsecure/post.srf
  • login.web.de/intern/login
  • login.yahoo.com/
  • losangeles.jobing.com/recruiting
  • mail.yahoo.com/neo/launch?
  • microsoft
  • my.screenname.aol.com/_cqr/login/login
  • netbank.danskebank.dk/HB?
  • PASSPORT
  • PTLWEB/WEBPORTAL
  • service.gmx
  • skype
  • webmailcluster.1und1.de/xml
  • www.arcor.de/login/login.jsp
  • www.beyond.com/EMP/Login/Action/Login.asp
  • www.careercast.com/careers/user/setCredentials
  • www.credit-agricole.fr/
  • www.washingtonpost.com/wl/jobs/EmployerUserServlet
  • yahoo.com


When one of these sites is visited, the trojan tries to capture your login details, such as your username and password. It can copy your keystrokes, mouse clicks and clipboard data to a data file that can be accessed later by other TrojanSpy:Win32/Bafi components and sent to a remote server.

Additional information

This family also creates a mutex named "Adobe_PDF_Rdr_Hlpr_Mtx", possibly as an infection marker to prevent multiple instances running on your computer.

We have seen variants of this family using the following CLSIDs:



Analysis by Alden Pornasdoro

Last update 08 April 2013
