Home / malware Trojan.Spy.Banker.ABGS
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.Spy.Banker.ABGS is also known as Trojan.Win32.Scar.xqq, Suspect-1D!A0565B91EDEA, a, variant, of, Win32/Packed.Themida, Generic_c.ACQQ, Win32:Rootkit-gen.
Explanation :
This malware got an internet explorer icon.
When runs this malware checks if SOFTICE is installed on your system, if installed then the computer will not be infected, else it will infect your system in the following way:
It will create a file %SYSTEM%megatron.ini. Then it copies itself to %SYSTEM%imglog.exe. It will send a mail trough smtp.tutopia.com.br to his creators that a system got infected.
It will search for various files(other malwares too) on your computer and rename them.(SSH2.dll, gbieh.gmd, gbiehcef.dll...) Then it will create %WINDIR%ponto.dll(text file) with the name of the files wich should be renamed.
Adds %SYSTEM%imglog.exe copy at startup by creating the following registry entry:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunSymantecFilterCheck -> C:WINDOWSsystem32imglog.exe
After this it will create the following registry entries:
HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform
Embedded Web Browser from: http://bsalsa.com/
When running, the virus repetedly checks using DDE(Dynamic Data Exchange) the presence of a running Internet Explorer(CreateProcessInternal,getwindowInfo). If found, the virus checks for banking URLs and displays a fake web browser window trying to persuade the user to introduce login data. The malware uses as webbrowser bsalsa's embedded webbrowser.
The malware was written in delphi, it is packed with aspack and themida protector.
The language of the malware's fake web browser interface is brazil, and this malware steals login information from brazilian bank "Banco Real"(http://www.bancoreal.com.br).Last update 21 November 2011