
Trojan:Win32/Spycos.B


First posted on 08 April 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Spycos.B is also known as PSW.Banker6.AQFT (AVG), TR/Spy.677888.28 (Avira), Win32/Spy.Banker.ZAO trojan (ESET), Trojan-PWS.Banker6 (Ikarus).

Explanation:

Installation

Trojan:Win32/Spycos.B usually arrives as a DLL file that is dropped or downloaded by other Win32/Spycos malware.

The file is usually placed in the %USERPROFILE% or %TEMP% folder.

The file name varies. Many of the names below imitate legitimate Windows or vendor DLLs, and the .cpl (Control Panel item) names are still ordinary DLLs under a different extension. In the wild, we have seen the following file names used:

  • 3dvision_280.dll
  • acompanhantes.cpl
  • adobe.cpl
  • adober00392.cpl
  • adobeupdate.dll
  • adobwind1.cpl
  • album0308i.cpl
  • askbar14.dll
  • asktb.dll
  • asktbarx.dll
  • asktool.dll
  • audiosrv0372.cpl
  • authui.dll
  • autorungui.dll
  • auxiliarydisplaydriverlib.dll
  • bitsprx2.dll
  • blbevents.cpl
  • bthci.dll
  • bthmtpcontexthandler.dll
  • capesnpn.dll
  • catralbet.cpl
  • certprop.dll
  • chequespagos.cpl
  • choiseguard.dll
  • chromme.dll
  • chronme.dll
  • colbact.dll
  • comdllg32.dll
  • comdllgw32.dll
  • comprovante.cpl
  • comrepl.dll
  • d3dim.dll
  • dc<random characters>.cpl
  • dc<random characters>.dll
  • defragsvc.dll
  • dissolveanother.cpl
  • downloadsfree.cpl
  • dxmasf.dll
  • fotos.cpl
  • gbiehabnn.dll
  • iedvtool32.dll
  • iertutil.dll
  • img<random characters>jpg.cpl
  • infosapi.dll
  • inter.dll
  • iphlpsvc.dll
  • irclass.dll
  • irpf2012.dll
  • jarivalwindate.cpl
  • javawind.cpl
  • javaww.cpl
  • javw.cpl
  • kbdca.dll
  • kbdinmal.dll
  • kbdinpun.dll
  • kbdit142.dll
  • language32.dll
  • mciqtz32.dll
  • mensagem.cpl
  • mfc90ud.dll
  • ministeriocmv.cpl
  • mmcndmgr.dll
  • modulo.dll
  • mpcmdrun.cpl
  • msdadiag.dll
  • msgina.dll
  • msieftp.dll
  • msobjs.dll
  • msports.dll
  • musictop.cpl
  • netfxrepair1025.dll
  • nlslexicons0027.dll
  • nv3dvision.dll
  • nvdvision.dll
  • odtext32.dll
  • ole.dll
  • olepro32.dll
  • particular_fotos.jpg.cpl
  • pguard.cpl
  • prntvpt.dll
  • qmgr.dll
  • rdpwsx.dll
  • regidle.dll
  • rpchttp.dll
  • sample0810_1727.dll
  • scpsssh3.cpl
  • snmpmib.dll
  • sonyhdm1.cpl
  • sorentsw32.dll
  • ssl.dll
  • tlscsp.dll
  • toolbar.dll
  • toplist.cpl
  • topmusicas.cpl
  • trz<random characters>.tmp
  • txflog.dll
  • vistalib32_1.dll
  • visualiza.zip
  • visualizar.cpl
  • wevtfwd.dll
  • windhatersoc.cpl
  • windlatersoc.cpl
  • windoows_<random characters>.cpl
  • windwsz.cpl
  • winpox212.cpl
  • winsoew.cpl
  • wlanmm.dll
  • wmpcm.dll
  • wmploc.dll
  • wmvsencd.dll
  • workflowtargets.cpl
  • wuapi.dll
  • xactengine2_9.dll
  • xsharing.cpl
  • xwizards.dll


It is usually installed as a BHO (Browser Helper Object), an in-process COM server DLL that Internet Explorer loads into every browser window, which is what lets it inspect and rewrite the pages you visit. It may create the following registry entries (HKCR\CLSID is a merged view of the HKLM and HKCU Classes keys, so the first two subkeys below refer to the same data):

In subkeys:
HKCR\CLSID\<random CLSID>
HKLM\SOFTWARE\Classes\CLSID\<random CLSID>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<random CLSID>
Sets value: "@"
With data: "<BHO name>"

In subkeys:
HKCR\CLSID\<random CLSID>\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\<random CLSID>\InprocServer32
Sets value: "@"
With data: "<DLL path and file name>"

where <BHO name> might be any of the following:

  • Adobe Flash Player
  • Adobe Flash Player Helper
  • Adobe Macromedia Incorporated
  • Adobe PDF Link
  • Adobe PDF Link Helper
  • Ask Toolbar
  • Microsoft Windows Explorer
  • Scripting.Dictionary
  • Shockwave Flash Object
  • Windows Internet Explorer
  • XML DOM Document 3.0
  • ® Microsoft Windows
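The registration above is what a defender can hunt for. The following script is an added example and is not part of the Microsoft write-up: it enumerates every registered BHO on a host (including the WOW6432Node view used by 32-bit Internet Explorer on 64-bit Windows), resolves each one's InprocServer32 path, and flags the ones that fit the Spycos.B pattern: a server DLL or .cpl under a user-writable folder, an unsigned or missing file, or one of the display names listed above. The drop folders and spoofed names come from the write-up; treating a name match as only a weak signal, and the set of folders checked, are assumptions of the example.

```powershell
# Added example, not part of the Microsoft write-up. Run from an elevated PowerShell
# prompt on the suspect host. Only the current user's profile folders are checked;
# repeat under each profile (or walk C:\Users) on a shared machine.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Display names the malware has been seen using (from the write-up). Legitimate
# Adobe/Microsoft BHOs use some of these too, so a name match alone is a weak signal.
$spoofedNames = @('Adobe Flash Player', 'Adobe Flash Player Helper', 'Adobe Macromedia Incorporated',
    'Adobe PDF Link', 'Adobe PDF Link Helper', 'Ask Toolbar', 'Microsoft Windows Explorer',
    'Scripting.Dictionary', 'Shockwave Flash Object', 'Windows Internet Explorer',
    'XML DOM Document 3.0', '® Microsoft Windows')
# Drop locations named in the write-up plus the AppData folders (assumption). A legitimate
# BHO lives under Program Files or System32, never in a user-writable folder.
$userWritable = @($env:USERPROFILE, $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid   = $key.PSChildName
            $bhoName = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            # The server path is the default value of ...\CLSID\<clsid>\InprocServer32.
            # HKCR merges HKLM and HKCU Classes, so check both views plus WOW6432Node.
            $inproc = $null
            foreach ($cls in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                               "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid\InprocServer32",
                               "HKCU:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32")) {
                if (Test-Path $cls) {
                    $inproc = (Get-ItemProperty -Path $cls -ErrorAction SilentlyContinue).'(default)'
                    if ($inproc) { break }
                }
            }
            $path = if ($inproc) { [Environment]::ExpandEnvironmentVariables($inproc.Trim('"')) } else { '' }

            $reasons = @()
            if (-not $path) { $reasons += 'no InprocServer32 value' }
            foreach ($dir in $userWritable) {
                if ($path -and $path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "server under $dir"; break
                }
            }
            if ($path -and $path -match '\.cpl$') { $reasons += 'BHO server is a .cpl' }
            if ($spoofedNames -contains $bhoName) { $reasons += 'display name in Spycos list (weak)' }
            if ($path -and (Test-Path $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            } elseif ($path) {
                $reasons += 'server file missing on disk'
            }
            [pscustomobject]@{
                CLSID      = $clsid
                Name       = $bhoName
                Path       = $path
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A hit on the folder or signature checks is worth acting on by itself; a hit on the display name alone should be confirmed by looking at the path. Exporting the CLSID's Classes key before deleting the BHO entry preserves the evidence for later analysis.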


Payload

Steals online banking information

It checks whether you visit any of the following websites (all Brazilian banks):

  • bancobrasil.com.br
  • internetbanking.caixa.gov.br
  • santandernet.com.br


If you do, this malware redirects your browser to a fake login page that imitates the original bank website. For example, if you try to visit "internetbanking.caixa.gov.br", your browser first displays an interstitial page that says "Loading...", then loads the fake website (screenshots not reproduced here).


We have observed this malware redirecting to the following fake banking websites:

  • bd.qwkoqs.com:8080
  • query.beginworkagain.com
  • ssl.securityverif.com
  • wan.msdpan.com
  • www.recapneusp.com:8080
  • www.sportnobew.com:8080
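The hosts above are indicators that the actors can rotate, but the behaviour that produces them (a request to a real bank site followed almost at once by a request to a host that is not the bank's, three of the six on a non-standard port) is more durable. The following script is an added example and is not part of the Microsoft write-up: it runs that redirect-chain detection over web proxy log lines. The four-field log format and the sample lines are constructed for the example, and the 60-second window is an assumption; only the bank domains and fake hosts are taken from the write-up.

```powershell
# Added example, not part of the Microsoft write-up. Sample log and its
# "<utc time> <client ip> <host[:port]> <path>" layout are constructed for this example.

$bankHosts = @('bancobrasil.com.br', 'internetbanking.caixa.gov.br', 'santandernet.com.br')
# Fake sites named in the write-up (plain IOC match). The port and bare-IP heuristics below
# are the behavioural signal that still fires after the actors move to new hosts.
$knownFakeHosts = @('bd.qwkoqs.com', 'query.beginworkagain.com', 'ssl.securityverif.com',
                    'wan.msdpan.com', 'www.recapneusp.com', 'www.sportnobew.com')

# Constructed sample: 10.0.0.5 and 10.0.0.9 are redirected, 10.0.0.7 is a normal bank visit.
$sampleLog = @'
2013-04-08T09:15:01Z 10.0.0.5 internetbanking.caixa.gov.br /
2013-04-08T09:15:03Z 10.0.0.5 www.recapneusp.com:8080 /loading.html
2013-04-08T09:15:05Z 10.0.0.5 www.recapneusp.com:8080 /caixa/login.php
2013-04-08T09:16:10Z 10.0.0.7 santandernet.com.br /
2013-04-08T09:16:12Z 10.0.0.7 cdn.santander.com.br /static/app.js
2013-04-08T10:02:00Z 10.0.0.9 bancobrasil.com.br /
2013-04-08T10:02:04Z 10.0.0.9 203.0.113.10:8080 /bb/index.html
'@

function Test-BankHost([string]$hostName) {
    foreach ($b in $bankHosts) {
        if ($hostName -eq $b -or $hostName.EndsWith('.' + $b)) { return $true }
    }
    return $false
}

function Get-RedirectReason([string]$hostName, [int]$port) {
    # Ordered strongest to weakest; $null means "looks like an ordinary third-party request".
    if ($knownFakeHosts -contains $hostName) { return 'known Spycos fake site' }
    if ($hostName -match '^\d{1,3}(\.\d{1,3}){3}$') { return 'bare IP after bank visit' }
    if ($port -notin 80, 443) { return "non-standard port $port after bank visit" }
    return $null
}

function Find-BankRedirects {
    param([string[]]$Lines, [int]$WindowSeconds = 60)
    $events = foreach ($line in $Lines) {
        if ($line -notmatch '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)') { continue }
        $hostPort = $Matches[3] -split ':'
        [pscustomobject]@{
            Time   = [datetimeoffset]::Parse($Matches[1])
            Client = $Matches[2]
            Host   = $hostPort[0]
            Port   = if ($hostPort.Count -gt 1) { [int]$hostPort[1] } else { 80 }
            Path   = $Matches[4]
        }
    }
    # Per client: a bank request followed within the window by a request that matches one of
    # the heuristics. Unrelated hosts (CDNs, analytics) are deliberately not flagged.
    foreach ($group in ($events | Group-Object Client)) {
        $seq = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $seq.Count; $i++) {
            if (-not (Test-BankHost $seq[$i].Host)) { continue }
            $deadline = $seq[$i].Time.AddSeconds($WindowSeconds)
            for ($j = $i + 1; $j -lt $seq.Count -and $seq[$j].Time -le $deadline; $j++) {
                if (Test-BankHost $seq[$j].Host) { continue }
                $reason = Get-RedirectReason $seq[$j].Host $seq[$j].Port
                if ($reason) {
                    [pscustomobject]@{
                        Client   = $group.Name
                        BankHost = $seq[$i].Host
                        Redirect = "$($seq[$j].Host):$($seq[$j].Port)$($seq[$j].Path)"
                        Delay    = [int]($seq[$j].Time - $seq[$i].Time).TotalSeconds
                        Reason   = $reason
                    }
                }
            }
        }
    }
}

# On the sample: two hits for 10.0.0.5 (known fake site) and one for 10.0.0.9 (bare IP on :8080);
# 10.0.0.7's CDN request is not flagged.
Find-BankRedirects -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Point `-Lines` at `Get-Content` of a real proxy export after adjusting the regular expression to that log's column order. The bare-IP and port heuristics will also catch unrelated traffic on hosts that use non-standard ports, so a hit from them alone is a lead to confirm against the client's BHO list, not a verdict.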


Lowers computer security

It disables User Account Control (UAC), which Windows exposes through the LUA (Least-privileged User Account) policy, by changing the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

The change takes effect after the next reboot, after which members of the Administrators group run fully elevated with no consent prompt.

It also stops or deletes the following security-related services, which belong to the Avast and AVG antivirus products, using sc.exe:

  • aswUpdSv
  • avast! Mail Scanner
  • avast! Web Scanner
  • avg9wd
  • AVGIDSAgent
  • AVGWD




Analysis by Ricardo Robielos

Last update 08 April 2013