
Thread: Trojan monitoring almost every browser

  1. #1

    Trojan monitoring almost every browser

    I've been seeing an increasing number of infections by this trojan.
    It seems to monitor Chrome, Firefox, Safari and IE to steal bank account information.
    In case anyone's interested in analyzing it, I'll post it here.

    Password: malware

  2. #2

    Thumbs up

    Not Opera ? \0/

    EDIT: Wow, it is quite nasty... It is detected as Trojan.Win32.Cosmu.faz by KAV; it has been on the watch list for two days.

    Your file is packed with UPX; it contains 18 imports and numerous functions. Analysis made the debugger crap its pants and my VM BSOD.
    There is a resident binary called "services" which is also running a child called "jqs". The latter is dropped in Local Settings\Temp; the first one is detected, the latter is not.
    It is dropping some files in system32 and so on...

    It is querying google.com.br, then happymod.info
    On this one it is GETting four files "flexds10.a,house10.a,total10.pmk,view25.a" which are XORed binaries, also packed with UPX. They all seem to contain the same code.

    It also queries contabilizando.webcindario.com/acesso.php with information about your infected computer (Windows version, user name, IP address and port). This PHP code is exploitable btw.

    Some anon example from the root dir list:
    ###WinVista # 8 # 10071677 # ANASALES-PC # # 72.218.XXX.222 # 49X90 # 2009-12-14 # 21:09:04
    FF ####WinXP # 6 # 32962726 # MAQUINA09 # # 189.104.X.116 # XXX9 # 2009-12-14 # 21:09:28
    ###WinVista # 8 # 22852820 # JAQUELINEXXX # # 2XX.144.1X.74 # XX644 # 2009-12-14 # 21:11:57

    EDIT2: http://www.threatexpert.com/report.aspx?md5=2acca2a8316782af9d0892e679f7594a has some additional info for you guys.

    This is a courtesy of Brasil =)


    Thanks to MAD° guys for the side by side analysis

    ° http://mad.internetpol.fr/ - [FR]
    Last edited by Silkut; December 17th, 2009 at 20:06. Reason: addendum
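The post above describes two artefacts a reader might want to handle: the '#'-delimited check-in records dumped from acesso.php, and the downloaded "flexds10.a"/"house10.a"/... payloads, which are XORed, UPX-packed binaries. The following is an added example (not code from the original post or from the malware) that parses the redacted sample records and brute-forces a single-byte XOR key by looking for the PE "MZ" header and a "UPX" section name. The single-byte-key assumption and the field names are mine; the post only shows the values, and the payload bytes below are a constructed stand-in, not real malware.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the redacted records quoted in the post, verbatim.
SAMPLE_RECORDS: List[str] = [
    "###WinVista # 8 # 10071677 # ANASALES-PC # # 72.218.XXX.222 # 49X90 # 2009-12-14 # 21:09:04",
    "FF ####WinXP # 6 # 32962726 # MAQUINA09 # # 189.104.X.116 # XXX9 # 2009-12-14 # 21:09:28",
]


@dataclass
class BeaconRecord:
    prefix: str    # whatever precedes the OS cell ("FF" on one line); meaning unknown
    os_name: str   # Windows version reported by the bot
    field_a: str   # small integer, meaning unknown
    field_b: str   # larger integer, meaning unknown
    machine: str   # looks like the Windows computer name (the post says "user name")
    ip: str
    port: str
    date: str
    time: str


def parse_beacon_record(line: str) -> BeaconRecord:
    """Split one acesso.php record on '#' and map the last nine cells.

    The number of leading '#' varies between lines (and one line carries an
    'FF' tag), so the leading cells are kept as an opaque prefix instead of
    being assigned a meaning the post does not give.
    """
    cells = [c.strip() for c in line.split("#")]
    if len(cells) < 9:
        raise ValueError(f"expected at least 9 '#'-separated cells: {line!r}")
    tail = cells[-9:]
    prefix = " ".join(c for c in cells[:-9] if c)
    os_name, field_a, field_b, machine, _empty, ip, port, date, time = tail
    return BeaconRecord(prefix, os_name, field_a, field_b, machine, ip, port, date, time)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_upx_pe(data: bytes) -> bool:
    """Cheap plausibility check: DOS 'MZ' signature plus a UPX section name."""
    return data[:2] == b"MZ" and b"UPX" in data


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one that yields a UPX-packed PE.

    Returns None when no key produces the expected markers, which would mean
    the single-byte-key assumption is wrong for this sample.
    """
    for key in range(256):
        if looks_like_upx_pe(xor_bytes(blob, key)):
            return key
    return None


# Constructed stand-in for one of the downloaded '.a' files: a fake PE stub
# with UPX section names, XORed with 0x5A. These are not real malware bytes.
_FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
)
SAMPLE_XORED_PAYLOAD = xor_bytes(_FAKE_PE, 0x5A)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = parse_beacon_record(rec)
        print(f"{r.os_name:8} {r.machine:14} {r.ip}:{r.port} {r.date} {r.time} prefix={r.prefix!r}")
    key = recover_xor_key(SAMPLE_XORED_PAYLOAD)
    print("recovered XOR key:", None if key is None else hex(key))
```

Once the key is recovered, the decoded blob can be handed to `upx -d`; if `recover_xor_key` returns None on a real sample, the key is longer than one byte or the payload is not a plain PE, and a known-plaintext attack against the DOS stub is the next step.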

  3. #3
    A variant described on Trend Micro's blog.
    http://blog.trendmicro.com/banker-scams-new-spam-victims/
