Bank web site monitoring trojan and a couple of other pests

Banker.FLO is a Trojan that monitors Internet traffic generated when the user accesses web pages related with the following online banks: Banco do Brasil, Bradesco, Itau y Santander Banespa. The Trojan logs keystrokes made when logging into these websites. It thereby captures the user names and passwords, which are sent by email to the creator of the malicious code.

Banker.FLO cannot spread automatically using its own means and therefore, needs an attacker to distribute it. Typically it is spread using floppy disks, peer-to-peer networks, email messages, Internet downloads, etc.This Trojan is difficult to detect as it does not display any type of message warning of its presence.

The other Trojan in today’s report is TnegA.A. This is a backdoor Trojan that connects to a server in order to provide remote access to infected computers, compromising confidentiality and preventing users from operating the computer normally.

This malicious code prevents users from accessing certain web pages, in particular those belonging to antivirus companies, it also prevents certain monitoring and configuration tools from running, such as Windows Registry Editor.

TnegA.A requires the intervention of an attacker in order to spread. As is typical in this type of malware, it can propagate on a range of media including CD-ROMs, Internet downloads or IRC channels.

The IrcBot.AIV has backdoor characteristics, as it connects to an IRC to receive remote commands and execute them on the computer on which it is hosted. To infect other systems, this worm installs its own FTP server on the infected computer.

IrcBot.AIV uses two means of propagation. Firstly, it creates copies of itself in shared network resources to which it has access. Alternatively, it spreads across the Internet exploiting the LSASS, RPC DCOM, and UPnP vulnerabilities. For this reason, it is advisable to download the security patches that fix these vulnerabilities from Microsoft’s website.

Today’s report closes with the WKSSVC malicious code, based on a vulnerability in the WKSSVC.DLL file on computers with Windows XP/2000.  If a computer is vulnerable to WKSSVC, it could allow hackers to run code remotely.
To fix this vulnerability, it is advisable to download and install the patch for the vulnerability in the Workstation Service, included in the Microsoft MS06-070 bulletin. 

Source: Panda Software




Share this