Trojan spreading and confidential information stealing malware
FormShared.A is a worm aimed at spreading the SpyForms.S Trojan across P2P file-sharing programs. To do this, FormShared.A uses its own P2P client. It creates a subfolder called SHARED in the Windows directory. This contains a series of files with false names in order to entice other users to download SpyForms.S voluntarily. These names include: 4SCREENS V3.19 BY MP2K.CZIP, 4T AV V1.8 CD-VERSION FOR PALMOS.CZIP, 4T PUBLICATION 1.2 FOR PALMOS.CZIP, or 4TEAM FOR MICROSOFT OUTLOOK 2002 V1.50.0202 RETAIL.CZIP.
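The file-system traces described above can be checked during triage. The following is an added example, not code from the original article or from any vendor tool: the function name `scan_windows_dir` is hypothetical, the Windows directory is passed in as a parameter, and the lure list holds only the four names quoted above, so other .CZIP files are reported separately.

```python
import os
import sys

# Lure names quoted in the article; the article says the list "includes"
# these, so it is not exhaustive.
KNOWN_LURES = {
    "4SCREENS V3.19 BY MP2K.CZIP",
    "4T AV V1.8 CD-VERSION FOR PALMOS.CZIP",
    "4T PUBLICATION 1.2 FOR PALMOS.CZIP",
    "4TEAM FOR MICROSOFT OUTLOOK 2002 V1.50.0202 RETAIL.CZIP",
}

def scan_windows_dir(windows_dir):
    """Look for a SHARED subfolder under windows_dir and classify its files.

    Returns a dict: 'shared_dir' (path or None), 'known_lures' and
    'other_czip' (sorted lists of file names).
    """
    result = {"shared_dir": None, "known_lures": [], "other_czip": []}
    try:
        entries = os.listdir(windows_dir)
    except OSError:
        return result  # directory missing or unreadable: nothing to report
    # Compare case-insensitively, as Windows file systems do.
    for entry in entries:
        path = os.path.join(windows_dir, entry)
        if entry.upper() == "SHARED" and os.path.isdir(path):
            result["shared_dir"] = path
            break
    if result["shared_dir"] is None:
        return result
    for name in os.listdir(result["shared_dir"]):
        upper = name.upper()
        if upper in KNOWN_LURES:
            result["known_lures"].append(name)   # exact match with the article
        elif upper.endswith(".CZIP"):
            result["other_czip"].append(name)    # same extension, unknown name
    result["known_lures"].sort()
    result["other_czip"].sort()
    return result

if __name__ == "__main__":
    default = os.environ.get("WINDIR", r"C:\Windows")
    print(scan_windows_dir(sys.argv[1] if len(sys.argv) > 1 else default))
```

A SHARED folder alone is only a weak signal; a match on one of the quoted file names is the stronger one.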
Banker.FOH is a Trojan designed to steal confidential information, such as user names and passwords, from compromised computers. It does this by capturing keystrokes entered by the user, storing them and then sending them out by email. If Banker.FOH runs on a computer without an Internet connection, an error screen is displayed with the text: Socket Error # 11004.
As with most Trojans, Banker.FOH is not able to spread by itself, and therefore needs the intervention of a malicious user. The means of distribution vary and include floppy disks, CD-ROMs, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
Finally, Banbra.DMW is a Trojan designed to steal confidential data from users of a well-known Brazilian bank. Interestingly, this is a "one-use" malicious code which can only be run once on each computer it infects.
Every time it infects a computer, Banbra.DMW sends an email to the creator of the Trojan indicating the username and the time the computer was infected. Once it has done this, it hijacks Internet Explorer and waits for the user to access the bank's web page. Then, Banbra.DMW takes the user to a false web page, created by the Trojan itself, which is an imitation of the original page.
Finally, it compiles the stolen data and sends it out by email, allowing the attacker to commit identity theft and online fraud.