This week’s trojans: Banker.HIK, Wsnpoem.AW and Dadlam.A

Banker.HIK belongs to the increasingly widespread “banker Trojan’ malware category, and is specially designed to steal information entered in online applications, mainly those of Brazilian banks, such as Banco do Brasil or CEF.  It does this by displaying false screens where users enter their banking details which the Trojan will then have at its disposal.

Banker.HIK also monitors the traffic generated on certain web pages, increasing its scope to gain more user data. This Trojan copies itself in the “Start” Windows folder as logon.exe, which makes the Trojan run every time the computer is rebooted. One of Banker.HIK’s traits is that it shows a “Socket Error # 11004” message, making it easier to detect.

The second Trojan in the report, Wsnpoem.AW, also steals passwords. This malicious code deletes all the cookies on the computer to make users type the web addresses it will access in the address bar again.

Wsnpoem.AW also makes changes and creates certain files in the registry and in the Windows start directory, so it runs every time the computer is restarted. This Trojan creates the “__SYSTEM__64AD0625__” mutex, an in-memory process which does not allow two copies to run at the same time.

Dadlam.A is another Trojan in this week’s report. It is a keylogger Trojan which poses a moderate risk to computers. The Trojan hides in a video file icon and shows a video with sexual content to distract the user. In addition, Dadlam.A modifies the boot.ini file and creates a task that makes the computer reboot at 6:00.

The main threat Dadlam.A poses is that it drops two malicious programs. The first, IRCbot.ASM, acts as a backdoor, scanning all the computer ports to know which of them are easiest to enter. The second, Downloader.OBW, downloads other types of malware on the compromised computer.

Dadlam.A cannot spread by its own means, it requires users’ actions and enters the system through common channels, whether it is downloaded by another malware or from a malicious web page.


Share this