Weekly malware report – MSN Messenger worm and Bank trojans
This week’s PandaLabs’ report focuses on the Bankey.A, BankFake.A, Ketawa.A and the Opticibot.A Trojans and informs about Braban.F, a worm that spreads through MSN Messenger.
BanKey.A and BankFake.A have similar characteristics. Both banker Trojans display a spoof online banking screen and offer users the possibility of entering their bank details (account numbers, passwords,-¦). If users enter the information, it is immediately sent by email to the malware creators.
However, they differ in the way data is sent. BankFake.A uses a secure SMTP connection through port 465 and sends out encrypted data. BanKey.A, however, sends data to a Gmail account, using a template designed by the Trojan itself.
To ensure users do not suspect the fraud, once the information is stolen, the malicious codes display an error message apologizing for service disruption. To make the deceit more credible, BankFake.A redirects users to the bank’s legitimate website.
Both malicious codes can be distributed by email and are installed on computers under the guise of a Windows Internet Explorer shortcut. Finally, BankFake.A is also downloaded onto computers by the Downloader.OPY Trojan.
The Ketawa.A Trojan can reach users by email or as part of an Internet download. When run, the file opens a browser window with a joke in Indonesian in a similar way to some spam messages.
This Trojan modifies the Windows registry to make sure it is run every time the system restarts. It also creates some hidden files and modifies registry entries to conceal the changes it makes.
Opticibot.A is a “password stealer’ Trojan which uses rootkit techniques to hide the files and registry entries it creates. This way, it tries to go undetected by security solutions.
One of these registry entries ensures that it is run on every system restart. It also tries to connect to a web page to download malware or other malicious files.
“These four malicious codes are related to the new financially-oriented malware dynamic. Trojans are ideal tools for this purpose since they allow cyber-crooks to obtain plenty of confidential data more silently than other techniques,” summarizes Luis Corrons, Technical Director of PandaLabs.
The Braban.F worm spreads through MSN Messenger by sending a link to all the infected user’s contacts. The link is sent together with a text in Portuguese prompting users to click on it. If they do, they will be downloading copies of the worm.
The link also redirects users to a Brazilian web page, which asks for users’ consent to run a file. If they accept, they will be redirected to a page in Russian which will show a picture of a girl with a camera. While this occurs, users will be infected with the Banbra.EJX banker Trojan, the Nabload.BJG Trojan and the Braban.F worm.