Malware report on BankFake.F trojan, MSNHideOptions and Grogotix worms

Panda Software’s weekly report on viruses and intruders

This week’s PandaLabs report looks at the BankFake.F Trojan, the first two variants of the MSNHideOptions worm and the Grogotix.A worm.

BankFake.F is a dangerous banker Trojan that targets nine financial entities. It can arrive via email or in downloads from the Internet, and the file carries an icon of two small winged tortoises.

When it is run, the Trojan opens a web page and displays a photo as a distraction. Meanwhile, it connects to two other addresses to download several compressed files, all packed with UPX.

The Trojan is designed to steal online banking credentials. It works as follows: when the user types the address of one of the targeted banks into the browser, BankFake.F closes the browser and launches an application built for that particular bank. The application displays an image of the bank’s web page and collects whatever the user types into it.
Once the confidential data has been entered, it is stored in files with .bsp or .cop extensions. The Trojan periodically connects to an FTP site to upload the harvested information to its creator.

In addition to bank passwords, BankFake.F is also designed to steal Hotmail account passwords. To do this, it displays an error message and asks the user to re-enter their credentials; once again, the form shown is not the real page but an application belonging to the Trojan.

Grogotix.A is a worm that creates six copies of itself on the system when it infects a computer. Every time the user opens a folder, it drops a copy of itself named after that folder, both inside the folder and in the parent directory. It also drops a copy of itself with the same name as any file the user runs.

Grogotix.A modifies the hosts file, adding a message supposedly signed by the worm’s creator stating that he hates his campus. The same modification adds entries that prevent the user from reaching several web pages, all of them belonging to computer security companies. Panda Software detects this modification as Qhost.gen.
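Hijacking the hosts file is how Grogotix.A keeps the victim away from security vendors’ sites, and the same trick is what the generic Qhost detection looks for. The following script is an added example, not Panda Software’s code or anything from the worm itself: it parses hosts-file text and flags names that are sinkholed (mapped to a loopback or unspecified address) or that belong to a watch-list of security-vendor domains. The watch-list, the sample hosts content and the planted comment line are all constructed for the example; the page does not list the sites the worm actually blocks.

```python
"""Flag hosts-file entries that sinkhole or hijack security-vendor names."""
import ipaddress

# Hypothetical watch-list of security-vendor domains. Constructed for this
# example; the page does not name the sites Grogotix.A blocks.
WATCHLIST = {"pandasoftware.com", "example-av.test"}

# Names that are legitimately mapped to loopback in a clean hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in hosts text.

    Comments and blank lines are skipped; lines whose first field is not an
    IP address are ignored rather than raising.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def on_watchlist(name, watchlist):
    """True if name is a watch-listed domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_number, hostname, address, reason) for each suspicious mapping."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        sinkholed = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0, ::
        if name in LOCAL_NAMES and sinkholed:
            continue  # the normal loopback entries every hosts file carries
        if on_watchlist(name, watchlist):
            reason = ("security site sinkholed" if sinkholed
                      else "security site redirected to " + str(addr))
        elif sinkholed:
            reason = "external name sinkholed to " + str(addr)
        else:
            continue  # ordinary static mapping, e.g. an intranet host
        findings.append((lineno, name, str(addr), reason))
    return findings


# Constructed sample: two clean loopback lines, a planted comment standing in
# for the worm author's message, three blocking entries and one benign mapping.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# i hate my campus   (constructed stand-in for the author's message)
127.0.0.1       www.pandasoftware.com
127.0.0.1       pandasoftware.com example-av.test
0.0.0.0         update.example-av.test
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for lineno, name, addr, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

To check a live machine, read the real file instead of `SAMPLE_HOSTS` (`C:\Windows\System32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere). Treating any non-local name that resolves to loopback as suspicious, rather than relying only on the watch-list, catches blocking entries for vendors you did not think to list.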

This worm also creates and modifies registry entries. One of them ensures that the worm runs at every system startup, while another removes several options from the Start menu.

Grogotix.A is also designed to prevent several programs from running, and it hides the folders of some security products.

It tries to reach an IRC network, attempting several servers in turn. If it succeeds, it uses the connection to send information about the infected computer to its creator. It also sends random private messages to other users on the network, each with one of several lure texts and a link to download the malware. These texts (in Indonesian, with the placeholder $nick replaced by the recipient’s nickname) include:

– $nick, free picture indonesia sex double klik url: (“free Indonesian sex picture, double-click the URL”)
– aloo $nick mo liat artis majalah playboy indo?, double klik url: (“hello, want to see Indonesian Playboy magazine models? double-click the URL”)
– Bunga.C Dah Berani Bugil, Untuk liat Fotonya double klik url: (“Bunga C. has dared to pose nude; to see her photos, double-click the URL”)
– 8 aloo $nick mo liat artis-artis indonesia nude, double klik url: (“hello, want to see Indonesian celebrities nude? double-click the URL”)

But the malicious action taken by Grogotix.A doesn’t end there. It also drops a web page on the system with a random five-character name and tries to use a script in that page to download a further malicious file.

This week, PandaLabs has also discovered the A and B variants of the MSNHideOptions worm. Whereas the previous code tries to slip by unnoticed, these seem to want to be seen: as soon as they run, they show the user a couple of messages in Spanish, one of which is an insult.

Other malicious actions carried out by these worms include creating a file called “Mis Contactos” (“My Contacts”), in which they store all the addresses from the user’s mail program. They also hide several items on the Windows Start menu, including Run, Search and Help.

These variants of MSNHideOptions spread via email or MSN Messenger. To do so, they send a message to the contacts harvested from the infected computer asking the recipient to open a link that supposedly leads to photos of a person.
