Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident Trojan arrives on a system as a file downloaded from a possibly compromised site that is linked from email messages spammed in the wild. It may also arrive as a file dropped by other malware.
The spammed message bears news of the latest airplane crash in Brazil. When a user clicks the link in the message body, the browser is directed to http://{BLOCKED}tv.com/naboard/.../, from which this Trojan is downloaded.
When executed, it downloads a file from another Web site and saves it as WINSW.EXE in the root folder of the affected system's drive, which is usually C:\. Trend Micro detects this file as TSPY_BANKER.JHR, so the routines of that spyware are also exhibited on the affected system.
It hides its own window and process so that it remains invisible in the taskbar when running.
It uses the file WINMPX.LOG in the system root of the affected system as a marker: it checks for the file and continues with its other routines only if the file is not found.
It disables Internet Connection Sharing and Windows Firewall by executing the command net stop SharedAccess. On Windows XP, SharedAccess is the single service that hosts both Windows Firewall and Internet Connection Sharing (ICS), so stopping it turns off both with one command.
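The behaviors above (the WINSW.EXE drop in the drive root, the WINMPX.LOG marker check, and the `net stop SharedAccess` command) can be turned into host-telemetry detection logic. The following is an added example written for this page, not Trend Micro's code or anything recovered from the malware; the key=value record format, the PIDs, and the image name downloaded.exe are assumptions for the demonstration, and the sample records are constructed rather than captured.

```python
"""Detection sketch for the three behaviors named above (added example, not
Trend Micro's code).  It scans constructed endpoint telemetry records for a
process whose command line is `net stop SharedAccess`, a WINSW.EXE written to
a drive root, and a WINMPX.LOG looked up in a drive root.  The key=value line
format, the PIDs and the image name downloaded.exe are assumptions."""

import re
from typing import Dict, Iterable, List, Optional

# Drive-root files named on the page, matched case-insensitively (Windows
# paths).  The drive letter is left open because the page says "usually C:\".
ROOT_FILE_RE = re.compile(r"^[a-z]:\\(winsw\.exe|winmpx\.log)$", re.IGNORECASE)

# `net stop SharedAccess`, whether typed bare, given with a full path to
# net.exe, or run through net1.exe (the helper net.exe hands the work to).
NET_STOP_RE = re.compile(
    r'(?:^|\\|\s)net1?(?:\.exe)?"?\s+stop\s+"?sharedaccess"?(?:\s|$)',
    re.IGNORECASE,
)


def parse_record(line: str) -> Dict[str, str]:
    """Parse one `key=value key="quoted value"` line into a dict."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return an indicator name if the record matches one of the behaviors."""
    if rec.get("type") == "process" and NET_STOP_RE.search(rec.get("cmdline", "")):
        return "sharedaccess_stopped"      # firewall/ICS service stopped
    if rec.get("type") == "file":
        m = ROOT_FILE_RE.match(rec.get("path", ""))
        if m:
            name = m.group(1).lower()
            if name == "winsw.exe" and rec.get("action") == "create":
                return "winsw_dropped"     # TSPY_BANKER.JHR payload written
            if name == "winmpx.log":
                return "winmpx_marker"     # marker file looked up or present
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over raw lines; return the hits with process context."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        ind = classify(rec)
        if ind:
            hits.append({"indicator": ind, "pid": rec.get("pid", "?"),
                         "ppid": rec.get("ppid", "?"), "ts": rec.get("ts", "?")})
    return hits


def verdict(hits: List[Dict[str, str]]) -> str:
    """Strongest call the hits support: the drop plus the service stop
    together are the chain the page describes; either alone is only suspicious."""
    seen = {h["indicator"] for h in hits}
    if {"winsw_dropped", "sharedaccess_stopped"} <= seen:
        return "match: WINSW.EXE drop and SharedAccess stop observed"
    if seen:
        return "suspicious: " + ", ".join(sorted(seen))
    return "clean"


# Constructed sample telemetry (not a real capture).  Backslashes are doubled
# only because these are Python literals.
SAMPLE = [
    'ts=2007-07-18T10:02:11Z type=process pid=1320 ppid=900 image="C:\\Temp\\downloaded.exe" cmdline="downloaded.exe"',
    'ts=2007-07-18T10:02:12Z type=file action=read pid=1320 path="C:\\WINMPX.LOG"',
    'ts=2007-07-18T10:02:14Z type=file action=create pid=1320 path="C:\\WINSW.EXE"',
    'ts=2007-07-18T10:02:15Z type=process pid=1344 ppid=1320 image="C:\\WINDOWS\\system32\\net.exe" cmdline="net stop SharedAccess"',
    # benign look-alikes that must not fire
    'ts=2007-07-18T10:05:00Z type=process pid=1350 ppid=900 image="C:\\WINDOWS\\system32\\net.exe" cmdline="net stop Spooler"',
    'ts=2007-07-18T10:05:01Z type=file action=create pid=1350 path="C:\\WINDOWS\\Temp\\winsw.exe"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h)
    print(verdict(scan(SAMPLE)))
```

The file rule is deliberately narrow (drive root only, as the page states) so that a legitimately named winsw.exe elsewhere does not fire; the `ppid` carried in each hit lets an analyst tie the net.exe child back to the process that wrote WINSW.EXE.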
Description created: Jul. 18, 2007 12:00:00 AM GMT -0800