September 5th, 2002, 06:45 PM
Brazilian virus modifies Internet Banking software

Friday, 30 August 2002 - 16h30
IDG Now!

A new virus of Brazilian origin that modifies Internet Banking software has been identified. According to security company McAfee, Backdoor-AJX is a Trojan that opens a backdoor on the victim's machine and creates a log file containing system information and data typed by the user.

Backdoor-AJX consists of multiple components: SFX files, keyboard-related DLL and BAT files. The malware arrives as a self-extracting executable file of 444.416 bytes. When it is executed, the C:\BancoBrasil directory is created and a series of files is dropped there. A BAT file launched by the Trojan is then executed and modifies the following files:

1. C:\BancoBrasil\BB InterNet Banking.htm (2,784 bytes)
2. C:\BancoBrasil\bb.bat (98 bytes)
3. C:\BancoBrasil\Setup.pif (967 bytes)
4. C:\BancoBrasil\Images\ (various GIFs, global.js)
5. %WinDir%\System\Setup.exe (413,696 byte SFX)
6. %WinDir%\System\DosPrmt.exe (728,064 bytes)
7. %WinDir%\System\Control.ini (78 bytes)
8. %WinDir%\System\ttwain.dll (44,544 bytes)
9. %WinDir%\System\lista.log (the keylogger output file)
10. %WinDir%\Desktop\BB Intnet Banking.lnk (shortcut to item 1)

The files, in turn, open up the victim's machine, issuing an HTTP request to a Brazilian site. After that, a list of files is created in the C:\Windows\Favoritos directory, and a registry key is added so that the Trojan is loaded at system startup. The registry key is the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "DOSPRMT.EXE" = C:\WINDOWS\SYSTEM\DOSPRMT.EXE

McAfee warns, however, that if the C:\Windows\Favoritos directory does not exist on the victim's machine, the registry key above will not be created.
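A triage check built from the file list above, added here as an example and not part of the original post or of McAfee's description: it looks for the listed files under a live or mounted Windows volume, matching names case-insensitively and using the published sizes to separate exact hits from name collisions such as Setup.exe. The function names, verdict labels and the sample tree in demo() are constructed for illustration; the Images folder and the registry value are not checked.

```python
import os
import tempfile

# Indicators exactly as listed in the post: (root, relative path, size or None).
INDICATORS = [
    ("C", r"BancoBrasil\BB InterNet Banking.htm", 2784),
    ("C", r"BancoBrasil\bb.bat", 98),
    ("C", r"BancoBrasil\Setup.pif", 967),
    ("WINDIR", r"System\Setup.exe", 413696),
    ("WINDIR", r"System\DosPrmt.exe", 728064),
    ("WINDIR", r"System\Control.ini", 78),
    ("WINDIR", r"System\ttwain.dll", 44544),
    ("WINDIR", r"System\lista.log", None),  # keylogger output, size varies
    ("WINDIR", r"Desktop\BB Intnet Banking.lnk", None),
]

def resolve(base, rel):
    """Walk rel under base ignoring case, as a Windows volume would."""
    cur = base
    for part in rel.split("\\"):
        names = os.listdir(cur) if os.path.isdir(cur) else []
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        cur = os.path.join(cur, hit)
    return cur if os.path.isfile(cur) else None

def scan(c_root, windir):
    """Return (relative path, actual size, verdict) for each indicator found."""
    findings = []
    for root, rel, size in INDICATORS:
        path = resolve({"C": c_root, "WINDIR": windir}[root], rel)
        if path is None:
            continue
        actual = os.path.getsize(path)
        verdict = "present" if size is None else (
            "size-match" if actual == size else "name-only")
        findings.append((rel, actual, verdict))
    return findings

def demo():
    """Scan a constructed tree: one exact hit, one name collision, one log file."""
    with tempfile.TemporaryDirectory() as c_root:
        system = os.path.join(c_root, "WINDOWS", "SYSTEM")
        os.makedirs(system)
        for name, size in (("dosprmt.exe", 728064), ("SETUP.EXE", 1000), ("lista.log", 12)):
            with open(os.path.join(system, name), "wb") as fh:
                fh.write(b"\0" * size)
        return scan(c_root, os.path.join(c_root, "WINDOWS"))
```

A "name-only" verdict means a file with a listed name exists but its size differs from the published one, so it needs a closer look rather than being treated as a confirmed hit.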