[Malware Review] Trojan.Spy.Banker.ABGS

Written in Delphi and packed with Aspack and Themida, Trojan.Spy.Banker.ABGS comes hidden under an Internet Explorer icon.

1^st Step – Scouting

The sly spy-banker is subtle and it really knows how to watch its back. Once it gets executed by the unwary user, its first “thought” is to check if SoftICE is running on the computer. And, if SoftICE’s installed, the computer will not be infected. Designed to run underneath Windows, SoftICE is a debugging application that is capable of suspending all operations in Windows (malware included) when so instructed. The banker is cautious.

2^nd Step – Installation

Should SoftICE not be running on the system, then the infection is initiated: The malicious software creates a file called megatron.ini and placed inside the system folderwhich stores the banker’s settings. Afterwards, the banker creates a copy of itself in %SYSTEM%imglog.exe, which means that the system is officially infected.

The banker adds %SYSTEM%imglog.exe at startup by creating a new entry under HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun. The infected executable (C:WINDOWSsystem32imglog.exe) will have the name SymantecFilterCheck. Furthermore, another registry key is created: HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform.

3^rd Step – Establishing contact with the creator

Trojan.Spy.Banker.ABGS sends an e-mail to its herder using smtp.tutopia.com.br as the mail gateway. This message announces, in fact, that the respective computer is infected and that it is now part of the malicious defrauding system.

4^th Step – Cleaning the computer

The banker searches for other pieces of malware that might lurk on the system in order to rename them (for example: SSH2.dll, gbieh.gmd, gbiehcef.dll.) so as to prevent them from being initialized at the next system startup.Trojan.Spy.Banker.ABGS uses a text file disguised as a DLL, which holds the filenames to be looked up and renamed.

5^th Step – Final touch

While in operation, the virus searches for the presence of a running Internet Explorer instance which uses DDE (Dynamic Data Exchange). If such instance is found, the spy-banker checks for banking URLs it has been instructed to monitor and displays a fake web browser window that looks identical to the bank’s login system. Of course, if the user logs in, his/her credentials will actually land in the attacker’s inbox.

It is no secret that banker-Trojans spring mostly from Brazil and Trojan.Spy.Banker.ABGS is no exception to the rule.

The technical information in this article is available courtesy of BitDefender virus researcher Robert Szasz.