Modified by: Erika Bianca Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan opens an instance of the browser to access a certain website.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

File size 69,632 bytes
File type BAT
Memory resident No
Initial samples received on 10 Oct 2011

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Download Routine

This Trojan connects to the following malicious URLs:

  • http://www.{BLOCKED}ebattante.org/media/com_fabrik/images/total_visitas.php

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file:

  • 209.59.212.251 www4.itau.com.br
  • 209.59.212.251 itau.com.br
  • 209.59.212.251 www.itau.com.br
  • 209.59.212.251 www.bancoitau.com.br
  • 209.59.212.251 bancoitau.com.br
  • 209.59.212.251 www.itaupersonnalite.com.br
  • 209.59.212.251 itaupersonnalite.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 bradesco.com.br
  • 209.59.212.251 www.bradesco.com.br
  • 209.59.212.251 www4.bradesco.com.br
  • 209.59.212.251 www.prime.com.br
  • 209.59.212.251 prime.com.br
  • 209.59.212.251 www.bradescoprime.com.br
  • 209.59.212.251 bradescoprime.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 bb.com.br
  • 209.59.212.251 www.bb.com.br
  • 209.59.212.251 www.bancodobrasil.com.br
  • 209.59.212.251 bancodobrasil.com.br
  • 127.0.0.1 localhost
  • 127.0.0.1 localhost
  • 209.59.212.251 www.tam.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 www.multiplusfidelidade.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 www.sicredi.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 sicredi.com.br
  • 209.59.212.251 www.serasa.com.br
  • 209.59.212.251 serasa.com.br
  • 127.0.0.1 localhost
  • 127.0.0.1 localhost
  • 209.59.212.251 www.santander.com.br
  • 209.59.212.251 www4.santander.com.br
  • 209.59.212.251 santander.com.br
  • 209.59.212.251 www.santandernet.com.br
  • 209.59.212.251 santandernet.com.br
  • 209.59.212.251 www.banespa.com.br
  • 127.0.0.1 localhost
  • 127.0.0.1 localhost
  • 209.59.212.251 www.santanderempresarial.com.br
  • 209.59.212.251 santanderempresarial.com.br
  • 127.0.0.1 localhost
  • $ $ $$$$$ $$$$$ $$ $$ $ $
  • $ $ $ $ $ $$ $$ $ $
  • $$$$$ $$$$$ $$$$$ $$$ $$$$$
  • $ $ $ $ $ $$ $$ $ $
  • $ $ $ $ $$$$$ $$ $$ $ $

NOTES:

It opens an instance of the browser to access the following website:

  • www.youtube.com