eScan : Secure – Scalable – Reliable : Antivirus, Content Security and Firewall Protection for Servers and Endpoints

eScan Wiki Forum

eScan Forum RSS

eScan Feeds

Home | Events | Bookmark | Recommend eScan | Technical Support

Our Vision | Management Profile | About us | Careers | News

Virus Information

Summary


Profile	Prevalence: Low

Name	Trojan.Banker.Delf.ZRD
Type	Tojan Dropper
How it spreads	Spreads via e-mail and infected documents
Affected operating systems	Windows® XP operating system, Windows Vista® operating system
Aliases
Date of surface	May 25 2010 12:00AM

Description

Symptoms

This Trojan disguises itself as a banking application for Bradesco, one of the largest private-sector banks. It has a browser-like GUI, which contains buttons and hyperlinks that are not functional.

Description

This Trojan poses as a legitimate application from Bradesco that allows users to log in to their bank accounts. When the user first tries to log in to an account via this seemingly harmless application, it displays a message informing the user that the account will expire within five days. The user is then asked reenter personal detains to renew the account. The application refuses to shut down when the user tries to close the application window without entering any information.

If the user enters the information, and completes the next three steps successfully, the application to connect to http://web67.xx.xx.xx.br by sending three packets of length 252 bytes, 2127 bytes, and 186 bytes. It uses socket-based connections on the local port number 1085 and uses proxy-forwarding with an entire branch of login ids to make it difficult to track the packets.

The information regarding the Web site is as follows:

Web site:	http://web67.xx.xx.xx.br
IP address:	xxxx.xxxx.xxxx.xxxx
domain:	xx.xx.br

In last two packets, the Trojan encodes data sets collected from the user`s computer in the Base64 format and then sends this to http://www.xx.xx/xx/index.php

Recovery

To remove the Trojan, please follow any of these methods.

Method 1
The latest antivirus update of ‘e Scan removes the Trojan from your computer. Ensure that your computer is connected to the Internet. On the taskbar, in the notification area, right-click the red ‘e Scan icon, and then click Update now. The latest updates will be downloaded on your computer. You can then scan your computer to remove the Trojan.

Method 2
Download the free MicroWorld Antivirus toolkit (MWAV toolkit), and then run it on your computer. This toolkit checks your computer, system registry, and running processes for viruses, illegal dialers, or sniffer tools and then detects them.

You can download the MWAV toolkit from the MicroWorld Web site.

Method 3
MicroWorld’s ‘e Scan Internet Security Suite (ISS) product has a real-time monitor that detects viruses in system registry and running processes.

To download and install this product, click here.

Advanced

| More