Deliver Your News to the World

ORANGE ALERT: Panda Software reports new Trojan that could steal online banking passwords of thousands of Spanish-speaking users


WEBWIRE

- This new Trojan combines social engineering distribution through Messenger, and uses the techniques ofspywareand phishing
- Its target is online bank users in Spanish-speaking countries

- Once it acquires the password, the Trojan attempts to send the email to its author

- TruPrevent Technologies are able to detect and block Banker.bsx

Glendale, CA. December 26.- A new Trojan, Nabload.U, which is distributing itself through Messenger, has appeared a few hours ago. This Trojan downloads another Trojan, called Banker.bsx, which is currently the number one detected piece of malware from Panda’s ActiveScan. Its objective is to obtain the passwords of certain banks that it has stored in its code primarily from Spanish-speaking users.

The most unusual aspect of this Trojan is its ability to capture the information without the use of a traditional key logger. The user will be unaware that this is occurring. Banks that use virtual keyboards to avoid keyloggers won’t be protected from this Trojan.

Once the author has the keys, he can commit banking fraud with the accounts.

According to Luis Corrons, PandaLabs director: “This Trojan is an example of a hybrid virus that mixes different techniques. Once the user clicks on the URL, it is able to download a Trojan and use techniques similar to some spyware and phishing attacks. It is, without a doubt, a Trojan designed to steal data quickly, and without leaving any tracks.”

Nabload.U uses social engineering techniques to get the user to click on the URL provided. The sentence is in Spanish: “ve esa vaina http://hometown.%eliminado%.au/miralafoto/foto.exe.” It is disguised as a personal contact. When the user clicks on this URL, another Trojan, Banker.BSX, is downloaded. It also offers two others URLs_ http://hometown.%eliminado%.au/arqarq/coco2006.jpg and http://hometown.%eliminado%.au/modnatal/coco2006.jpg that downloads a configuration file. In this file, you can find – as well as other information- the e-mail address where the stolen data will be sent.

This Trojan opens up port 1106 on the computer and stays active. So, when the user tries to access one of the online bank addresses shown bellow, the Trojan will be able to capture what the user is doing on the screen, including the login and password typed by virtual keyboards to access the bank account. This Trojan only captures the information from the addresses below:

https://secure2.venezolano.com/
https://e-bdvcp.banvenez.com
https://www.ibprovivienda.com.ve/personas/
https://banco.micasaeap.com/individualmc/
https://olb.todo1.com/servlet/msfv/
https://www.banesco.com/servicios_electronicos_pag.htm
https://www.banesconline.com
https://www.provinet.net/shtml/
https://bod.bodmillenium.com
https://www.corp-line.com.ve/personas/
Once the Trojan has captured the information, it sends this data to an e-mail address. The author can change this e-mail address as desired.

To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

TruPreventTM detection technologies detect and eliminate Banker.BSX with no need for previous updates, so computers with these technologies have been protected from the moment the Trojan Horse appeared.

For further information about Nabload.U and Banker.BSX, visit Panda Software’s Encyclopedia.

About PandaLabs

On receiving a possibly infected file, Panda Software’s technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.



WebWireID7308





This news content was configured by WebWire editorial staff. Linking is permitted.

News Release Distribution and Press Release Distribution Services Provided by WebWire.