Panda Security’s weekly report on viruses and intruders
June 2008 by Panda Security
PandaLabs’ report this week focuses on the Banbra.FUD and Dadobra.APK Trojans, and the MalwareProtector 2008 adware.
The Banbra.FUD Trojan uses the Microsoft Internet Explorer icon to pass as a legitimate file. When run, it opens an FTP connection to a fixed IP address and uploads a file named after the affected computer followed by the word Aviso (Warning).
Banbra.FUD creates several files on the infected system and several keys in the Windows registry. When users connect to specific Brazilian online banks, an error message is displayed and a window with a spoofed bank URL is opened, in which users are asked to enter their login details.
When users re-enter their credentials, the Trojan captures them and appends them to a text file, which it later sends via FTP to the same IP address.
It also deletes files belonging to security applications and to other banker Trojans.
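The exfiltration pattern described above (a text file named after the infected host plus "Aviso", uploaded over FTP to one fixed address) is something a network sensor can flag. The following is an added detection example, not code from Panda Security or from the report: the FTP control-channel log format, the sample lines, the host names and the IP addresses are all constructed for illustration, and the separator (if any) between the computer name and "Aviso" is an assumption, which is why the pattern treats it as optional.

```python
"""Flag host-named 'Aviso' uploads over FTP (Banbra.FUD-style exfiltration).

Added example. The log format is a hypothetical sensor format, one FTP control
command per line:  <timestamp> <client hostname> <server IP> <FTP command> [arg]
"""
import re
from collections import defaultdict

# Constructed sample log: hostnames, IPs and filenames are illustrative only.
SAMPLE_LOG = """\
2008-06-12T10:01:03 WKS-ACCT01 203.0.113.10 USER upload
2008-06-12T10:01:04 WKS-ACCT01 203.0.113.10 STOR WKS-ACCT01Aviso.txt
2008-06-12T10:02:11 BUILD-SRV 198.51.100.7 STOR nightly-build.zip
2008-06-12T10:03:40 WKS-HR03 203.0.113.10 APPE WKS-HR03 Aviso.txt
2008-06-12T10:05:09 WKS-HR03 203.0.113.10 QUIT
2008-06-12T10:06:00 WKS-HR03 198.51.100.7 STOR aviso-legal.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<server>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$"
)
# FTP commands that write a file on the server.
UPLOAD_CMDS = {"STOR", "APPE", "STOU"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].upper()
    rec["arg"] = (rec["arg"] or "").strip()
    return rec


def is_host_named_aviso_file(host, filename):
    """True if filename is <host> + optional separator + 'Aviso', case-insensitive.

    The report says the file carries the affected computer's name followed by
    'Aviso'; whether a separator sits between them is an assumption, so the
    separator is optional here. FTP arguments may contain spaces, hence ' '.
    """
    pat = re.compile(r"^" + re.escape(host) + r"[ _.-]?aviso\b", re.IGNORECASE)
    return bool(pat.match(filename))


def find_exfil_uploads(log_text):
    """Return (timestamp, host, server, filename) for every suspicious upload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["cmd"] not in UPLOAD_CMDS:
            continue
        # Compare against the basename so a remote directory prefix does not hide it.
        name = rec["arg"].replace("\\", "/").rsplit("/", 1)[-1]
        if is_host_named_aviso_file(rec["host"], name):
            hits.append((rec["ts"], rec["host"], rec["server"], name))
    return hits


def drop_servers(log_text, min_hosts=2):
    """Servers receiving host-named Aviso uploads from >= min_hosts machines.

    Several distinct hosts uploading files named after themselves to one
    address is the fixed collection point the report describes; a single hit
    could still be a coincidence, so the threshold is configurable.
    """
    by_server = defaultdict(set)
    for _, host, server, _ in find_exfil_uploads(log_text):
        by_server[server].add(host)
    return {s: sorted(h) for s, h in by_server.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for hit in find_exfil_uploads(SAMPLE_LOG):
        print("suspicious upload:", hit)
    for server, hosts in drop_servers(SAMPLE_LOG).items():
        print("probable drop server", server, "fed by", hosts)
```

The benign `aviso-legal.pdf` upload is not flagged because the name does not start with the uploading host's own name; the check is deliberately anchored on the host name rather than on the word "Aviso" alone, which would be common in Portuguese-language file names.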
The Dadobra.APK Trojan is designed to download further banker malware files, generically detected as Banbra.FTX by Panda Security solutions.
When users run a file infected by Dadobra.APK, a video of a football field is played as a decoy while the Trojan carries out its malicious actions in the background.
Finally, MalwareProtector 2008 is an adware (program designed to show unwanted advertising) which simulates system scans and encourages users to buy software to delete the malware which has supposedly been found.
When run, it changes the desktop wallpaper to a message informing users that the computer is infected by spyware. A window is then displayed recommending that users download anti-spyware software. If the download is refused, a screensaver showing cockroaches eating the desktop wallpaper is displayed.
If users download the application, it simulates a computer scan and displays a list of the malware supposedly installed on the system. If users choose to delete the malicious code, a message is returned claiming the software is not registered and users must pay to use it.