Weekly Report on Viruses and Intruders – Goldun.LC, Banbra.DCY Trojans and LootSeek.JJ worm
This week’s report from Panda Software looks at the Goldun.LC and Banbra.DCY Trojans and the LootSeek.JJ worm. Goldun.LC is a password-stealer Trojan that steals login details for e-gold accounts from infected users. It does this by installing itself as an Internet Explorer BHO (Browser Helper Object).
Then, every time the browser is opened, it is activated and records user keystrokes, thereby obtaining the login details for the e-gold account (if users have one). It then sends the stolen data to another computer through a TCP port.
As with most Trojans, it cannot spread by itself, although according to data from PandaLabs, it normally reaches users as an attachment to an email with a .bmp file icon.
LootSeek.JJ is a worm that connects to an IRC server to receive orders from a remote hacker. The worm’s payload includes downloading and running the Rizalof Trojan, designed to use computers as platforms for sending spam.
LootSeek.JJ can spread across computer networks, making copies of itself in the shared network drives it manages to access.
Finally, Banbra.DCY has established a new way of stealing confidential data from users: video captures. Banbra.DCY is specifically designed to launch attacks against users of certain Brazilian banks that use ‘virtual keyboards’ (where users enter their passwords through mouse clicks on the on-screen image of a keyboard) to allow users to log in.
When users connect to certain online banking websites, the Trojan captures the area of the screen around the mouse cursor and saves it in .avi format video files. The files are then sent secretly to malicious users who can use the data for all types of online fraud.