Feb 6, 2012

Trojan Proxy targets Brazilian financial websites

File source: www.danibolinhagp.com.br/video.mpeg.exe
MD5: CCC531F5DD9929ABC4BCD69BCC748424
SHA1: FE71AA78DC9288E9997482380C4F270495CA7631

This Trojan is hosted on the domain danibolinhagp.com.br, which looks like a fake porn website: wherever you click on the page, it downloads the Trojan. The .mpeg in the name is there because the site poses as a porn video host; clicking anywhere inside the page downloads the Trojan under the file name video.mpeg.exe.


In their hurry to watch the video, many people don't notice the .exe extension. Once executed, it searches for running Internet Explorer and Firefox processes and terminates any it finds, so that it can set the proxy configuration and make the user log in again.


The host padariarva.com seen below is nothing but a link to the proxy auto-config file pele.pac, which contains the proxy IP address 188.138.114.62.


This URL is added to the AutoConfigURL registry value, as seen below. Whenever you try to access any site, the browser first consults the proxy auto-config file; if the site you requested matches one listed in the file, the request goes to the proxy at 188.138.114.62, which in turn forwards it on your behalf to the bank's site, like a man-in-the-middle attack.


The list consists mostly of Brazilian financial institutions. See below for details.


If you're infected with this Trojan, your bank credentials are at high risk. My advice is to clear the proxy setting first: type regedit at the command prompt, go to the location below and delete the data of the AutoConfigURL registry value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

The Trojan file will have the hidden attribute set, in the location where you executed it.


If you're unable to view the file, open My Computer and go to
Tools -> Folder Options -> View -> select Show hidden files and folders. Now go to the location where you executed the file and delete it. Last but not least, change your bank account passwords.
