Fresh Notorious Banker Trojan Causes Turmoil Inside ‘Windows’
A new and highly malicious banker Trojan has been found wreaking havoc on Windows PCs: it disables built-in security software while letting cyber-criminals quietly capture the banking credentials of targeted users, Securitynewsdaily.com reported on December 7, 2011.
According to Kaspersky Lab researcher Fabio Assolini, the Trojan targets the bootloader "ntldr" that Windows provides by default, Securitynewsdaily.com reported. The Trojan, detected as Trojan-Downloader.Win32.VB.aoff, originated in Brazil and spreads through links in e-mail messages.
When a user follows the malicious link, the Trojan can infect the machine: the malware downloads two malicious files, "xp-msclean" and "xp-msantivirus," from Amazon's Web Services cloud and plants them in a malicious bootloader on the computer, which runs even before the operating system boots. From there, the files carry out a covert and destructive scheme.
As the filenames 'msclean' and 'msantivirus' suggest, the files are crafted to look like genuine Microsoft PC clean-up or anti-virus (AV) products, but they do the opposite.
According to Assolini, xp-msclean and xp-msantivirus are *nix boot images that the cyber-criminals built specifically to delete certain security software at startup. They mainly target the files of GBPlugin, a well-known security plug-in used by Brazilian banks and deployed on 23 million computers. The malicious bootloader also tries to delete files belonging to Microsoft's Windows Defender, Security Essentials and other products, the researcher writes, as reported by Securelist.com on December 6, 2011.
Once the Trojan has infected the machine, the malware forces a system restart, during which the changes are made and the bootloader displays fake messages claiming to be the Microsoft Malicious Software Removal Tool (MSRT). This startup takes noticeably longer, and a pop-up message explains the delay by claiming that the machine is infected and is being cleaned.
Finally, when startup completes, the malicious bootloader removes itself and a clean 'ntldr' is restored. The objective is thus achieved, and a banker Trojan identified as Trojan-Downloader.Win32.Banload.bqmv continues trying to capture online banking credentials.
SPAMfighter News - 16-12-2011