Win32/VB.OWR [Threat Name]

Win32/VB.OWR [Threat Variant Name]

Category: trojan
Size: 126976 B
Aliases: P2P-Worm.Win32.SpyBot.qeg (Kaspersky)
         Trojan:Win32/Sisron (Microsoft)
         Worm/Spybot.DLM (AVG)

Short description

Win32/VB.OWR is a trojan that steals passwords and other sensitive information. The trojan collects sensitive information when the user browses certain web sites. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilenamewithoutextension%" = "%malwarepath%"

The following Registry entries are created:

  • [HKEY_CURRENT_USER]
    • "http" = 2
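
A triage check for the two registry indicators listed above, as an added example that is not part of the original description: it parses `reg query` text output and flags an HKLM Run value whose name equals its target's file name without extension, plus an "http" value of 2 directly under HKEY_CURRENT_USER. The sample output, the `updater32` name and the accepted encodings (`2` or `0x2`) are constructed assumptions, and the name match is a heuristic that legitimate software can also satisfy.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", re.I)
# Constructed sample of `reg query` output (not taken from an infected host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    updater32    REG_SZ    C:\Users\Public\updater32.exe

HKEY_CURRENT_USER
    http    REG_DWORD    0x2
"""

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m["name"]] = m["data"].strip()
    return keys

def exe_path(command):
    """Extract the program path from a Run command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command

def find_indicators(text):
    """Flag a Run value named after its target's file stem, and HKCU "http" = 2."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for name, data in values.items():
            if key.upper() == RUN_KEY.upper():
                if PureWindowsPath(exe_path(data)).stem.lower() == name.lower():
                    findings.append(("run-name-equals-file-stem", name, data))
            # Assumption: the value type is unknown, so accept "2" or "0x2".
            elif key.upper() == "HKEY_CURRENT_USER" and name.lower() == "http":
                if data.lower() in ("2", "0x2"):
                    findings.append(("hkcu-http-marker", name, data))
    return findings

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```
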

Information stealing

The trojan collects various information when the user is accessing the following sites:

  • https://www.cetelem.com.br/wps/portal/cetelem/normal/NL/login
  • https://www.cetelem.com.br/wps/myportal/!ut/p/c1/09519519481!!/
  • https://www.cetelem.com.br/wps/portal/!ut/p/c0/04
  • http://www.cetelemcards.kit.net/portal/05_.html
  • https://www.cetelem.com.br
  • http://www.bradesco.com.br
  • http://bradesco.com.br
  • https://wwwss.bradesco.com.br/scripts/ib2k1.dll/LOGIN
  • https://wwwss.bradesco.com.br/scripts/ib2k1.dll/LOGINCHK#top
  • http://www.shopfacil.com.br/index.aspx?origem
  • https://wwwss.bradesco.com.br/scripts/ib2k1.dll/TAC/FONEFACIL?CTL=3994271
  • https://wwwss.bradesco.com.br/scripts/ib2k1.dll/TAC/ENTRADASENHA
  • https://wwwss.bradesco.com.br/scripts/ib2k1.dll/TAC/VRFSENHAATUAL
  • http://www.bradescoprime.com.br
  • http://bradescoprime.com.br
  • Encerramento.do

The trojan collects the following information:

  • login name
  • login password
  • GRID card data

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of 1 IP address. The TDS protocol is used.

Other information

The user may be redirected to one of the following Internet web sites:

  • http://www.instalacaocomponente.kit.net/componente2.html?CRT=9855425e4854822214211214/scripts/ib2k1.
  • http://www.instalacaocomponente.kit.net/TabelaBrada.html
  • http://www.instalacaocomponente.kit.net/componente1.html?CRT=9855425e4854822214211214/scripts/ib2k1.
  • http://www.instalacaocomponente.kit.net/TabelaPrime.html
