Virus Database

TrojanSpy.Win32.Small.q

Description TrojanSpy.Win32.Small.q

This Trojan spy program steals user details for electronic payment systems. It is a Windows PE EXE file of 5184 bytes, packed using FSG.
When installing, the program copies itself to the Windows directory, and registers the copied file to the system registry autorun key:
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
"OLE"=Name of copied file
The Trojan then extracts a .dll file of 6144 bytes, called HookerDll.Dll to the Windows directory. This file intercepts data entered via the keyboard.
The program then creates a file named krk.txt in the Windows directory and copies all data entered via the keyboard to this file. This interception function will only be activated if a browser window header contains a line of text from the following list:
e-gold Account Access
HSBC Internet banking
Welcome to National Internet Banking
St.George Internet Banking Logon Page
Business Banking Online Login Page
MasterCard Connections Online - Welcome
St George Treasury: Client Logon
ANZ Internet Banking
SAAM Login
ANZ E*TRADE
FX Online Sphinx Login Page
https://www.tradeportal.proponix.com
BankSA Internet Banking Logon Page
Westpac Internet - Sign In
Westpac Internet Banking
NetBank - Logon
Commonwealth Securities Limited
Managed Funds and Superannuation Online - Login
Citibank Australia
Banesnet Particulares
Acceso a Banca por Internet
Wachovia Online Business Banking
Online Services - Account Login
Ventura County Business Bank Online Banking
PNC Bank - Account Link for Business
Fleet HomeLink Online Banking and Investing
e-Bullion: Account Login
:: WMcards.com :: Customer Support
moneybookers.com - and money moves
SunTrust Online Banking
Washington Mutual - Log On
Discover Card: Account Center Log In
OrbitPay.net - The Payment Processor Of Choice!
Banco Popular - Internet Banking
Nationwide Building Society - On-line banking
E*TRADE Log On
Accueil Bred.fr > Espace Bred.fr
Credit Lyonnais interactif
CyberMUT
Banque en ligne
Tous les produits et services
Banque Populaire
Home Page Banca Intesa
Collegamento a Scrigno
Barclaycard Merchant Services
American Express UK - Personal Finance
Merchant Administration
Wells Fargo - Small Business Home Page
Commercial Electronic Office Sign On
VeriSign Personal Trust Service
VeriSign Partner Manager
SUNCORP METWAY
iKobo Money Transfer
Welcome to Citi
By doing this, the Trojan steals access codes to electronic payment systems, and then sends the data to the author of the program by email.

Check other viruses! Be aware! Use Antiviral Software

Macro.Excel.Emperor.a

Description Macro.Excel.Emperor.a

This virus infects Excel sheets. It contains one macro (module) with the name "Emperor[number]" that contains five functions:
Auto_Open, keyplus, check_file, write_virus, run_virus
Upon opening (closing), the infected Excel file executes the Auto_Open (Auto_Close) virus function. This function summons the check_file (CheckFile) function that sets a four-digit password to the virus sheet. The virus then makes visible all hidden windows, looks for the "Emperor" module in all Workbooks and infects uninfected ones. While infecting, the virus copies its macro with the name "Emperor[number of infection]". The virus then closes all windows that were opened during infection.
The virus deletes the menus: Worksheet View - Toolbars, Format - Sheets, Tools - Scenario; Module - Edit/Delete, Tools/Menu Editor, Tools/Protection.
On the 1st and 15th of any month, depending on the random system counter, the virus displays the MessageBox:
The First Emperor Ver 1.00 [02/29/1997]
[the rest of the text is in unknown coding]

Macro.Excel.Emperor.b

Description Macro.Excel.Emperor.b

This virus infects Excel sheets. It contains one macro (module) with the name "Emperor[number]" that contains five functions:
Auto_Close, CheckFile, WriteVirus, ScreenTool, MenuDelete.
Upon opening (closing), the infected Excel file executes the Auto_Open (Auto_Close) virus function. This function summons the check_file (CheckFile) function that sets a four-digit password to the virus sheet. The virus then makes visible all hidden windows, looks for the "Emperor" module in all Workbooks and infects uninfected ones. While infecting, the virus copies its macro with the name "Emperor[number of infection]". The virus then closes all windows that were opened during infection.
The virus deletes the menus: Worksheet View - Toolbars, Format - Sheets, Tools - Scenario; Module - Edit/Delete, Tools/Menu Editor, Tools/Protection.
On Mondays and Saturdays, it displays the MessageBox:
The First Emperor Ver 1.10
[the rest of text is in unknown coding]

Home