Banker.a

Discovered by SentiniX, contact sentinix_root@hotmail.com
for the CharruaSecurity project

######################################################################

Distributed by email, purporting to come from the sender: recadastro.tse@receita.fazenda.gov.br

with the subject "Suspensao provisoria" (provisional suspension), received on Wednesday, 29 September 2010,
a few days before the Brazilian elections of 3 October 2010; a phishing attempt.

######################################################################

Email content:

Brasília, 28 September 2010

We inform you that your voter registration has received a Provisional Suspension.

The TSE, together with the RECEITA FEDERAL, is re-registering the voter registration of individuals who failed to complete the annual Individual Taxpayer (CPF) re-registration.

To re-register your Personal Data, download the form below.

This e-mail was registered with the TSE. Only continue your registration if your NAME and CPF on the form are correct.

CLICK HERE TO OPEN THE RE-REGISTRATION FORM

If there is an error, CLICK HERE

All rights reserved to the Tribunal Superior Eleitoral

######################################################################

Information from the VirusTotal site:

Antivirus Version Last Update Result
AhnLab-V3 2010.10.03.01 2010.10.03
AntiVir 7.10.12.112 2010.10.03 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.10.03
Authentium 5.2.0.5 2010.10.03 W32/Trojan-juke-based!Maximus
Avast 4.8.1351.0 2010.10.03
Avast5 5.0.594.0 2010.10.03
AVG 9.0.0.851 2010.10.03 Dropper.Generic2.BDXR
BitDefender 7.2 2010.10.03 Gen:Trojan.Heur.reZ@rTY7BNpad
CAT-QuickHeal 11.00 2010.10.01 (Suspicious) – DNAScan
ClamAV 0.96.2.0-git 2010.10.03 PUA.Packed.Thinstall2425
Comodo 6276 2010.10.03
DrWeb 5.0.2.03300 2010.10.03
Emsisoft 5.0.0.50 2010.10.03 Trojan-Banker.Win32.Banker!IK
eSafe 7.0.17.0 2010.10.03
eTrust-Vet 36.1.7889 2010.10.02
F-Prot 4.6.2.117 2010.10.03 W32/Trojan-juke-based!Maximus
F-Secure 9.0.15370.0 2010.10.03 Gen:Trojan.Heur.reZ@rTY7BNpad
Fortinet 4.1.143.0 2010.10.03
GData 21 2010.10.03 Gen:Trojan.Heur.reZ@rTY7BNpad
Ikarus T3.1.1.90.0 2010.10.03 Trojan-Banker.Win32.Banker
Jiangmin 13.0.900 2010.10.03
K7AntiVirus 9.63.2662 2010.10.02 Trojan
Kaspersky 7.0.0.125 2010.10.03 Trojan-Banker.Win32.Qhost.pz
McAfee 5.400.0.1158 2010.10.03 Generic.dx!ucu
McAfee-GW-Edition 2010.1C 2010.10.03
Microsoft 1.6201 2010.10.03
NOD32 5500 2010.10.03
Norman 6.06.07 2010.10.03 W32/Obfuscated.F!genr
nProtect 2010-10-03.01 2010.10.03
PCTools 7.0.3.5 2010.10.02
Prevx 3.0 2010.10.03
Rising 22.67.02.07 2010.09.30 Packer.Win32.Agent.r
Sophos 4.58.0 2010.10.03
Sunbelt 6973 2010.10.03 Trojan.Win32.Generic.pak!cobra
SUPERAntiSpyware 4.40.0.1006 2010.10.03
Symantec 20101.2.0.161 2010.10.03 Suspicious.MH690.A
TheHacker 6.7.0.1.047 2010.10.03
TrendMicro 9.120.0.1004 2010.10.03 Mal_Banker
TrendMicro-HouseCall 9.120.0.1004 2010.10.03 Mal_Banker
VBA32 3.12.14.1 2010.10.01
ViRobot 2010.8.31.4017 2010.10.03
VirusBuster 12.66.12.0 2010.10.03 Trojan.Crypt.Gen

MD5   : 8a133595dde30c0e2bb5b4a09b12453e

SHA1  : 81fa7c4e61592e73fd905eb954d31da47320184c
SHA256: f0f0df445390b9cd00261572ea4156e7c0c2cdaa3f7b934a6b8b98f397cc98e8
ssdeep: 6144:sNVj1SWS4zASxsjQhGH1d4rUB60iCCIOzMPXwuc6kPq7:oBKE/s02IrUA0DY6w4kPq7
File size : 294469 bytes
First seen: 2010-10-02 20:20:17
Last seen : 2010-10-03 19:30:41
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: Thinstall 2.4x – 2.5x -> Jitit Software
packers (Authentium): Thinstal
packers (F-Prot): Thinstal
PEInfo: PE structure information 

[[ basic data ]]
entrypointaddress: 0x1A95
timedatestamp....: 0x4112AB5C (Thu Aug 05 21:49:16 2004)
machinetype......: 0x14c (I386)

[[ 1 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text , 0x1000, 0x38000, 0xB564, 6.86, 81da1d779db4f0ee040bbf12274ff32e

[[ 9 import(s) ]]
USER32.dll: MessageBoxA
KERNEL32.dll: GetModuleFileNameA, GetEnvironmentVariableA, ExitProcess, FormatMessageA, GetLastError, SetLastError, GetProcAddress, VirtualProtect, LoadLibraryA, GetModuleHandleA, MultiByteToWideChar, GetModuleFileNameW, GetVersionExA, VirtualFree, VirtualAlloc, GlobalAlloc, SetFilePointer, ReadFile, CreateFileA
ADVAPI32.DLL: AdjustTokenPrivileges
COMCTL32.DLL: InitCommonControls
KERNEL32.dll: AllocConsole
msvcrt.dll: _close
msvcrt.dll: _HUGE
SHELL32.DLL: SHGetDesktopFolder
USER32.dll: DispatchMessageA

ExifTool:
file metadata
CodeSize: 128000
EntryPoint: 0x1a95
FileSize: 288 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 0
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2004:08:05 23:49:16+02:00
UninitializedDataSize: 0

######################################################################

More information in the file for study:

Caution: link to the virus sample, for study only!