Effects
Burglar.A carries out the following actions:
- It obtains the following information about the computer:
- IP address.
- The name of the system.
- Geographic area: region, country or state; city; approximate latitude and longitude. To obtain these data, Burglar.A queries Google Maps.
The following image is an example of the information it obtains through Google Maps:

- It downloads the following malware to the affected computer:
- Trj/Sters.P, which prevents users and installed programs from accessing the following hosts, most of which belong to antivirus vendors:
82.165.237.14
82.165.250.33
avp.com
ca.com
casablanca.cz
customer.symantec.com
d66.myleftnut.info
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
dispatch.mcafee.com
download.mcafee.com
downloads1.kaspersky.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
downloads-us1.kaspersky.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
eset.casablanca.cz
eset.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
metalhead2005.info
my-etrust.com
nai.com
networkassociates.com
nod32.com
norton.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
u2.eset.com
u3.eset.com
u4.eset.com
u7.eset.com
update.symantec.com
updates.symantec.com
updates1.kaspersky.com
updates2.kaspersky.com
updates3.kaspersky.com
updates-us1.kaspersky.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.eset.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.nod32.com
www.norton.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
- Trj/Keylog.LN, which logs the keystrokes typed by the user. This way, it can obtain confidential information, such as passwords.
- Trj/FileStealer.A, which downloads and runs a web server on the computer. This way, it gains remote access to the affected system.
- Trj/Banker.CLJ, which steals banking passwords. To do so, it monitors whether the user visits a website belonging to a banking entity. If so, it sends a Stop Navigate command to the browser to halt loading of the page. It then displays two alert messages that request confidential data from the user, which is sent to its author.
- It connects to the website http://extec<blocked>.com/stats, where it stores information about the countries and IP addresses that have been infected.
Infection strategy
Burglar.A creates the following files in the Windows directory:
- DSRSS.EXE, which belongs to Trj/Keylog.LN.
- IESERVER.EXE, which belongs to Trj/FileStealer.A.
- SMSS.EXE and WINLOGON.EXE, which belong to Trj/Sters.P. These names mimic legitimate Windows system processes; the genuine smss.exe and winlogon.exe reside in %SystemRoot%\System32, so copies directly in the Windows directory are a useful indicator of this infection.
- IEREDIR.EXE and PREREDIR.EXE, which belong to Trj/Banker.CLJ.
Burglar.A modifies the HOSTS file (%SystemRoot%\System32\drivers\etc\hosts). By adding entries for the antivirus vendor hostnames listed above, it prevents access to those websites.
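The HOSTS modification is the most durable artifact this family leaves, because a mapping for an antivirus vendor's hostname has no legitimate reason to exist in that file. The following script, added here as an example and not part of the original analysis, parses a HOSTS file and flags any entry whose registrable domain belongs to a vendor in the list above, regardless of the IP it points to (the sample contents are constructed to mimic the Trj/Sters.P entries; the address 192.0.2.10 is a documentation address used only for illustration). Note that a HOSTS file only affects name resolution, so it cannot account for the two bare IP addresses that also appear in the blocked list.

```python
"""Scan a Windows HOSTS file for hijacked security-vendor entries (added example)."""
import os

# Registrable domains of the vendors listed on this page (www.microsoft.com is
# in the page's list too, so microsoft.com is included).
VENDOR_ZONES = {
    "kaspersky.com", "kaspersky.ru", "kaspersky-labs.com", "symantec.com",
    "symantecliveupdate.com", "norton.com", "mcafee.com", "nai.com",
    "networkassociates.com", "my-etrust.com", "ca.com", "eset.com",
    "nod32.com", "casablanca.cz", "f-secure.com", "sophos.com",
    "trendmicro.com", "avp.com", "viruslist.com", "microsoft.com",
}

# The only mappings a stock HOSTS file legitimately carries.
BENIGN = {("localhost", "127.0.0.1"), ("localhost", "::1")}

# Constructed sample: a stock header followed by entries shaped like the
# Sters.P modification. Not taken from a real infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
# constructed entries mimicking Trj/Sters.P
127.0.0.1       www.kaspersky.com kaspersky.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       u2.eset.com u3.eset.com
192.0.2.10      downloads1.kaspersky.com   # redirected to an attacker-chosen IP
127.0.0.1       www.example.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping, ignoring comments/blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip("."), lineno


def registrable_zone(hostname):
    """Return the last two labels (sufficient for the vendor zones above)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_hijacked(text):
    """Return [(lineno, ip, hostname)] for vendor hostnames pinned in HOSTS.

    Any mapping at all is suspicious: vendors rotate addresses, so a pinned IP
    (even a currently valid one) would silently break updates later.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if (name, ip) in BENIGN:
            continue
        if registrable_zone(name) in VENDOR_ZONES:
            findings.append((lineno, ip, name))
    return findings


def scan_system_hosts(path=None):
    """Read the live HOSTS file (default Windows location) and scan it."""
    if path is None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_hijacked(fh.read())


if __name__ == "__main__":
    for lineno, ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

Run `scan_system_hosts()` on a suspect machine; an empty result means no vendor zone is pinned. The check deliberately does not whitelist 127.0.0.1 or any other address for these domains, because the blocking works whether the entry points at loopback or at a third party.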
Means of transmission
Burglar.A is usually distributed in an email message with the following characteristics:
Subject: one of the following:
Current Australia’s Prime Minister survived a hear attack
Prime Minister survived a heard attack
The life of the Prime Minister is in grave danger
Message:
SYDNEY, February 18, 2007 08:56pm (AEDT) –
The Prime Minister of Australia, John Howard have survived a heart attack. Mr Howard, 67 years old, was at Kirribilli House in Sydney, his prime residence, when he was suddenly stricken.
Mr Howard was taken to the Royal North Shore Hospital where the best surgeons of Australia are struggling for his life.
Click on the link below to get the latest information on the health
of the Prime Minister:
The Australian - keeping the nation informed
John Howard was born on the 26th of July, 1939. Howard is Australia's
second longest serving Prime Minister and leader of the Liberal Party
in Australia.
This email message can contain:
- A link which, if clicked, takes the user to one of the following websites:
http://www.au<blocked>ews.com/
http://www.theau<blocked>ews.com/
http://www.thea<blocked>ews.org/
These websites redirect to another website, www.ext<blocked>b.com, which is the one that starts the infection.
- An executable file attached. If it is run, the computer is infected by Burglar.A.
Further Details
Burglar.A is written in the programming languages JavaScript and Visual Basic. This Trojan is 2,011 bytes in size.