
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Banbra.GLE

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Banbra.GLE carries out the following actions:

  • It steals all kinds of passwords. To do so, it uses a password recovery program, which allows it to obtain the following passwords:
    - passwords used to connect to a remote desktop.
    - passwords stored in the Internet Explorer and Firefox browsers.
    - passwords belonging to several mail services like Outlook and Hotmail.
    - passwords of the instant messaging program MSN Messenger.
    - network passwords.
  • It creates several reports that contain the stolen information, which are then sent to its creator via email.
  • The reports containing the passwords are attached to the email message, and the message contains some data, like the computer name.

  • Additionally, it is programmed to steal the passwords used by users to access several Brazilian banking entities.

Infection strategy 

Banbra.GLE creates the following files in the Windows directory:

  • CTFMON.EXE, which is a copy of itself.
  • BOTT.TXT. This file contains the content of the message that is sent with the information it obtains.
  • USBB.TXT
  • SENDERDYN.JAR

Additionally, it creates a folder called res in the Windows directory with the following files:

  • DESKTOP.EXE
  • FOX.EXE
  • IE.EXE
  • MAIL.EXE
  • MSN.EXE
  • OUTLOOK.EXE
  • NET.EXE

These files obtain different types of passwords. Each one creates an HTML report that will be sent via email to its creator.

Banbra.GLE creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %windir%\csrcs.exe

    where %windir% is the Windows directory.
    By creating this entry, Banbra.GLE ensures that it is run whenever Windows is started.

Means of transmission 

Banbra.GLE spreads through removable drives. In order to do so, 45 seconds after its execution, it makes copies of itself in the root directory of the removable drives. Additionally, it creates an AUTORUN.INF file in these drives, so that the worm is run whenever any of them is accessed.

Banbra.GLE passes itself off as a harmless document, as it reaches the computer in a file with the icon of a Word document.

Further Details  

Banbra.GLE is 5,224,960 bytes in size and is compressed with UPX.
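
A triage check built from the indicators in this entry (dropped files, the res folder, the Run entry, the file size and the UPX packing), as an added example that is not Panda Security's code. The names triage, is_upx_packed and demo are hypothetical, the Run values are assumed to be collected separately (for instance with reg query) and passed in as strings, and the sample directory is constructed.

```python
import os
import re
import tempfile

# Names and values are the ones listed in this entry, matched case-insensitively.
ROOT_FILES = {"ctfmon.exe", "bott.txt", "usbb.txt", "senderdyn.jar"}
RES_FILES = {"desktop.exe", "fox.exe", "ie.exe", "mail.exe", "msn.exe", "outlook.exe", "net.exe"}
RUN_TARGET = re.compile(r'(?:^|[\\/"])csrcs\.exe(?:$|["\s])', re.I)
SAMPLE_SIZE = 5_224_960  # bytes

def _listing(path):
    """Map lower-cased entry name -> real name; empty dict if path is unreadable."""
    try:
        return {n.lower(): n for n in os.listdir(path)}
    except OSError:
        return {}

def is_upx_packed(path, probe=4096):
    """Heuristic: a UPX-packed PE keeps the default UPX0/UPX1 section names."""
    with open(path, "rb") as fh:
        head = fh.read(probe)
    return head[:2] == b"MZ" and b"UPX0" in head and b"UPX1" in head

def triage(windir, run_values=()):
    """Return (indicator, name, extra) findings for one Windows directory."""
    findings, root = [], _listing(windir)
    for low in sorted(ROOT_FILES & root.keys()):
        full, extra = os.path.join(windir, root[low]), {}
        if low.endswith(".exe"):
            extra = {"size_match": os.path.getsize(full) == SAMPLE_SIZE,
                     "upx": is_upx_packed(full)}
        findings.append(("dropped_file", low, extra))
    # A missing res folder simply yields an empty listing.
    res = _listing(os.path.join(windir, root.get("res", "res")))
    findings += [("res_tool", low, {}) for low in sorted(RES_FILES & res.keys())]
    findings += [("run_key", v, {}) for v in run_values if RUN_TARGET.search(v)]
    return findings

def demo():
    """Constructed sample: a fake Windows directory built in a temp folder."""
    with tempfile.TemporaryDirectory() as windir:
        os.mkdir(os.path.join(windir, "res"))
        with open(os.path.join(windir, "CTFMON.EXE"), "wb") as fh:
            fh.write(b"MZ" + b"\0" * 400 + b"UPX0" + b"\0" * 36 + b"UPX1")
        for name in ("BOTT.TXT", os.path.join("res", "FOX.EXE"), "notepad.exe"):
            open(os.path.join(windir, name), "wb").close()
        return triage(windir, [r"C:\WINDOWS\csrcs.exe", r"C:\Program Files\App\app.exe"])

if __name__ == "__main__":
    print(demo())
```

The genuine Windows ctfmon.exe lives in System32, so a CTFMON.EXE directly in the Windows directory deserves attention even when the size and UPX checks do not match.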