
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Banbra.GMH

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Banbra.GMH carries out the following actions:

  • When it is run, it displays an error message (shown as a screenshot in the original entry, not reproduced here).
  • It registers itself as a BHO (Browser Helper Object) in Internet Explorer, so that it is loaded into the browser and can see which websites the user visits.
  • When the user visits the websites of certain Brazilian banks, it logs the keystrokes typed on those pages and thereby captures the user's online-banking credentials.
  • The captured data is written to files created by the Trojan (MSTECF.DAT and TRENZI.LOG, listed below) and later sent to its author.

Infection strategy 

Banbra.GMH creates the following files:

  • MSTECS.EXE and FLASHCPX.DLL, in the Windows system directory. The first is a copy of the Trojan; the second is a DLL (Dynamic Link Library) that is registered as a BHO (Browser Helper Object) to monitor the websites accessed by the user.
  • MSTECF.DAT and TRENZI.LOG, in the Windows directory. The keystrokes captured by the Trojan are stored in these files.


Banbra.GMH creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Machine Works, Inc. = %sysdir%\MsTecs.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Banbra.GMH ensures that it is run whenever Windows is started.

 

In addition, Banbra.GMH creates the following registry entries to register FLASHCPX.DLL as a BHO (Browser Helper Object). The CLSID, ProgID, Interface and TypeLib keys are the ordinary COM registration that allows the DLL to be instantiated; the last key, under Explorer\Browser Helper Objects, is the one that makes Internet Explorer load the object every time it starts:

  • HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}
    (Default) = flashcpx.MyCN
  • HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\InprocServer32
    (Default) = %sysdir%\flashcpx.dll
  • HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\InprocServer32
    ThreadingModel = Apartment
  • HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\ProgID
    (Default) = flashcpx.MyCN
  • HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\TypeLib
    (Default) = {DD1F03A0-0864-4948-B951-9321A44B87D8}
  • HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\VERSION
    (Default) = 1.0
  • HKEY_CLASSES_ROOT\flashcpx.MyCN
    (Default) = flashcpx.MyCN
  • HKEY_CLASSES_ROOT\flashcpx.MyCN\Clsid
    (Default) = {EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}
  • HKEY_CLASSES_ROOT\Interface\{31C5319E-23B5-4467-9644-59A2BD10DF7F}
    (Default) = MyCN
  • HKEY_CLASSES_ROOT\Interface\{31C5319E-23B5-4467-9644-59A2BD10DF7F}\ProxyStubClsid
    (Default) = {00020424-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\Interface\{31C5319E-23B5-4467-9644-59A2BD10DF7F}\ProxyStubClsid32
    (Default) = {00020424-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\Interface\{31C5319E-23B5-4467-9644-59A2BD10DF7F}\TypeLib
    (Default) = {DD1F03A0-0864-4948-B951-9321A44B87D8}
  • HKEY_CLASSES_ROOT\Interface\{31C5319E-23B5-4467-9644-59A2BD10DF7F}\TypeLib
    Version = 1.0
  • HKEY_CLASSES_ROOT\TypeLib\{DD1F03A0-0864-4948-B951-9321A44B87D8}\1.0
    (Default) = flashcpx
  • HKEY_CLASSES_ROOT\TypeLib\{DD1F03A0-0864-4948-B951-9321A44B87D8}\1.0\0\win32
    (Default) = %sysdir%\flashcpx.dll
  • HKEY_CLASSES_ROOT\TypeLib\{DD1F03A0-0864-4948-B951-9321A44B87D8}\1.0\FLAGS
    (Default) = 0
  • HKEY_CLASSES_ROOT\TypeLib\{DD1F03A0-0864-4948-B951-9321A44B87D8}\1.0\HELPDIR
    (Default) = %sysdir%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}
    (Default)
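The Run-key entry and the BHO registration above are the artifacts a responder would look for on a suspect machine. The script below is an added example (not Panda Security's code): it parses a `reg export` text dump, lists the HKLM Run entries and resolves every registered BHO CLSID to its ProgID and in-process DLL, then ranks BHOs whose DLL lives in the system directory. The embedded export is constructed from the keys listed on this page plus one made-up, benign-looking BHO ({11111111-...}) for contrast; `C:\WINDOWS` stands in for %sysdir%, and the "system directory" heuristic is this example's own assumption.

```python
"""Offline triage of a .reg export for Banbra.GMH's Run-key and BHO registration.

Added example, not Panda Security's code. It parses the text written by
`reg export` ('Windows Registry Editor Version 5.00' format), lists the HKLM
Run entries and resolves every Browser Helper Object CLSID to its ProgID and
in-process DLL. SAMPLE_REG is constructed from the keys on this page plus one
made-up benign BHO ({11111111-...}); C:\\WINDOWS stands in for %sysdir%.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample export (values escaped the way reg export writes them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Machine Works, Inc."="C:\\WINDOWS\\system32\\MsTecs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}]
@="flashcpx.MyCN"

[HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\InprocServer32]
@="C:\\WINDOWS\\system32\\flashcpx.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{EA3AF112-1E9A-4B79-8A2D-F6670A6BCA35}\ProgID]
@="flashcpx.MyCN"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path (lower-cased): {value name: data}}, default value under ''.
    Only quoted REG_SZ data is decoded; dword:/hex: data is kept verbatim and
    hex continuation lines are skipped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            reg.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if current is None or not value:
            continue
        name = "" if value.group(1) == "@" else _unescape(value.group(2))
        data = value.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        reg[current][name] = data
    return reg


def run_entries(reg):
    """Autostart commands under the HKLM Run key ('Machine Works, Inc.' for Banbra)."""
    return dict(reg.get(RUN_KEY.lower(), {}))


def browser_helper_objects(reg):
    """Resolve each CLSID under Browser Helper Objects through HKCR\\CLSID."""
    prefix = BHO_KEY.lower() + "\\"
    found = []
    for key in reg:
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue  # other keys, or BHO subkeys such as \NoExplorer
        clsid = key[len(prefix):]
        base = "hkey_classes_root\\clsid\\" + clsid
        found.append({"clsid": clsid.upper(),
                      "progid": reg.get(base + "\\progid", {}).get("", ""),
                      "dll": reg.get(base + "\\inprocserver32", {}).get("", "")})
    return found


def suspicious_bhos(bhos):
    """Triage heuristic (this example's assumption, not a rule from the page):
    legitimate BHOs are usually installed under Program Files, so one whose DLL
    sits in the Windows system directory, as flashcpx.dll does, is pulled first."""
    sysdirs = ("\\system32\\", "\\syswow64\\", "\\system\\")
    return [b for b in bhos if any(d in b["dll"].lower() for d in sysdirs)]
```

On a live machine the same keys can be dumped with `reg export <key> file.reg` for the Run key, the Browser Helper Objects key and HKCR\CLSID (open the file with encoding "utf-16", which is what reg export writes) and passed to parse_reg(). The ranking from suspicious_bhos() only decides which DLL to hash and inspect first; it proves nothing by itself, and a BHO under Program Files can still be malicious.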

Means of transmission 

Banbra.GMH arrives in an email message written in Portuguese that claims to contain pictures of a party and invites the recipient to download them.

The message has the following characteristics:

  • Subject: it can be one of the following, among others:
    ESSA FESTA FOI O MÁXIMO... (English: "THAT PARTY WAS THE BEST...")
    OIII...!! TUDO BEM? (English: "HIII...!! HOW ARE YOU?")
  • Message: it can be one of the following:
    Message 1
    Oi...!! tudo bem?
    Olha só as fotos que me mandaram.
    Lembra dessa festa?

    Tchauuu!!

    (English: "Hi...!! how are you? / Take a look at the photos they sent me. / Remember that party? / Byeee!!")

    Message 2
    Oiiii...!! tudo bem?
    Pois é eu sumi... mas eu não esqueci
    daquela nossa foto
    Pois aqui está a foto qye você tanto queria...
    Tchauuu!!!

    (English: "Hiii...!! how are you? / Yeah, I disappeared... but I haven't forgotten / that photo of ours / So here is the photo you wanted so much... / Byeee!!!"; "qye" is a typo for "que" in the original lure)
  • Attachment: one or several files with a JPG extension, named IMAGEM1.JPG and IMAGEM2.JPG. A preview of the pictures is displayed together with a link to view them.

If the user downloads the attached files or clicks on the links, what is actually retrieved is a compressed file, not the pictures the names suggest. If it is decompressed and the executable inside is run, the computer is infected.

The malicious file is CONVITE.EXE ("convite" is Portuguese for "invitation"). The screenshots of the file and of the messages used to distribute this Trojan that accompanied the original entry are not reproduced here.

Further Details  

Banbra.GMH is written in Visual Basic 5. The Trojan is 115,712 bytes in size and is compressed with UPX, so the quoted size is that of the packed file, and its strings (such as the file and registry names above) are only visible once it has been unpacked.
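Two checks follow from the distribution and packing details above: whether an attachment named like a picture really is one, and whether a Windows executable still carries UPX's section names. The script below is an added example (not Panda Security's code, and not derived from the Banbra.GMH binary); it goes slightly beyond the page by classifying JPEG, ZIP and PE by magic bytes rather than by extension, and by reading the PE section table. All sample bytes are constructed: a JPEG header, a ZIP local-file header, and a minimal PE image with UPX0/UPX1/.rsrc section headers and no code.

```python
"""Check whether an attachment is what its name claims, and whether a PE
carries UPX section names.

Added example, not Panda Security's code and not Banbra.GMH's binary. The
lure names its files IMAGEM1.JPG / IMAGEM2.JPG but delivers an archive with
CONVITE.EXE inside, so the check compares the extension with the magic bytes.
All sample bytes below are constructed test data.
"""
import os
import struct

SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SAMPLE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 22  # local file header only


def _section_header(name, virtual_size, virtual_address):
    """One 40-byte IMAGE_SECTION_HEADER with a NUL-padded 8-byte name."""
    return struct.pack("<8sIIIIIIHHI", name, virtual_size, virtual_address,
                       0, 0, 0, 0, 0, 0, 0xE0000080)


def build_sample_pe(section_names=(b"UPX0", b"UPX1", b".rsrc")):
    """Constructed PE: DOS header with e_lfanew, PE signature, COFF header,
    zero-filled 0xE0-byte optional header, then the section table. UPX by
    default names its sections UPX0/UPX1 (plus .rsrc when resources are kept)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x010F)
    sections = b"".join(_section_header(n, 0x1000, 0x1000 * (i + 1))
                        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * opt_size + sections


SAMPLE_PE = build_sample_pe()


def _pe_header_offset(data):
    """Return e_lfanew if data has a valid MZ header pointing at 'PE\\0\\0', else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if off + 24 > len(data) or data[off:off + 4] != b"PE\x00\x00":
        return None
    return off


def pe_section_names(data):
    """Section names read from the section table (empty list if not a PE)."""
    pe = _pe_header_offset(data)
    if pe is None:
        return []
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # truncated section table
        raw = data[off:off + 8].split(b"\x00", 1)[0]
        names.append(raw.decode("ascii", "replace"))
    return names


def sniff(data):
    """Classify by magic bytes, ignoring the file name entirely."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if _pe_header_offset(data) is not None:
        return "pe"
    return "unknown"


EXT_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip", ".exe": "pe", ".dll": "pe"}


def triage_attachment(filename, data):
    """Compare the type claimed by the extension with the sniffed type and
    report UPX-style section names. Packers' section names are trivially
    renamed, so an empty upx_sections list does not prove the file is unpacked."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    upx = [n for n in pe_section_names(data) if n.upper().startswith("UPX")]
    return {"name": filename,
            "claimed": EXT_TYPE.get(ext, "unknown"),
            "actual": actual,
            "mismatch": ext in EXT_TYPE and EXT_TYPE[ext] != actual,
            "upx_sections": upx}


if __name__ == "__main__":
    for name, blob in (("IMAGEM1.JPG", SAMPLE_JPEG), ("IMAGEM2.JPG", SAMPLE_ZIP),
                       ("CONVITE.EXE", SAMPLE_PE)):
        print(triage_attachment(name, blob))
```

For real mail handling, run triage_attachment() on the decoded attachment bytes before any preview is rendered; a "mismatch" result on a file named *.JPG is exactly the pattern this lure relies on. Never execute a sample to find out what it is; the section-table read is purely static.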
