
Burglar.A

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Burglar.A carries out the following actions:

  • It obtains the following information about the computer:
    - IP address.
    - The name of the system.
    - Geographic area: region, country or state; city; approximate latitude and longitude. In order to obtain these data, Burglar.A uses Google Maps.
    [Image: example of the information it obtains through Google Maps]

  • It downloads the following malware to the affected computer:
    - Trj/Sters.P, which prevents users and installed programs from accessing the following websites, which belong to several antivirus companies:
    82.165.237.14
    82.165.250.33
    avp.com
    ca.com
    casablanca.cz
    customer.symantec.com
    d66.myleftnut.info
    d-eu-1f.kaspersky-labs.com
    d-eu-1h.kaspersky-labs.com
    d-eu-2f.kaspersky-labs.com
    d-eu-2h.kaspersky-labs.com
    dispatch.mcafee.com
    download.mcafee.com
    downloads1.kaspersky.com
    downloads1.kaspersky.ru
    downloads2.kaspersky.ru
    downloads3.kaspersky.ru
    downloads4.kaspersky.ru
    downloads5.kaspersky.ru
    downloads-us1.kaspersky.com
    d-ru-1f.kaspersky-labs.com
    d-ru-1h.kaspersky-labs.com
    d-ru-2f.kaspersky-labs.com
    d-ru-2h.kaspersky-labs.com
    d-us-1f.kaspersky-labs.com
    d-us-1h.kaspersky-labs.com
    eset.casablanca.cz
    eset.com
    f-secure.com
    kaspersky.com
    kaspersky-labs.com
    liveupdate.symantec.com
    liveupdate.symantecliveupdate.com
    mast.mcafee.com
    mcafee.com
    mcafee.com
    metalhead2005.info
    my-etrust.com
    nai.com
    networkassociates.com
    nod32.com
    norton.com
    rads.mcafee.com
    secure.nai.com
    securityresponse.symantec.com
    sophos.com
    symantec.com
    trendmicro.com
    u2.eset.com
    u3.eset.com
    u4.eset.com
    u7.eset.com
    update.symantec.com
    updates.symantec.com
    updates1.kaspersky.com
    updates2.kaspersky.com
    updates3.kaspersky.com
    updates-us1.kaspersky.com
    us.mcafee.com
    viruslist.com
    viruslist.com
    www.avp.com
    www.ca.com
    www.eset.com
    www.f-secure.com
    www.kaspersky.com
    www.mcafee.com
    www.microsoft.com
    www.my-etrust.com
    www.nai.com
    www.networkassociates.com
    www.nod32.com
    www.norton.com
    www.sophos.com
    www.symantec.com
    www.trendmicro.com
    www.viruslist.com


    - Trj/Keylog.LN, which logs the keystrokes typed by the user. This way, it can obtain confidential information, such as passwords.

    - Trj/FileStealer.A, which downloads and runs a web server on the computer. This way, it gains remote access to the affected system.

    - Trj/Banker.CLJ. This Trojan steals banking passwords. In order to do so, it monitors whether the user accesses any website belonging to a banking entity. If so, it sends the order Stop Navigate to the browser in order to stop the loading of the website. Then, it displays two alert messages requesting confidential data from the user, which is sent to its author.
  • It connects to the website http://extec<blocked>.com/stats, where it stores information about the countries and the IP addresses that have been infected.

Infection strategy 

Burglar.A creates the following files in the Windows directory:

  • DSRSS.EXE, which belongs to Trj/Keylog.LN.
  • IESERVER.EXE, which belongs to Trj/FileStealer.A.
  • SMSS.EXE and WINLOGON.EXE, which belong to Trj/Sters.P.
  • IEREDIR.EXE and PREREDIR.EXE, which belong to Trj/Banker.CLJ.

Burglar.A modifies the HOSTS file. By modifying this file, it prevents access to the antivirus company websites listed above, so that the installed security software can no longer reach its update servers.
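The HOSTS tampering described above is easy to check for from the defender's side. The following Python script is an added example (it is not Panda's code and not part of the original entry): it parses HOSTS file text the way Windows does (address first, then one or more hostnames, `#` comments ignored), flags any entry for a watched antivirus-vendor domain or its subdomains, and distinguishes entries sinkholed to a loopback or unspecified address from entries redirected to some other address, which is the more dangerous case because update traffic would then reach a third party. The watched set is a subset of the domains listed in this entry (a real deployment would load the full list), the sample HOSTS text is constructed, and the function names are the example's own; the default file path is the standard Windows location `%SystemRoot%\System32\drivers\etc\hosts`.

```python
"""Detect antivirus-vendor domains hijacked in a Windows HOSTS file.

Added example for illustration, not Panda's code. The watch list is a
subset of the domains this entry reports Trj/Sters.P blocking; the
HOSTS text below is constructed sample input.
"""
import ipaddress
import os
from pathlib import Path

# Subset of the domains the entry lists as blocked (assumed representative).
WATCHED_DOMAINS = {
    "kaspersky.com", "kaspersky-labs.com", "mcafee.com", "symantec.com",
    "symantecliveupdate.com", "eset.com", "nod32.com", "sophos.com",
    "trendmicro.com", "f-secure.com", "nai.com", "ca.com", "my-etrust.com",
    "viruslist.com", "norton.com", "avp.com", "microsoft.com",
}

# Constructed sample of a tampered HOSTS file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.kaspersky.com kaspersky.com   # sinkholed locally
0.0.0.0     liveupdate.symantec.com
10.0.0.5    download.mcafee.com
192.168.1.20    intranet.example.corp
"""


def _watched_base(hostname, watched):
    """Return the watched domain that hostname equals or sits under, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watched:
            return candidate
    return None


def _classify(address):
    """'sinkhole' for loopback/unspecified targets, 'redirect' for any other
    address (update traffic would leave the machine), 'invalid' if unparsable."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    return "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"


def find_hijacked_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Parse HOSTS text and return one finding dict per watched hostname."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 2:  # an address with no hostname is not an entry
            continue
        address, hostnames = tokens[0], tokens[1:]
        for hostname in hostnames:
            base = _watched_base(hostname, watched)
            if base is None:
                continue
            findings.append({
                "line": line_no,
                "address": address,
                "hostname": hostname,
                "matched": base,
                "kind": _classify(address),
            })
    return findings


def check_hosts_file(path=None):
    """Read the live HOSTS file (default: the standard Windows location)
    and return its findings; pass an explicit path on other systems."""
    if path is None:
        system_root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        path = system_root / "System32" / "drivers" / "etc" / "hosts"
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return find_hijacked_entries(text)


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['address']} "
              f"({f['kind']}, matches {f['matched']})")
```

On the sample input the script reports four entries: the two Kaspersky names and the Symantec update host as sinkholes, and download.mcafee.com as a redirect to 10.0.0.5. Any entry at all for a vendor update domain is suspicious, since a clean HOSTS file contains none of them; the kind only tells you how urgently to look at where that traffic is going.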

Means of transmission 

Burglar.A is usually distributed in an email message with the following characteristics:

Subject: one of the following:
Current Australia’s Prime Minister survived a hear attack
Prime Minister survived a heard attack
The life of the Prime Minister is in grave danger

Message:
SYDNEY, February 18, 2007 08:56pm (AEDT) –
The Prime Minister of Australia, John Howard have survived a heart attack. Mr Howard, 67 years old, was at Kirribilli House in Sydney, his prime residence,when he was suddenly stricken.
Mr Howard was taken to the Royal North Shore Hospital where the best surgeons of Australia are struggling for his life.
Click on the link below to get the latest information on the health
of the Prime Minister:
The Australian - keeping the nation informed
John Howard was born on the 26th of July, 1939. Howard is Australia's
second longest serving Prime Minister and leader of the Liberal Party
in Australia.

This email message can contain:

  • A link which, if clicked, takes the user to one of the following websites:
    http://www.au<blocked>ews.com/
    http://www.theau<blocked>ews.com/
    http://www.thea<blocked>ews.org/
    These websites redirect to another website, www.ext<blocked>b.com, which is the one that starts the infection.
  • An attached executable file. If it is run, the computer is infected with Burglar.A.

Further Details  

Burglar.A is written in the programming languages JavaScript and Visual Basic. This Trojan is 2,011 bytes in size.

Last updated:  12/03/2007 
