- 01-19-2010 #1
Looking at a banking Trojan right now.
So yesterday some friend of mine sent me an e-mail with a banking trojan attachment (of course, the Trojan autosent itself to his address book).
Kewl. Something for me to play with in my virtual machine.
I installed the Trojan on my virtual XP system and noted two things I didn't quite understand:
- The hijackthis log showed it added a line like the following:
O2 - BHO: (no name) - {D08E9241-FE51-4768-80D4-338E371AC294} - (no file)
Question: What does a line like this do if there is no file attached to it? I was under the impression that BHO lines with (no file) did not have any effect.
- The trojan emptied the windows prefetch folder upon installation. Why would it do that?
Let's see if there are some specialists in this forum.
Anyway: the trojan was very easy to remove. Disable two lines in the hijackthis log, restart and delete the installed files. Bah, way too easy. I'm looking forward to receiving an e-mail attachment that installs something that is more challenging, like some nasty rootkit.
Last edited by Gabethebabe; 01-19-2010 at 09:05 PM.
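As an added example (not part of this thread), a small Python parser for HijackThis O2 lines that separates BHOs whose DLL is present from orphaned "(no file)" entries of the kind shown above; the second log line, its CLSID and its path are constructed sample data.

```python
import re
from dataclasses import dataclass

# HijackThis O2 line format, as shown in the post:
#   O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    status: str  # "orphaned" (registered, DLL missing) or "loaded" (DLL present)


def classify_o2(line: str):
    """Return a BhoEntry for an O2 line, or None if the line is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path").strip()
    if path.lower() == "(no file)":
        # The CLSID is still registered under the IE BHO key, but the DLL it
        # points to is gone: nothing is loaded into the browser, yet the entry
        # is an infection leftover (or a dropper's staging slot) and should go.
        status = "orphaned"
    else:
        status = "loaded"
    return BhoEntry(m.group("name"), m.group("clsid"), path, status)


def scan_log(text: str):
    """Classify every O2 line in a HijackThis log; other sections are ignored."""
    return [e for e in (classify_o2(l) for l in text.splitlines()) if e]


# Constructed sample log: the orphaned entry from the post plus a made-up healthy BHO
SAMPLE_LOG = """\
O2 - BHO: (no name) - {D08E9241-FE51-4768-80D4-338E371AC294} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(f"{entry.status:8} {entry.clsid} {entry.name} -> {entry.path}")
```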
- 01-19-2010 #2
Quote (Gabethebabe): The trojan emptied the windows prefetch folder upon installation. Why would it do that?
Have you ever noticed that whenever you run a program the first time, it takes a bit longer than the subsequent runs? It's because of the prefetch folder. Each time you run a new program, Windows saves this information as a number of small files in the prefetch folder. The next time you turn on your computer, Windows refers to these files to help speed the start process, i.e. it loads it prior to your running it so that it can be executed faster, like a cache.
So I think that the trojan emptied the folder because it might be wanting to inject code into the exe files (original and not in the cache) and run the modified files.
If nothing else works, open command prompt and type 'del C:\Windows'
- 01-20-2010 #3
Any reason to install a virus? Sorry, I'm not aware.
- 01-20-2010 #4
Quote (Gabethebabe): Looking at a banking Trojan right now.
Use your adobe reader and call Zeus...
If you don't have the right set-up/testing box and proper knowledge/training, then don't try to play with the said nasty stuff.
Last edited by ceyfer; 01-20-2010 at 01:31 AM. Reason: yeah!
"positive anything is better than negative nothing"
- 01-20-2010 #5
@bonishah
Good to see that you know some things regarding prefetch, but be aware of the words you use... the prefetch folder is NOT like a cache. I suggest you read Ed Bott's article about it to get a better understanding of it:
One more time: do not clean out your Prefetch folder!
The only 'reason' I can think of right now as to why the Trojan emptied your Windows prefetch folder is this:
Despite some claims that clearing the contents of the prefetch folder can speed up boot time (some experts like Ed Bott believe that it's a bogus tip while others say it works), the fact is clearing the contents of the prefetch folder MAY degrade Windows performance as "Windows has to re-create the trace files the next time you run the program".
Perhaps that is what the Trojan intended to do by removing the contents of the Windows prefetch folder upon installation... it might have wanted to slow down Windows or the launching of certain apps... I'm merely guessing but this is the best logical reasoning I can think of right now...
And yes, I disagree with bonishah's thoughts (I find it funny):
Quote (bonishah): so I think that the trojan emptied the folder because it might be wanting to inject code into the exe files (original and not in the cache) and run the modified files.
Reason: Prefetch folder is NOT like cache.
And a virus/trojan doesn't need to modify prefetch files in order to inject code into an .exe file lol
They call me the mysterious one...
my motto is...when it's hot, chill baby
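As an added example (not from this thread or any of its posters), a Python check that treats an emptied Prefetch folder the way an incident responder would: not as a performance tweak but as removed execution history. File names, hashes and timestamps below are constructed; the %SystemRoot%\Prefetch layout (one <EXE>-<hash>.pf per launched program plus Layout.ini) is assumed.

```python
import time
from pathlib import Path


def prefetch_summary(entries, now, wipe_window_hours=24):
    """entries: list of (filename, mtime_epoch) for the Prefetch folder.

    Returns an assessment dict. No .pf files at all means Prefetch was either
    emptied (the symptom in the thread) or never enabled; an oldest .pf file
    younger than wipe_window_hours means everything older was deleted and the
    folder has only started refilling since the wipe.
    """
    pf = [(name, mtime) for name, mtime in entries if name.lower().endswith(".pf")]
    if not pf:
        return {"pf_count": 0, "oldest_age_h": None, "verdict": "emptied-or-disabled"}
    oldest = min(mtime for _, mtime in pf)
    age_h = (now - oldest) / 3600
    verdict = "recently-wiped" if age_h < wipe_window_hours else "normal"
    return {"pf_count": len(pf), "oldest_age_h": round(age_h, 1), "verdict": verdict}


def scan_prefetch_dir(path, now=None):
    """Read a real Prefetch directory (e.g. an image mounted for analysis)."""
    entries = [(f.name, f.stat().st_mtime) for f in Path(path).iterdir() if f.is_file()]
    return prefetch_summary(entries, time.time() if now is None else now)


# Constructed samples: a folder with months of history vs. one a dropper just cleared
NOW = 1_263_900_000  # constructed epoch timestamp, January 2010
DAY = 86400
HEALTHY = [
    ("NOTEPAD.EXE-D8414F97.pf", NOW - 40 * DAY),
    ("EXPLORER.EXE-082F38A9.pf", NOW - 90 * DAY),
    ("Layout.ini", NOW - 3 * DAY),
]
WIPED = [
    ("DROPPER.EXE-1A2B3C4D.pf", NOW - 600),  # only the file written after the wipe
    ("Layout.ini", NOW - 3 * DAY),
]

if __name__ == "__main__":
    print("healthy:", prefetch_summary(HEALTHY, NOW))
    print("wiped:  ", prefetch_summary(WIPED, NOW))
```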
- 01-20-2010 #6
- 01-20-2010 #7
Can you upload that sample to virus total and post the results. I am kinda wondering who detects it
- 01-20-2010 #8
Please read...
We are rather tired of repeating that VirusTotal was not designed as a tool to perform AV comparative analyses, but as a tool that checks suspicious samples with several AV programs and helps AV labs by forwarding them the malware they failed to detect. Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology, the most obvious being:
- VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc.
- In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
-blog.hispasec.com
- 01-20-2010 #9
I already did that and the score was like 12/41. I think the dropper is quite new but the trojan is not. Norton IS informed me that less than 10 of its users had encountered the dropper.
Anyway, that was not what I made this thread for. Looks like I'm going to have to find another forum to post my questions.
- 01-20-2010 #10
My logic (or at least from my understanding, when I was using HijackThis.de) is that the BHO (no file) entries are holes left in your system so a worm could root its way in. That's why nearly all 'auto-analysing' systems and all malware experts I've seen have said to remove them.
And as for the second part... I'd think to slow you down. It seems a little random for a trojan, but... I don't know. That has me stumped too.
pacman -Syyu life not found in sync db