
Trojan:Win32/Valden


First posted on 06 June 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Valden.

Explanation:



Installation

When it runs, the trojan checks if an existing instance of itself is already running on your computer. If not, it will set the following registry entry to ensure that Internet Explorer checks for newer versions of webpages on every visit:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings
Sets Value: "SyncMode5"
With data: "0x00000003"

It also creates the following key to ensure that it runs each time you start your computer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<variable value>", for example, "Tpbrx Eqnaeuwvn"
With data: "<full path of original malware file>"

It then checks your computer for the "Gbuster Anti Fraud" security software that is used by some major banks in Brazil. If it finds this software on your computer, it continues with its malicious payload. If not, the trojan will remain on your computer, and periodically check for "Gbuster Anti Fraud" security software.

If it finds "Gbuster Anti Fraud" security software on your computer, it drops a randomly-named file in your temporary directory.

The trojan then checks for an open Internet Explorer or Mozilla Firefox browser, and if found, creates the following registry key:

In subkey: HKCU\<random file name> for example, "azrgLaFBG"
Sets value: "<random file name>" for example, "azrgLaFBG"
With data: "<browser's process ID>" for example, "0x00000670"

Note that the browser process ID varies on different computers.

It then runs the dropped file in the temporary directory using a randomly-named batch file, which is then deleted.
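The three registry artefacts described above (the SyncMode5 change, the Run persistence entry, and the HKCU\<random name> key holding the browser PID) can be triaged from an exported hive. The following Python is an added example, not part of the original description or of any Microsoft tooling: it parses a constructed `reg export`-style dump (the sample data, the value names and the paths under the user profile are assumptions; only the key layout comes from the text) and reports the patterns. Path comparison ignores case and whitespace, so the space-less spelling of "InternetSettings" used above matches the on-disk "Internet Settings" key as well.

```python
import re

# Constructed 'reg export HKCU'-style dump (not a real capture). It reproduces the
# three registry artefacts described above, mixed with benign entries so the
# heuristics can be seen passing over legitimate data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SyncMode5"=dword:00000003
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Tpbrx Eqnaeuwvn"="C:\\Users\\alice\\AppData\\Local\\Temp\\rundata\\update.exe"

[HKEY_CURRENT_USER\azrgLaFBG]
"azrgLaFBG"=dword:00000670

[HKEY_CURRENT_USER\Software\Vendor\App]
"App"=dword:00000670
"""

HIVE = "HKEY_CURRENT_USER"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"=(.*)$')


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2)
            if rhs.startswith("dword:"):
                keys[current][name] = ("dword", int(rhs[6:], 16))
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                # .reg files escape backslashes inside string data as '\\'
                keys[current][name] = ("sz", rhs[1:-1].replace("\\\\", "\\"))
            else:
                keys[current][name] = ("raw", rhs)
    return keys


def normalise(path):
    # Compare key paths case-insensitively and without spaces, so both
    # 'Internet Settings' and the space-less spelling used above match.
    return re.sub(r"\s+", "", path).lower()


INET_SETTINGS = normalise(HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
RUN_KEY = normalise(HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run")


def triage(keys):
    """Return (severity, key_path, detail) findings for the artefacts described above."""
    findings = []
    for path, values in keys.items():
        npath = normalise(path)
        parts = path.split("\\")
        # 1. IE told to check for newer page versions on every visit. A user can
        #    set this legitimately, so on its own it is only a weak signal.
        if npath == INET_SETTINGS:
            kind, data = values.get("SyncMode5", (None, None))
            if kind == "dword" and data == 3:
                findings.append(("low", path, "SyncMode5=0x3 (refresh pages on every visit)"))
        # 2. Persistence: Run values whose target lives in the user's Temp directory.
        #    Heuristic only; the description gives just '<full path of original malware file>'.
        if npath == RUN_KEY:
            for name, (kind, data) in values.items():
                if kind == "sz" and re.search(r"\\appdata\\local\\temp\\", data, re.I):
                    findings.append(("medium", path, f'Run value "{name}" launches from Temp: {data}'))
        # 3. The distinctive marker: a key directly under HKCU whose only value
        #    repeats the key name and holds a DWORD (the stored browser PID).
        if len(parts) == 2 and parts[0] == HIVE:
            name = parts[1]
            if list(values) == [name] and values[name][0] == "dword":
                findings.append(("high", path, f"HKCU\\{name}\\{name} = 0x{values[name][1]:08x} (stored browser PID pattern)"))
    return findings


def triage_sample():
    return triage(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for severity, path, detail in triage_sample():
        print(f"[{severity.upper():6}] {path}\n         {detail}")
```

The benign `HKCU\Software\Vendor\App` key in the sample also has a value that repeats its key name, but it is not flagged because the marker the description gives is a key directly under the HKCU root; a looser check would produce noise on ordinary software settings.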



Payload

Steals online banking information

Trojan:Win32/Valden targets a number of Brazilian banks from which to steal online banking credentials.

In the wild, we've observed it targeting the following banking websites:

  • aapj.bb.com.br
  • bancobrasil.com.br
  • bradesco.com.br
  • bradescoprime.com.br
  • hsbc.com.br
  • hsbc.uniaodebancos.net
  • santandernet.com.br
  • sicredi.com.br


The trojan attempts to steal your online banking credentials, and details about your computer; it then sends this information to a remote host.

In the wild, we've observed it connecting to the following addresses for this purpose:

  • 188.126.79.80
  • 91.236.116.160
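
As an added example that is not part of the original description, the following Python triages a constructed proxy log against the two remote addresses and the banking sites listed above. The log format and the sample lines are assumptions; the indicator values come from the text. Visiting a listed bank is normal user activity, so it is kept only as context for clients that also contacted one of the remote addresses, which is what tells an analyst whose credentials may have been exposed. Domain matching enforces a label boundary so look-alike names (for example `notbradesco.com.br`) do not match.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators listed in the description above.
C2_ADDRESSES = {"188.126.79.80", "91.236.116.160"}
TARGETED_SITES = {
    "aapj.bb.com.br", "bancobrasil.com.br", "bradesco.com.br", "bradescoprime.com.br",
    "hsbc.com.br", "hsbc.uniaodebancos.net", "santandernet.com.br", "sicredi.com.br",
}

# Constructed proxy log (not a real capture). Assumed format:
# <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2013-06-06T10:01:02Z 10.0.0.15 GET https://www2.bancobrasil.com.br/login 200
2013-06-06T10:01:05Z 10.0.0.15 POST https://aapj.bb.com.br/aapj/login 200
2013-06-06T10:01:09Z 10.0.0.15 POST http://188.126.79.80/ 200
2013-06-06T10:02:30Z 10.0.0.22 GET https://www.example.com/ 200
2013-06-06T10:03:11Z 10.0.0.22 GET http://91.236.116.160:8080/ 404
2013-06-06T10:04:00Z 10.0.0.31 GET https://notbradesco.com.br/ 200
"""


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary enforced)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname or "", "status": int(status)}


def exposure_report(log_text):
    """Map each client that contacted a listed address to the targeted bank sites it also visited."""
    c2_hits, bank_visits = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev["host"]
        if is_ip(host):
            if host in C2_ADDRESSES:
                c2_hits.setdefault(ev["client"], []).append(host)
            continue
        for site in TARGETED_SITES:
            if host_matches(host, site):
                bank_visits.setdefault(ev["client"], set()).add(site)
    # Only clients with a remote-address contact are reported; bank visits alone are not findings.
    return {
        client: {"c2_contacts": hosts, "banks_visited": sorted(bank_visits.get(client, ()))}
        for client, hosts in c2_hits.items()
    }


if __name__ == "__main__":
    for client, info in exposure_report(SAMPLE_LOG).items():
        print(client, "->", info)
```

In the sample, 10.0.0.15 is reported with two bank sites visited shortly before the remote contact, 10.0.0.22 is reported with no bank context, and 10.0.0.31 does not appear at all.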

Additional information

To perform its information-stealing payload, the trojan injects code into the Internet Explorer or Mozilla Firefox browser DLL.

The injected DLL then hooks the following functions in wininet.dll, urlmon.dll and nspr4.dll to steal your banking credentials:

  • HttpSendRequestW
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetWriteFile
  • PR_OpenTCPSocket
  • PR_Read
  • PR_Write




Analysis by Jody Koo

Last update 06 June 2013

 
