W32.Bambo


Aliases: Trojan.WebMoney.Keepcar, PWS-Narod
Variants: W32.Bambo.gen, TROJ_WEBMONER.B

Classification: Malware
Category: Trojan Horse

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 02 Jul 2003
Damage: Low

Characteristics: The Trojan W32.Bambo program is a malware specifically created for stealing WebMoney Keeper files in a target computer system.

More details about W32.Bambo

Aside from stealing WebMoney Keeper files, the Trojan W32.Bambo program can also capture data from the clipboard and regularly log the user’s key strokes. WebMoney is a system for electronic money and online payment. Each transaction is conducted via WebMoney Transfer. This online payment scheme originated in Belize and its initial customers were from Russia. Presently, WebMoney is used worldwide and they cater to approximately 6 million users. WebMoney provides its users with free applications such as the WM Keeper Classic to aid users in organizing their WebMoney transactions. This free application is installed on the user’s machine and the files with the .pwm and .kwm (WebMoney keeper files) used for this application are the files targeted by the W32.Bambo Trojan program.

When installed and run in the target computer, this Trojan will make copies of itself as C:\ Windows\ System\ Load32.exe, C:\ Windows\ System Vxdmgr32.exe, C:\ Windows\ Dllreg.exe, and C:\ Windows\ StartUp\ rundllw.exe. It will then proceed to add certain registry keys so that it can run with Windows upon startup. The Trojan then alters the System.ini file’s shell=line to shell=explorer.exe C:\ WINDOWS\ SYSTEM\ vxdmgr32.exe. It will also drop and run the C:\ Windows\ Sysdrv.exe file to end all processes it has flagged as security related. After the system alterations, the Trojan will capture data from the clipboard, log key strokes, find WebMoney files, and then send these to a predefined email address.