
Trojan:Win32/Eupuds.A


Microsoft security software detects and removes this threat.

The threat can collect your login details and other information from banking software, such as that used by the Boleto payment system. It can also steal your details from the websites of banks such as Banco Bradesco and Caixa Economica Federal.

This threat might have been installed on your PC by other malware.

Find out ways that malware can get on your PC.  



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The threat drops a copy of itself into the %APPDATA% folder using an eight-character file name made up of random letters and numbers.

It makes itself run each time you start your PC by adding a reference to the dropped file in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

It also creates the registry key HKCU\Software\SNYASVD5208.

The threat searches for the following processes and injects a DLL component into them:

  • chrome.exe - Chrome web browser
  • explore.exe - Windows file explorer
  • firefox.exe - Firefox web browser
  • iexplore.exe - Internet Explorer web browser

Payload
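The installation artifacts above (a random eight-character file in %APPDATA%, a Run key value pointing at it, the HKCU\Software\SNYASVD5208 key) together with the mutex names given under Additional information are the host-side indicators a responder would check. The following triage function is an added example and not part of the original write-up or of any Microsoft tool; it works on a constructed snapshot of a host rather than reading the live registry, and the file extension on the dropped copy is an assumption (the write-up only gives the name length).

```python
import re

# Constructed host snapshot (not data from a real infection): the values a
# collection script would pull from HKCU\...\Run, HKCU\Software, %APPDATA%
# and the mutex table before comparing them with the write-up's indicators.
SAMPLE_HOST = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "run_values": {  # value name -> command, from HKCU\...\CurrentVersion\Run
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "x7k2q9ab": r"C:\Users\alice\AppData\Roaming\x7k2q9ab.exe",
    },
    "hkcu_software_keys": ["Microsoft", "SNYASVD5208", "Mozilla"],
    "mutexes": ["Local\\SM0:1234:64:WilStaging_02", "RasPbFilezSh"],
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = "SNYASVD5208"                               # from the write-up
MUTEX_NAMES = {"RasPbFilezSh", "DynGateInstanceMutexS"}  # from the write-up


def image_path(command: str) -> str:
    """Return the executable part of a Run value (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def is_random_eight_char_dropper(path: str, appdata: str) -> bool:
    """True if `path` is an eight-letter/digit file sitting directly in %APPDATA%.

    The optional extension is an assumption; the write-up gives only the name
    length. On its own this name pattern is a weak signal (legitimate software
    can use short names too), so it is combined with the other indicators below.
    """
    prefix = appdata.rstrip("\\").lower() + "\\"
    if not path.lower().startswith(prefix):
        return False
    name = path[len(prefix):]
    return re.fullmatch(r"[a-z0-9]{8}(\.[a-z0-9]{1,4})?", name, re.IGNORECASE) is not None


def triage(host: dict) -> list:
    """Return human-readable findings for every indicator present on the host."""
    findings = []
    for name, cmd in host["run_values"].items():
        if is_random_eight_char_dropper(image_path(cmd), host["appdata"]):
            findings.append(f"run-key persistence: {RUN_KEY}\\{name} -> {cmd}")
    if MARKER_KEY in host["hkcu_software_keys"]:
        findings.append(f"registry marker: HKCU\\Software\\{MARKER_KEY}")
    for mutex in host["mutexes"]:
        if mutex in MUTEX_NAMES:
            findings.append(f"mutex: {mutex}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
```

A real collector would feed `triage` with values read through `winreg` and a mutex listing from a tool such as Sysinternals Handle; the matching logic is the same.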

Steals banking-related information

The threat tries to steal information about transactions you make using the Boleto payment system. It intercepts Boletos you receive and changes them so that the payments you try to make using that Boleto are stolen.

It looks for websites that use the following keywords:

  • boleto
  • pagador.com.br

It avoids website URLs that contain the following:

  • .bmp
  • .flv
  • .gif
  • .jpg
  • .jpeg
  • .png
  • .swf
  • facebook.com
  • hotmail.com
  • live.com


If an intercepted message contains the URL string facebookxxx.com/ajax/mercury/send_messages.php, the threat tries to send a message to the group in the string.

Note: This website is not related to facebook.com and is currently down.

Steals login details

The threat tries to steal your login details, such as your username and password for https://login.live.com/, if you visit it while your PC is infected.

It also tries to steal login details from Facebook and Hotmail.

Sends information to a remote server

Along with stealing your login details, the threat also steals information about your version of Windows and what Internet browser you use.

The threat connects to the following IPs to send the information it has collected:

  • 205.234.130.208
  • 216.246.91.224

It accesses the following pages:

  • /eupds.php
  • /mfb.php
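The two IP addresses and the two page paths above are the network indicators for this threat, and the keyword and exclusion lists in the Payload section describe which browsing traffic the threat acts on. The scanner below is an added example, not part of the original write-up; it runs over a few constructed proxy log lines (the log format, hosts and client addresses are all made up for the example) and labels C2 beacons separately from Boleto-related traffic that would be within the threat's scope on an infected host.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the write-up.
C2_IPS = {"205.234.130.208", "216.246.91.224"}
C2_PATHS = {"/eupds.php", "/mfb.php"}
BOLETO_KEYWORDS = ("boleto", "pagador.com.br")
IGNORED = (".bmp", ".flv", ".gif", ".jpg", ".jpeg", ".png", ".swf",
           "facebook.com", "hotmail.com", "live.com")

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2014-07-03T10:00:01Z 10.0.0.5 GET http://www.example-bank.com.br/boleto/segunda-via 200
2014-07-03T10:00:02Z 10.0.0.5 GET http://www.example-bank.com.br/boleto/logo.png 200
2014-07-03T10:00:05Z 10.0.0.5 POST http://205.234.130.208/eupds.php 200
2014-07-03T10:00:09Z 10.0.0.7 GET http://www.hotmail.com/boleto-news 200
2014-07-03T10:00:12Z 10.0.0.7 GET http://216.246.91.224/index.html 404
2014-07-03T10:00:15Z 10.0.0.9 POST http://cdn.example.net/mfb.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def in_threat_scope(url: str) -> bool:
    """Mirror the write-up's selection: a Boleto keyword, and none of the
    excluded substrings (static content and the listed webmail/social sites)."""
    lowered = url.lower()
    if any(skip in lowered for skip in IGNORED):
        return False
    return any(keyword in lowered for keyword in BOLETO_KEYWORDS)


def classify(url: str):
    """Label one URL; None means nothing in this write-up applies to it."""
    parsed = urlparse(url)
    host, path = parsed.hostname, parsed.path
    if host in C2_IPS and path in C2_PATHS:
        return "c2-beacon"          # both the address and the page match
    if host in C2_IPS:
        return "c2-host"            # listed address, unexpected page
    if path in C2_PATHS:
        return "c2-path"            # listed page on another host: worth a look
    if in_threat_scope(url):
        return "boleto-traffic"     # traffic the threat would intercept
    return None


def scan(log_text: str) -> list:
    """Return (client, label, url) for every line that gets a label."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        label = classify(match["url"])
        if label:
            hits.append((match["client"], label, match["url"]))
    return hits


if __name__ == "__main__":
    for client, label, url in scan(SAMPLE_LOG):
        print(f"{client:10} {label:15} {url}")
```

Only the `c2-beacon` label is specific to this threat; `boleto-traffic` is ordinary banking activity and is reported so that an analyst can see which sessions from a flagged client were exposed, not as a detection by itself.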

Changes security files

The threat changes the following files (in memory) to avoid detection:

  • gbieh.dll
  • gbiehabn.dll
  • gbiehcef.dll
  • gbiehscd.dll
  • gbiehuni.dll
  • gbpdist.dll

These files might be used by banking software, such as that of Banco Bradesco and Caixa Economica Federal.

Additional information

Hooks APIs

The threat hooks the following APIs to inject code, which it uses to monitor what you are doing on the Internet:

  • kernel32.dll - CreateProcessAsUserW
  • kernel32.dll - CreateProcessW
  • kernel32.dll - GetSystemTimeAsFileTime
  • nspr4.dll - PR_Close
  • nspr4.dll - PR_OpenTCPSocket
  • nspr4.dll - PR_Read
  • nspr4.dll - PR_Write
  • wininet.dll - HttpSendRequestA
  • wininet.dll - HttpSendRequestW
  • wininet.dll - InternetCloseHandle
  • wininet.dll - InternetQueryDataAvailable
  • wininet.dll - InternetReadFile
  • wininet.dll - InternetReadFileExA
  • wininet.dll - InternetWriteFile
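Hooks of the kind listed above are placed inside the browser process, where a defender can find them by reading the first bytes of each exported function and checking for a redirect (a jmp or push/ret stub) or for a prologue that no longer matches the on-disk copy of the module. The checker below is an added example, not part of the original write-up or of any Microsoft tool. It works on constructed byte strings standing in for function prologues (the classic x86 hot-patchable prologue is used as the "clean" reference); reading those bytes from a live process is outside the example.

```python
from typing import Optional

# Constructed prologues (no bytes from a real module or process are used).
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")          # mov edi,edi; push ebp; mov ebp,esp
JMP_REL32_HOOK = bytes.fromhex("e900104000") + b"\x90"  # jmp rel32 to 0x401000 past the stub
JMP_ABS_HOOK = bytes.fromhex("ff2500104000")          # jmp dword ptr [0x401000]
PUSH_RET_HOOK = bytes.fromhex("6800104000c3")         # push 0x401000; ret

# Constructed snapshot: "module!function" -> first bytes read from memory.
# Function names are the ones listed in the write-up; which of them is hooked
# here is made up for the example.
SAMPLE_SNAPSHOT = {
    "wininet.dll!HttpSendRequestA": JMP_REL32_HOOK,
    "wininet.dll!InternetReadFile": CLEAN_PROLOGUE,
    "nspr4.dll!PR_Write": PUSH_RET_HOOK,
    "kernel32.dll!CreateProcessW": CLEAN_PROLOGUE,
}


def detect_inline_hook(prologue: bytes, known_clean: Optional[bytes] = None) -> Optional[str]:
    """Describe a hook found at the start of a function, or None if it looks clean.

    The first three checks recognise the common redirect stubs; the last one
    compares against a reference prologue (for example the bytes of the same
    export in the module file on disk) and catches stubs of other shapes.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        displacement = int.from_bytes(prologue[1:5], "little", signed=True)
        return f"jmp rel32 (displacement {displacement:#x})"
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        return "jmp [abs32]"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push/ret"
    if known_clean is not None and prologue[: len(known_clean)] != known_clean:
        return "prologue differs from on-disk copy"
    return None


def scan_hooks(snapshot: dict, known_clean: Optional[bytes] = CLEAN_PROLOGUE) -> list:
    """Return (name, finding) for every function in the snapshot that is hooked."""
    hooked = []
    for name, prologue in snapshot.items():
        finding = detect_inline_hook(prologue, known_clean)
        if finding:
            hooked.append((name, finding))
    return hooked


if __name__ == "__main__":
    for name, finding in scan_hooks(SAMPLE_SNAPSHOT):
        print(f"{name}: {finding}")
```

On a real host the reference prologue must come from the matching module version on disk (after relocation and import fix-ups), and some legitimate software also patches these exports, so a hit is a lead for investigation rather than a verdict on its own.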

It creates a mutex, which could serve as an infection marker to prevent more than one copy of the threat from running on your PC. We have seen it use the names RasPbFilezSh and DynGateInstanceMutexS for the mutex.

Analysis by Zarestel Ferrer


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.143.1532.0
Latest detected by definition: 1.183.935.0 and higher
First detected on: Feb 04, 2013
This entry was first published on: Jul 02, 2014
This entry was updated on: Jul 03, 2014

This threat is also detected as:
  • Trojan.Win32.Eupuds (Ikarus)