Tuesday, July 6, 2010


While in operation, the virus searches for a running Internet Explorer instance that uses DDE (Dynamic Data Exchange). If such an instance is found, the spy-banker checks for the banking URLs it has been instructed to monitor and displays a fake web browser window that looks identical to the bank’s login system. Of course, if the user logs in, his/her credentials will actually land in the attacker’s inbox.

It is no secret that banker Trojans spring mostly from Brazil, and Trojan.Spy.Banker.ABGS is no exception to the rule.