
WORM_LUDER.USR

Posted: May 9, 2013

Threat Metric

Threat Level: 5/10
Infected PCs: 30
First Seen: May 9, 2013
Last Seen: December 13, 2022
OS(es) Affected: Windows

Brazil has long been a popular target for malware authors interested in attacking bank accounts, with past examples like Trojan-Banker.Win32.Banbra.atfl, TSPY_BANKER.EUIQ and Trojan.Komodola, and WORM_LUDER.USR is one of the more recent PC threats designed for that purpose. Distributed through forum spam links together with a specialized web browser, WORM_LUDER.USR is disguised as a free bank 'plugin' but actually steals the account information entered into the bundled browser. Currently, Banco do Brasil (Bank of Brazil) is the main bank targeted in these attacks, although similar PC threats have been known to target other online banks, particularly those operating in Brazil. SpywareRemove.com malware experts encourage potential victims to avoid installing any software from unverified sources like these, including specialized web browsers; if you do need to remove WORM_LUDER.USR from your computer, a good anti-malware program should be sufficient.

Why Random Forum Posters Shouldn't Be Used as Software Sources

WORM_LUDER.USR is marketed through forum posts (and potentially other methods) that promote WORM_LUDER.USR and the accompanying browser as utilities for logging in to Banco do Brasil without its security plugin, by making the site believe that the special browser is an iPhone (most likely by spoofing the browser's User-Agent string so that the bank serves the version of its site that does not demand the plugin). Although this browser does navigate directly to the Banco do Brasil website and does, in fact, do what it claims, launching the WORM_LUDER.USR 'plugin' beforehand (as the directions instruct users to do) lets WORM_LUDER.USR capture your bank account's login information.

Anti-malware programs may detect WORM_LUDER.USR as Worm:Win32/Rebhip.A or Worm.Win32.Luder.tvz. Rebhip is the name many vendors apply to builds of the CyberGate/SpyNet remote-access tool family, and the artifacts listed under Technical Details (the XX--XX--XX.TXT, XxX.xXx and UuU.uUu marker files in %User Temp%, the logs.dat file in %Application Data%, and the HKEY_CURRENT_USER\Software\vítima key, 'vítima' being Portuguese for 'victim') are consistent with that family's default footprint, which would mean the 'plugin' gives its operator general remote access to the PC rather than only the banking credentials. The browser designed to work with WORM_LUDER.USR also may be detected as a variant of Parite, a file-infecting virus, which may mean that the browser executable was itself infected rather than written as malware. Both WORM_LUDER.USR and its browser are specific to Windows, but can attack multiple versions of that OS.

SpywareRemove.com malware researchers also warn that, as with any worm, you should be prepared for WORM_LUDER.USR to use your PC to infect other computers. WORM_LUDER.USR may infect any accessible flash drives, spread through local networks or use your PC to post a new series of forum spam messages. Take appropriate precautions to keep WORM_LUDER.USR from reaching other computers that may be vulnerable to these attacks originating from your own, for example by disconnecting the infected PC from the network and not attaching removable drives to it until it has been cleaned.

A Pesticide That Even a Digital Thief Can't Beat

SpywareRemove.com malware experts never recommend installing software from sources like the one outlined in this article, and particularly emphasize what a spectacularly bad idea it is to log in to your bank account while intentionally circumventing the bank's security procedures. As the forum posts describe it, WORM_LUDER.USR steals your bank credentials only when you intentionally use its browser and enter your information, so appropriate user education and caution are the best ways to protect your PC and money from WORM_LUDER.USR attacks. That said, the installed component persists and runs independently of the bundled browser (see the Run entries under Technical Details), so do not assume that only the credentials typed into that browser are at risk.

In cases where you or someone you know has fallen for WORM_LUDER.USR's scam, SpywareRemove.com malware experts note that you should consider the relevant bank account compromised. Contact Banco do Brasil for advice on protecting your account from fraudulent transactions, change the account's credentials from a device you know is clean, and use anti-malware applications to delete WORM_LUDER.USR and its browser from your computer. While you're scanning for WORM_LUDER.USR, you also should pay particularly close attention to any removable drives (such as USB flash drives) and network-accessible locations that WORM_LUDER.USR may have used to spread.

Technical Details

File System Modifications

Tutorials: if you wish to remove the malware components listed below manually, the site's general tutorials on finding malware, killing unwanted processes, removing malicious DLLs and deleting other harmful files apply. Always back up your PC before making any changes.

The following files were created in the system (%System% is the Windows system directory, for example C:\Windows\System32; %User Temp% and %Application Data% are the current user's Temp and Application Data folders):

Navegador BB.exe (executable; "Navegador BB" is Portuguese for "BB Browser", the bundled banking browser)
Plugin_Navegador_2.1.3.exe (executable; the "browser plugin" that the forum instructions tell victims to run first)
%System%\install\server.exe (executable; the installed worm component that every autostart entry below points at)
%User Temp%\[RANDOM FILE NAME].tmp (temporary file)
%Application Data%\logs.dat (data file)
%User Temp%\XX--XX--XX.TXT (text file)
%User Temp%\XxX.xXx
%User Temp%\UuU.uUu

Registry Modifications

The following Registry keys and values are created (the Active Setup CLSID is reproduced exactly as the page gives it; it is not a valid hexadecimal GUID, so treat it as a placeholder rather than an exact indicator):

Values:
HKEY_CURRENT_USER\Software\vítima "FirstExecution" = "{current date and time in the format dd/mm/yyyy -- hh:mm}"
HKEY_CURRENT_USER\Software\vítima "NewIdentification" = "vítima"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} "StubPath" = "%System%\install\server.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "Policies" = "%System%\install\server.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "HKCU" = "%System%\install\server.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "HKLM" = "%System%\install\server.exe"

Subkeys:
HKEY_CURRENT_USER\Software\vítima
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}

Four separate autostart entries point at the same server.exe: two ordinary Run values, a policies\Explorer\Run value (a Group Policy autostart location that removal tools and people often overlook) and an Active Setup StubPath (which runs once at logon for every user profile that has not yet recorded this component). Removing only one of them leaves the others to restart the worm, so delete all four together with the file they reference.
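A hunt script for the file and Registry artifacts listed above, added here as an example; it is not part of the original page and not any vendor's tooling. It encodes the autostart keys, value names, payload path and marker file names from the Technical Details section, runs offline over constructed sample entries, and on Windows can also enumerate the live Run keys through the standard winreg module. The sample entries, the benign Active Setup GUID and the svchost.exe path in the relocated-copy entry are constructed for illustration and were not captured from a real host.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

try:
    import winreg  # Windows only; None elsewhere so the module still imports
except ImportError:
    winreg = None

# Autostart keys named in the page's Registry Modifications section.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
)
RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}
CONFIG_KEY_LC = r"hkey_current_user\software\vítima"  # CyberGate-style config key
# The page gives the payload as %System%\install\server.exe; match the path tail so
# the check does not depend on how %System% resolves on a given host.
PAYLOAD_TAIL = re.compile(r'\\install\\server\.exe"?\s*$', re.IGNORECASE)
SUSPICIOUS_VALUE_NAMES = {"hkcu", "hklm", "policies"}  # value names this sample uses
MARKER_FILES = {"xx--xx--xx.txt", "xxx.xxx", "uuu.uuu", "logs.dat"}  # %User Temp% / %Application Data%

@dataclass(frozen=True)
class RegValue:
    key: str   # full key path with the hive spelled out
    name: str
    data: str  # value data as a string

def classify_value(v: RegValue) -> Optional[str]:
    """Return why a registry value matches the page's indicators, or None."""
    key = v.key.rstrip("\\").lower()
    if key == CONFIG_KEY_LC:
        return "CyberGate-style configuration key HKCU\\Software\\vítima"
    if PAYLOAD_TAIL.search(v.data):
        return "autostart data points at ...\\install\\server.exe"
    if key in RUN_KEYS_LC and v.name.lower() in SUSPICIOUS_VALUE_NAMES:
        return "Run value named %r after a hive/key, as this sample does" % v.name
    return None

def scan_values(values: Iterable[RegValue]) -> List[Tuple[RegValue, str]]:
    """Apply classify_value() to every entry and return (entry, reason) matches."""
    scored = [(v, classify_value(v)) for v in values]
    return [(v, reason) for v, reason in scored if reason is not None]

def scan_paths(paths: Iterable[str]) -> List[str]:
    """Return paths whose file name is a page marker/log file (ntpath handles
    backslashes on any OS). logs.dat is generic: a lead, not proof on its own."""
    return [p for p in paths if ntpath.basename(p).lower() in MARKER_FILES]

def collect_live_run_values() -> List[RegValue]:
    """On Windows, enumerate every value under RUN_KEYS; elsewhere return []."""
    if winreg is None:
        return []
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for full in RUN_KEYS:
        hive_name, subkey = full.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:  # no more values
                        break
                    found.append(RegValue(full, name, str(data)))
                    index += 1
        except OSError:  # key absent or access denied
            continue
    return found

# Constructed sample data for this example, not captured from a real host; the
# benign Active Setup GUID and the svchost.exe path are hypothetical.
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
SAMPLE_VALUES = [
    RegValue(RUN_KEYS[0], "OneDrive", r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegValue(RUN_KEYS[0], "HKCU", r"C:\Windows\system32\install\server.exe"),
    RegValue(RUN_KEYS[1], "HKLM", r"C:\Windows\system32\install\server.exe"),
    RegValue(RUN_KEYS[2], "Policies", r"C:\Windows\system32\install\server.exe"),
    RegValue(ACTIVE_SETUP + r"\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}", "StubPath",
             r"C:\Windows\system32\install\server.exe"),
    RegValue(ACTIVE_SETUP + r"\{12345678-1234-1234-1234-123456789ABC}", "StubPath",
             r"C:\Windows\System32\ie4uinit.exe -UserIconConfig"),
    RegValue(r"HKEY_CURRENT_USER\Software\vítima", "NewIdentification", "vítima"),
    # A relocated copy misses the path-tail check but still carries the telltale name.
    RegValue(RUN_KEYS[0], "HKLM", r"C:\Users\ana\AppData\Roaming\svchost.exe"),
]
SAMPLE_PATHS = [
    r"C:\Users\ana\AppData\Local\Temp\XX--XX--XX.TXT",
    r"C:\Users\ana\AppData\Local\Temp\UuU.uUu",
    r"C:\Users\ana\AppData\Local\Temp\report.tmp",
    r"C:\Users\ana\AppData\Roaming\logs.dat",
]

if __name__ == "__main__":
    for value, reason in scan_values(SAMPLE_VALUES + collect_live_run_values()):
        print(f"[registry] {value.key} -> {value.name!r}: {reason}")
    for path in scan_paths(SAMPLE_PATHS):
        print(f"[file] {path}")
```

Run as-is, the script reports the six constructed registry matches and three marker files and ignores the benign OneDrive and ie4uinit entries. On a Windows host it additionally feeds the real Run key contents through the same checks; extend collect_live_run_values() with the Active Setup subkeys and a walk of %TEMP% and %APPDATA% to cover the remaining locations from the list above.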