McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.VB.jj (Kaspersky)

• PWSteal.Bancos (Symantec)

• TROJ_BANCOS.A (Trend)

• TROJ_BANCOS.B (Trend)

Characteristics

This is a password stealing trojan that captures bank account information (username/password) and sends this information to the author via ftp.

There are several variants of the trojan. The description is a general guide.  Newer variants require the latest DAT files for detection and cleaning.

Some variants come with dropper exes.  When the dropper exes run, the following message boxes might be displayed:

The dropper copies the main trojan to the local file system.  One of the following file names is used by the trojan.   

• %Sysdir%\winmaxy.exe
• %Sysdir%\winmax.exe
• %Sysdir%\SYS_386X\inicio.exe 

Where %Sysdir% is the Windows system directory.

One of the following registry keys is created to load the trojan at Windows start up.

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "win_(4 random letters + 4 random digits" = "%Sysdir%\SYS_386X\inicio.exe"
  
  (or) "WinMenssage" = %Sysdir%\winmaxy.exe
  
  (or) "WinMenssage" = %Sysdir%\winmax.exe

The trojan monitors Internet Explorer windows.  If a certain web page is displayed, the trojan will display one of its own web pages.  The trojan attemps to upload the information entered to ftp site: ftp.kit.net .  The following, is a web page screen capture:

Symptoms

Existence of files and registry keys mentioned above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.VB.jj (Kaspersky)

• PWSteal.Bancos (Symantec)

• TROJ_BANCOS.A (Trend)

• TROJ_BANCOS.B (Trend)

Characteristics

Characteristics -

This is a password stealing trojan that captures bank account information (username/password) and sends this information to the author via ftp.

There are several variants of the trojan. The description is a general guide.  Newer variants require the latest DAT files for detection and cleaning.

Some variants come with dropper exes.  When the dropper exes run, the following message boxes might be displayed:

The dropper copies the main trojan to the local file system.  One of the following file names is used by the trojan.   

• %Sysdir%\winmaxy.exe
• %Sysdir%\winmax.exe
• %Sysdir%\SYS_386X\inicio.exe 

Where %Sysdir% is the Windows system directory.

One of the following registry keys is created to load the trojan at Windows start up.

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "win_(4 random letters + 4 random digits" = "%Sysdir%\SYS_386X\inicio.exe"
  
  (or) "WinMenssage" = %Sysdir%\winmaxy.exe
  
  (or) "WinMenssage" = %Sysdir%\winmax.exe

The trojan monitors Internet Explorer windows.  If a certain web page is displayed, the trojan will display one of its own web pages.  The trojan attemps to upload the information entered to ftp site: ftp.kit.net .  The following, is a web page screen capture:

Symptoms

Symptoms -

Existence of files and registry keys mentioned above.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A