PWS-WebMoney.gen
- Type: Trojan
- SubType: Password
- Discovery Date: 02/01/2004
- Length: Various
- Minimum DAT: 4326 (02/18/2004)
- Updated DAT: 4629 (11/16/2005)
- Minimum Engine: 5.1.00
- Description Added: 02/20/2004
- Description Modified: 01/11/2006 11:41 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update, June 30th 2004 --
The risk assessment of this threat has been upgraded to Low-Profiled due to media attention concerning a recent banking scam (see below).
A banking scam has been reported which involves this password-stealing trojan. Multiple components are involved in getting the trojan installed on the victim machine:
- The process originates from a popup adserver compromised using Exploit-MhtRedir.
- The exploit code loads a CHM file (detected as Keylog-Lodis) bearing HTML content which contains another instance of Exploit-MhtRedir.
- This is used to run a downloading trojan (detected as Downloader-HW with the specified DATs) that downloads and installs the password-stealing trojan.
The trojan installed on the victim machine in this case is a Browser Helper Object (BHO) DLL:
- IEHOOK.DLL (49,040 bytes)
The system Registry is modified such that Internet Explorer loads it (with other, potentially legitimate BHOs) when started.
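Because the trojan persists as a BHO, a defender's first check is to enumerate the BHOs Internet Explorer is configured to load and resolve each one to the DLL on disk. The following is an added example (not McAfee's code) that parses a Regedit 5.00 export of the Browser Helper Objects key and the corresponding CLSID InprocServer32 entries, then flags any BHO whose DLL matches the file name given above (IEHOOK.DLL), cannot be resolved, or is not on an operator-maintained allow list. The sample export, the CLSIDs and the benign DLL path are constructed placeholders; the allow list is an assumed input.

```python
import re
import sys
from pathlib import PureWindowsPath

# Constructed sample of a .reg export (added example; not from the advisory).
# The CLSIDs and the benign DLL path are placeholders; only the file name
# IEHOOK.DLL is taken from the advisory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\ExampleHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\IEHOOK.DLL"
"ThreadingModel"="Apartment"
"""

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
KNOWN_BAD_FILENAMES = {"IEHOOK.DLL"}  # file name given in the advisory

# Matches `@="..."` (default value) or `"Name"="..."` lines of a .reg export.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export.
    Quoted string values are unescaped; other value types are kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def enumerate_bhos(keys):
    """Map each registered BHO CLSID to the DLL Internet Explorer will load."""
    prefix = BHO_KEY + "\\"
    bhos = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:  # a deeper subkey, not the CLSID entry itself
            continue
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        bhos.append((clsid, keys.get(server_key, {}).get("")))
    return bhos


def triage_bhos(bhos, allowed_clsids):
    """Flag BHOs that are known-bad, unresolvable, or not on the allow list."""
    allowed = {c.upper() for c in allowed_clsids}
    findings = []
    for clsid, dll in bhos:
        if dll is None:
            findings.append((clsid, dll, "no InprocServer32 path found"))
        elif PureWindowsPath(dll).name.upper() in KNOWN_BAD_FILENAMES:
            findings.append((clsid, dll, "file name matches the advisory"))
        elif clsid.upper() not in allowed:
            findings.append((clsid, dll, "BHO not on the allow list"))
    return findings


if __name__ == "__main__":
    # Real exports written by regedit are UTF-16LE; pass a file path to scan one.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-16").read()
    else:
        text = SAMPLE_REG_EXPORT
    allow = {"{AAAAAAAA-0000-0000-0000-000000000001}"}  # placeholder allow list
    for clsid, dll, reason in triage_bhos(enumerate_bhos(parse_reg_export(text)), allow):
        print(f"{clsid}  {dll}  <- {reason}")
```

Exporting the two keys from a suspect machine and running the script against the export keeps the triage off the infected host; an allow list of CLSIDs from a known-clean build of the same image is what makes the "not on the allow list" finding meaningful.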
Once installed, the trojan captures data from HTTPS sessions, specifically to several banking sites. Domains containing any of the following strings are targeted:
- .anz.com
- .bendigobank.com.au
- .citibank.com
- .citibank.de
- .commbank.com.au
- .dab-bank.com
- .deutsche-bank.de
- .e-gold.com
- .hsbc.com.au
- .hsbc.com.hk
- .online-banking.standardchartered.com.hk
- .sparkasse-banking.de
- .stgeorge.com.au
- banking.lbbw.de
- banking.mashreqbank.com
- banknetpower.net
- barclays.co.uk
- cd.citibank.co.ae
- cibconline.cibc.com
- citibank.com.au
- dit-online.de
- easyweb.tdcanadatrust.com
- ebank.uae.hsbc.com
- ekocbank.kocbank.com.tr
- hercules.pamukbank.com.tr
- internetsube.akbank.com.tr
- lloydstsb.co.uk
- national.com.au
- nbd.ae
- online.nbad.com
- online-banking.standardchartered.ae
- pbg1.edc.citiaccess.com
- standardchartered.com
- suncorpmetway.com.au
- westpac.com.au
- www.alahlionline.com
- www.almubasher.com.sa
- www.arabi-online.com
- www.cbdonline.ae
- www.citibank.com.hk
- www.dahsing.com
- www.ebank.iba.com.hk
- www.privatebank.citibank.com.sg
- www.sabbnet.com
- www.samba.com
- www.scotiaonline.scotiabank.com
- www.unb.com
- www1.bmo.com
- www1.royalbank.com
Captured data is then sent via HTTP to be processed by a script residing on a remote server:
- www.refestltd.com
Administrators should block HTTP access to this domain.
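Besides blocking the domain, a defender can search existing proxy logs for clients that already contacted it, and check which of the targeted banking domains each such client reached shortly before. The following is an added example (not McAfee's code) that applies the trojan's own "domain contains string" rule to a subset of the list above and emits one alert per request to www.refestltd.com. The log format, client addresses, timestamps, bank host names and the script path are constructed; the advisory does not name the server-side script.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Remote host named in the advisory as the exfiltration endpoint.
EXFIL_HOST = "www.refestltd.com"
# A subset of the target strings listed in the advisory; the trojan matches
# any domain *containing* one of these, so the check below does the same.
TARGET_STRINGS = (".anz.com", ".commbank.com.au", ".citibank.com",
                  "barclays.co.uk", "westpac.com.au", "www1.bmo.com")

# Constructed proxy log (added example, not from the advisory). Client IPs,
# timestamps, the bank host names and the script path are all made up.
SAMPLE_PROXY_LOG = """\
2004-06-30T09:14:02 10.0.0.23 CONNECT ibanking.anz.com:443 200
2004-06-30T09:14:30 10.0.0.23 GET http://www.example.com/news.html 200
2004-06-30T09:15:40 10.0.0.23 POST http://www.refestltd.com/cgi-bin/collect.cgi 200
2004-06-30T10:02:55 10.0.0.42 CONNECT www.commbank.com.au:443 200
2004-06-30T12:30:00 10.0.0.42 POST http://www.refestltd.com/cgi-bin/collect.cgi 200
"""


def host_of(target):
    """Extract the host from a URL or from a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def parse_line(line):
    """Fields: timestamp client method url-or-host:port status."""
    ts, client, method, target, status = line.split(maxsplit=4)
    return {"time": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host_of(target), "status": status}


def is_targeted_bank(host):
    """The substring rule the advisory describes for the trojan's target list."""
    return any(s in host for s in TARGET_STRINGS)


def find_exfil_alerts(log_text, window=timedelta(minutes=30)):
    """One alert per request to EXFIL_HOST, listing the targeted bank hosts the
    same client reached within `window` before it (the list may be empty)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev["host"] != EXFIL_HOST:
            continue
        banks = sorted({e["host"] for e in events
                        if e["client"] == ev["client"]
                        and is_targeted_bank(e["host"])
                        and ev["time"] - window <= e["time"] <= ev["time"]})
        alerts.append({"client": ev["client"], "time": ev["time"].isoformat(),
                       "method": ev["method"], "banks_visited": banks})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_alerts(SAMPLE_PROXY_LOG):
        print(alert)
```

Any contact with the exfiltration host is worth an alert on its own; the correlated bank hosts only tell the responder which accounts may need to be treated as exposed, and an empty list (as for the second client, whose bank session fell outside the window) does not lower the priority.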
--
Generic Description
This detection is for keylogging and data-capturing DLLs intended to log data entered by the victim whilst accessing online banking services.
It is likely that multiple malicious keylogging trojans are detected as such. For optimal detection please use the latest engine/DATs, and ensure the scanning of compressed files is enabled (default option).
The specific data targeted by the keylogger will vary. Typically, keystrokes entered within a window whose title contains strings associated with online banking/financial services are logged. For example:
- webmoney (for example BackDoor-CAY)
- paypal
- e-gold
- moneykeeper (for example, PWS-MoneyKeeper)
Typically, logged keystroke data for such sessions will contain sensitive data such as:
- user credentials (username, password)
- account numbers
- card numbers
The logged data is then transmitted back to the hacker. This is typically achieved via SMTP or HTTP (the exact mechanism will vary).
If you suspect such an infection, please submit a sample via www.webimmune.net.
Symptoms
Symptoms will vary between different keylogging trojans. Typically, the following may be observed:
- unexpected files on the system hooking system startup
- unexpected log file (ascii) bearing the hallmarks of keylogger output. For example, containing strings such as {Esc}, {F3}, {Bksp} etc.
- unexpected outgoing SMTP or HTTP traffic (local firewall alert) as the log is transmitted to the hacker.
- unexpected Browser Helper Objects (BHOs) installed on the victim machine. (This is done such that Internet Explorer loads the password-stealing trojan when started.)
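The second symptom above, a plain-text log full of key markers, can be turned into a simple triage check. The following is an added example (not McAfee's code) that scores a text for the markers the advisory names ({Esc}, {F3}, {Bksp}), plus a wider set of {Key} markers that is an assumption about typical keylogger output, and applies a minimum count and density so that ordinary documentation mentioning a function key once is not flagged. The two sample texts are constructed.

```python
import re
from pathlib import Path

# Markers the advisory names as hallmarks of keylogger output.
ADVISORY_TOKENS = ("{Esc}", "{F3}", "{Bksp}")
# Wider pattern covering other {Key} markers; the extra key names are an
# assumption about typical keylogger output, not from the advisory.
TOKEN_RE = re.compile(
    r"\{(?:Esc|F(?:[1-9]|1[0-2])|Bksp|Enter|Tab|Shift|Ctrl|Alt|Del|Ins)\}")

# Constructed samples (added example, not from the advisory). The window
# title line and the credentials are made up.
SAMPLE_KEYLOG = """\
[Internet Banking - Microsoft Internet Explorer]
jsmith{Tab}examplepw{Enter}
{Esc}{F3}acct{Bksp}{Bksp}12345{Enter}
"""
SAMPLE_BENIGN = "Press {F3} to search or Esc to cancel.\n"


def score_text(text):
    """Count key markers and measure their density in the text."""
    tokens = TOKEN_RE.findall(text)
    return {
        "tokens": len(tokens),
        "advisory_tokens": sum(text.count(t) for t in ADVISORY_TOKENS),
        "is_ascii": text.isascii(),  # the advisory describes the log as ASCII
        "tokens_per_kb": 1024 * len(tokens) / max(len(text), 1),
    }


def looks_like_keylog(text, min_tokens=3, min_per_kb=5.0):
    """Heuristic verdict: ASCII text with enough markers, densely enough."""
    s = score_text(text)
    return (s["is_ascii"] and s["tokens"] >= min_tokens
            and s["tokens_per_kb"] >= min_per_kb)


def scan_directory(root, max_bytes=5_000_000):
    """Yield (path, score) for ASCII text files under root that look like keylogs."""
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        try:
            text = p.read_bytes().decode("ascii")
        except UnicodeDecodeError:
            continue  # binaries and non-ASCII files are not candidates here
        if looks_like_keylog(text):
            yield p, score_text(text)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, score in scan_directory(sys.argv[1]):
            print(path, score)
    else:
        print("keylog sample:", score_text(SAMPLE_KEYLOG))
        print("benign sample:", score_text(SAMPLE_BENIGN))
```

The thresholds are deliberately conservative defaults; a responder would tune them against known-clean files on the same image, and treat a hit as a lead to examine rather than a verdict.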
Method of Infection
Keylogging and password-stealing trojans serve to steal sensitive data from the victim machine. This detection is intended for the DLL components of such threats. How the threat is delivered to the victim machine will vary; example vectors include:
- IRC
- P2P file sharing
- newsgroup postings
- HTTP download
- email spamming
As noted above, the threat may be installed onto the victim machine using other threats, or exploits. Exploit-MhtRedir has been used in this manner in compromising remote servers in order to install password-stealing trojans onto victim machines.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- PWSteal.Refest (Symantec)
- Trj/Bankhook.A (Panda)
- TROJ_WEBMONEY.B (Trend)
- TrojanSpy.Win32.Small.aa (Kaspersky)