Content
PWS-Banker
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 06/30/2004
- Length
- 10,416 bytes
- Minimum DAT
- 4354 (04/28/2004)
- Updated DAT
- 5296 (05/15/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 04/28/2004
- Description Modified
- 07/02/2004 3:28 AM (PT)
Tab Navigation
Characteristics
This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via http.
There are several variants of the trojan. The description is a general guide.
Online email and bank account information (username/password) is particularly vulnerable to this threat. The following online banking sites are targeted:
- exhosting.biz
- hsbc
- banks
- bank
- offshore
- casino
- e-gold
- paypal
- ebay
- banc
- banque
- egold
- ikobo
- yambo
- keybank
- citibank
- fidelity
- datek
- schwab
- optionalexpres
- ameritrade
- huntington
- banco
- planters
- westpac
- national.com.au
- stgeorge
- wachovia
- wellsfargo
- bookers
- etrade
- barrington
- fleet
When run, the trojan drops a DLL into the C:\WINDOWS\SYSTEM directory. The filename is
- lsd_f3.dll
This DLL is loaded at startup by hooking the following registry key:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
\MPRServices\TestService "DllName" = lsd_f3.dll
The trojan also creates a log file in C:\ directory. The following file name is used:
- log.txt
Symptoms
Existence of files and registry keys mentioned above.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via http.
There are several variants of the trojan. The description is a general guide.
Online email and bank account information (username/password) is particularly vulnerable to this threat. The following online banking sites are targeted:
- exhosting.biz
- hsbc
- banks
- bank
- offshore
- casino
- e-gold
- paypal
- ebay
- banc
- banque
- egold
- ikobo
- yambo
- keybank
- citibank
- fidelity
- datek
- schwab
- optionalexpres
- ameritrade
- huntington
- banco
- planters
- westpac
- national.com.au
- stgeorge
- wachovia
- wellsfargo
- bookers
- etrade
- barrington
- fleet
When run, the trojan drops a DLL into the C:\WINDOWS\SYSTEM directory. The filename is
- lsd_f3.dll
This DLL is loaded at startup by hooking the following registry key:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
\MPRServices\TestService "DllName" = lsd_f3.dll
The trojan also creates a log file in C:\ directory. The following file name is used:
- log.txt
Symptoms
Symptoms -
Existence of files and registry keys mentioned above.
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
