McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• PWSteal.Tarno.R (Symantec)

• Trj/Banker.M (Panda)

• Troj/CashGrab-L (Sophos)

• TROJ_DELF.AGR (Trend Micro)

Characteristics

PWS-Cashgrabber monitors internet explorer for certain banking websites, attempting to steal information if it finds them. It then attempts to send the logged data to a remote website.

When executed, the trojan creates the following folders which are used to store configuration files:

%Root%\abrams
%WINDIR%\%SYSTEM%\arcada
%WINDIR%\%SYSTEM%\svact
%WINDIR%\%SYSTEM%\svcontr
%WINDIR%\%SYSTEM%\svskn

The following files are created:

%Root%\setup.cmd
%WINDIR%\%SYSTEM%2\ierror.rep
%WINDIR%\%SYSTEM%\sui.dll
%WINDIR%\%SYSTEM%\svchost.dll   (206,438 bytes)
%WINDIR%\%SYSTEM%\winsetup.exe (25,190 bytes)
%WINDIR%\%SYSTEM%\wint.ini
%WINDIR%\%SYSTEM%\winte.html
%WINDIR%\%SYSTEM%\svact\004.act
%WINDIR%\%SYSTEM%\svact\011.act
%WINDIR%\%SYSTEM%\svact\013.act
%WINDIR%\%SYSTEM%svskn\004.sns
%WINDIR%\%SYSTEM%svskn\011.sns
%WINDIR%\%SYSTEM%svskn\013.sns

The file "svchost.dll" is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer so that it runs every time Internet Explorer starts.
It registers itself by creating the following registry keys:

HKEY_CLASSES_ROOT\svchost.Update\
HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

"LOCAL SERVICE" = "%WINDIR%\%SYSTEM%\svchost.dll"

"svchost.dll" is detected as PWS-Cashgrabber.

The file "setup.cmd" is used to delete the original trojan file that was executed. It display the message "Microsoft has you" multiple times followed by "Microsoft has you - Complict!".  This file deletes itself after it has accomplished this.

The file winsetup.exe is detected as Generic Delphi trojan.
The other files are all configuration/log files.

Symptoms

Monitors the following banking websites, attempting to steal information when a user visit them,

barclays.co.uk
hsbc.co.uk
olb2.nationet.com
deutsche-bank.de
nwolb.com

Monitors windows and web pages with the following strings:

gold
cash
bank
user
parol
firma
clave
trans
porcue
memorable
secret

Logs information gathered into the following files:

%System%\wint.ini
%System%\ierror.rep
%System%\sui.dll

Periodically sends information it gathers to the following URL:

http://williamell.com/ndppbzn/[censored]

Method of Infection

PWS-Cashgrabber was downloaded by Downloader-ATM  which was spammed out widely to users as an email attachment.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• PWSteal.Tarno.R (Symantec)

• Trj/Banker.M (Panda)

• Troj/CashGrab-L (Sophos)

• TROJ_DELF.AGR (Trend Micro)

Characteristics

Characteristics -

PWS-Cashgrabber monitors internet explorer for certain banking websites, attempting to steal information if it finds them. It then attempts to send the logged data to a remote website.

When executed, the trojan creates the following folders which are used to store configuration files:

%Root%\abrams
%WINDIR%\%SYSTEM%\arcada
%WINDIR%\%SYSTEM%\svact
%WINDIR%\%SYSTEM%\svcontr
%WINDIR%\%SYSTEM%\svskn

The following files are created:

%Root%\setup.cmd
%WINDIR%\%SYSTEM%2\ierror.rep
%WINDIR%\%SYSTEM%\sui.dll
%WINDIR%\%SYSTEM%\svchost.dll   (206,438 bytes)
%WINDIR%\%SYSTEM%\winsetup.exe (25,190 bytes)
%WINDIR%\%SYSTEM%\wint.ini
%WINDIR%\%SYSTEM%\winte.html
%WINDIR%\%SYSTEM%\svact\004.act
%WINDIR%\%SYSTEM%\svact\011.act
%WINDIR%\%SYSTEM%\svact\013.act
%WINDIR%\%SYSTEM%svskn\004.sns
%WINDIR%\%SYSTEM%svskn\011.sns
%WINDIR%\%SYSTEM%svskn\013.sns

The file "svchost.dll" is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer so that it runs every time Internet Explorer starts.
It registers itself by creating the following registry keys:

HKEY_CLASSES_ROOT\svchost.Update\
HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

"LOCAL SERVICE" = "%WINDIR%\%SYSTEM%\svchost.dll"

"svchost.dll" is detected as PWS-Cashgrabber.

The file "setup.cmd" is used to delete the original trojan file that was executed. It display the message "Microsoft has you" multiple times followed by "Microsoft has you - Complict!".  This file deletes itself after it has accomplished this.

The file winsetup.exe is detected as Generic Delphi trojan.
The other files are all configuration/log files.

Symptoms

Symptoms -

Monitors the following banking websites, attempting to steal information when a user visit them,

barclays.co.uk
hsbc.co.uk
olb2.nationet.com
deutsche-bank.de
nwolb.com

Monitors windows and web pages with the following strings:

gold
cash
bank
user
parol
firma
clave
trans
porcue
memorable
secret

Logs information gathered into the following files:

%System%\wint.ini
%System%\ierror.rep
%System%\sui.dll

Periodically sends information it gathers to the following URL:

http://williamell.com/ndppbzn/[censored]

Method of Infection

Method of Infection -

PWS-Cashgrabber was downloaded by Downloader-ATM  which was spammed out widely to users as an email attachment.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A