PWS-Banker.y!hosts
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 06/21/2005
- Length: Various
- Minimum DAT: 4518 (06/21/2005)
- Updated DAT: 4518 (06/21/2005)
- Minimum Engine: 5.1.00
- Description Added: 06/21/2005
- Description Modified: 06/22/2005 2:58 AM (PT)
Characteristics
This detection covers the change made to the local hosts file when the PWS-Banker.y trojan is executed.
The trojan overwrites the local hosts file. In some cases this left a zero-byte hosts file on the infected system; in other cases the hosts file may resemble the example in the Symptoms section below.
Typically, the local hosts file is located in the following location:
Symptoms
Please note that spaces have been added to the URLs below and the IP addresses have been replaced with a.b.c.d.
Method of Infection
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
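A check for the two hosts-file outcomes described under Characteristics (a zero-byte file, or entries that pin hostnames to an address), as an added example that is not part of the original description or of the vendor's detection logic. The allow-list, function names and sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Names a clean hosts file may legitimately define (assumption; extend per site).
EXPECTED_NAMES = frozenset({"localhost", "localhost.localdomain",
                            "ip6-localhost", "ip6-loopback"})

def parse_hosts(text):
    """Yield (line_no, address, names) for every well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        yield line_no, address, [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(data, allowed=EXPECTED_NAMES):
    """Return findings for a hosts file supplied as bytes.

    'zero-byte': the file is empty.
    'redirect' : a name outside `allowed` is pinned to a non-loopback
                 address, so lookups for it never reach DNS.
    """
    if len(data) == 0:
        return [{"kind": "zero-byte"}]
    findings = []
    for line_no, address, names in parse_hosts(data.decode("utf-8", "replace")):
        if address.is_loopback or address.is_unspecified:
            continue                             # local or sinkhole entry
        for name in names:
            if name not in allowed:
                findings.append({"kind": "redirect", "line": line_no,
                                 "address": str(address), "name": name})
    return findings

# Constructed sample: RFC 5737 documentation address and example.com names.
SAMPLE = (b"# constructed hosts file for the example\r\n"
          b"127.0.0.1       localhost\r\n"
          b"203.0.113.7     login.bank.example.com  # pinned\r\n"
          b"203.0.113.7\twww.pay.example.com www2.pay.example.com\r\n"
          b"0.0.0.0         ads.example.com\r\n")

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Run it against the raw bytes of the hosts file; any `redirect` finding for a name the site did not pin deliberately, or a `zero-byte` finding, matches the change this detection describes.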
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.