Content
PWS-Banker.y
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 06/21/2005
- Length
- 37841 bytes
- Minimum DAT
- 4518 (06/21/2005)
- Updated DAT
- 4518 (06/21/2005)
- Minimum Engine
- 5.1.00
- Description Added
- 06/21/2005
- Description Modified
- 06/22/2005 4:58 AM (PT)
Tab Navigation
Characteristics
This variant of password-stealing trojan appears to target numerous banking organisations, which are best described in the PWS-Banker.y!hosts VIL description's Symptoms section.
The actual sample analysed was packed (compressed) using the FSG packager.
After being manually executed, the trojan moves itself to the following location:
- %SYSTEMROOT%\System32
As the following filename (irrespective of the filename when executed):
- nbthlp.exe
The trojan modifies the registry so that it is executed again when, or if the system is restarted by adding a keyvalue called "Netbios Helper
" to the following key, which points to the file in the aforementioned location:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run
This trojan also overwrites the local hosts file with an IP address and numerous URLs for websites related to online banking. Please see the PWS-Banker.y!hosts VIL description for more information.
Symptoms
Symptoms of this infection include the presence of some or all of the information in the characteristics section (above):
- The startup hook registry key pointing to the file on disk.
- The presence of the file in the system32 folder
- The presence of a modified hosts file
Method of Infection
This trojan requires manual execution for it to run and infect the system.
As previously mentioned, the original filename doesn't have to be nbthlp.exe
so it may have a different, more enticing filename.
Removal
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This variant of password-stealing trojan appears to target numerous banking organisations, which are best described in the PWS-Banker.y!hosts VIL description's Symptoms section.
The actual sample analysed was packed (compressed) using the FSG packager.
After being manually executed, the trojan moves itself to the following location:
- %SYSTEMROOT%\System32
As the following filename (irrespective of the filename when executed):
- nbthlp.exe
The trojan modifies the registry so that it is executed again when, or if the system is restarted by adding a keyvalue called "Netbios Helper
" to the following key, which points to the file in the aforementioned location:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run
This trojan also overwrites the local hosts file with an IP address and numerous URLs for websites related to online banking. Please see the PWS-Banker.y!hosts VIL description for more information.
Symptoms
Symptoms -
Symptoms of this infection include the presence of some or all of the information in the characteristics section (above):
- The startup hook registry key pointing to the file on disk.
- The presence of the file in the system32 folder
- The presence of a modified hosts file
Method of Infection
Method of Infection -
This trojan requires manual execution for it to run and infect the system.
As previously mentioned, the original filename doesn't have to be nbthlp.exe
so it may have a different, more enticing filename.
Removal -
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
