PWS-Banker.be

Type: Trojan
SubType: Password Stealer
Discovery Date: 03/21/2006
Length: Varies
Minimum DAT: 4723 (03/21/2006)
Updated DAT: 4726 (03/24/2006)
Minimum Engine: 5.1.00
Description Added: 03/21/2006
Description Modified: 03/22/2006 11:18 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update March 23, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcadvisor.co.uk/news/index.cfm?newsid=5869

--

PWS-Banker.be is a password-stealing trojan that captures bank account information and posts this confidential data to a website based in Russia. It uses a rootkit component to hide its presence on an infected system.

Upon execution, it drops the following files into the Windows system directory:

  • %Windir%\%SYSDIR%\zopenssl.dll
  • %Windir%\%SYSDIR%\zopenssld.sys

It adds the following registry values so that it starts automatically when Windows starts:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
    CurrentVersion\Winlogon\Notify\zopenssl
    "DllName" = "zopenssl.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    zopenssld "DisplayName" = "OPENSSL cryptoapi"

On Win9x systems it creates the following autostart entry:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
    MPRServices\TestService "DllName" = "zopenssl.dll"

It attempts to create the following registry entry to add "explorer.exe" to the Windows XP firewall exception list. It injects itself into explorer.exe to transmit the logged accounts and passwords, which lets it bypass the firewall settings.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
    List
    "%Windir%\explorer.exe" = "%Windir%\explorer:*:Enabled:explorer"

Captured accounts and passwords are posted via HTTP to a web server based in Russia.

  • www.cataf[Removed].ru

Symptoms

"zopenssl.dll" is the password-stealing component of this trojan. It injects itself into Internet Explorer and prevents access to the following antivirus-related websites:

  • avp.ch
  • avp.com
  • avp.ru
  • awaps.net
  • customer.symantec.com
  • d-eu-1f.kaspersky-labs.com
  • d-eu-2f.kaspersky-labs.com
  • d-ru-1f.kaspersky-labs.com
  • d-ru-2f.kaspersky-labs.com
  • d-us-1f.kaspersky-labs.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • downloads-us1.kaspersky-labs.com
  • downloads-us2.kaspersky-labs.com
  • downloads-us3.kaspersky-labs.com
  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • engine.awaps.net
  • f-secure.com
  • ftp.avp.ch
  • ftp.downloads2.kaspersky-labs.com
  • ftp.f-secure.com
  • ftp.kaspersky.ru
  • ftp.kasperskylab.ru
  • ftp.sophos.com
  • ids.kaspersky-labs.com
  • kaspersky-labs.com
  • kaspersky.com
  • kaspersky.ru
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • networkassociates.com
  • phx.corporate-ir.net
  • rads.mcafee.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com
  • spd.atdmt.com
  • symantec.com
  • trendmicro.com
  • update.symantec.com
  • updates.symantec.com
  • updates1.kaspersky-labs.com
  • updates2.kaspersky-labs.com
  • updates3.kaspersky-labs.com
  • updates4.kaspersky-labs.com
  • updates5.kaspersky-labs.com
  • us.mcafee.com
  • virustotal.com

It accesses the following registry locations to locate cached passwords:

  • HKEY_CURRENT_USER\Software\RIT\The Bat!
  • HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

The above registry locations contain usernames and passwords in an encrypted form for the following applications:

  • The Bat! eMail Client
  • Inetcomm Server passwords
  • Outlook Express POP3/IMAP accounts and passwords
  • Password-protected sites in Internet Explorer

"zopenssld.sys" is the rootkit component of this trojan and is responsible for hiding the trojan's presence on an infected system. The following files are hidden by this rootkit from Windows Explorer and Task Manager:

  • bklks.ies4
  • nwr7.ies4
  • nwr8.ies4
  • zopenssl.dll
  • zopenssld.sys
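The persistence entries listed under Characteristics and the dropped and hidden file names listed above give a defender a concrete triage checklist. The following PowerShell function is an added example, not part of the McAfee description: it checks a host for those indicators and reports what it finds. The function name is mine; the registry paths, value names and file names are taken from this page, and the script assumes an elevated session on an NT-family Windows host.

```powershell
# Added triage function (not part of the McAfee description). Checks the
# persistence and file indicators this page lists for PWS-Banker.be.
# Assumptions: elevated PowerShell session on the suspect NT-family host.
function Test-PwsBankerBeIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $sysDir = [Environment]::SystemDirectory      # %Windir%\%SYSDIR%

    # 1. Dropped files and the names the rootkit hides. The rootkit driver hooks
    #    directory listing, so a negative result here is not conclusive; only an
    #    offline scan from clean boot media settles it.
    $fileNames = 'zopenssl.dll', 'zopenssld.sys', 'bklks.ies4', 'nwr7.ies4', 'nwr8.ies4'
    foreach ($name in $fileNames) {
        $path = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 2. Winlogon Notify persistence. Every Notify subkey is enumerated so that an
    #    unexpected DllName stands out, not only the name known from this page.
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $sub.PSPath).DllName
            if ($sub.PSChildName -eq 'zopenssl' -or $dll -like '*zopenssl*') {
                $findings += "Winlogon Notify entry: $($sub.PSChildName) DllName=$dll"
            }
        }
    }

    # 3. Service key for the rootkit driver (DisplayName "OPENSSL cryptoapi").
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\zopenssld'
    if (Test-Path $svc) {
        $disp = (Get-ItemProperty $svc).DisplayName
        $findings += "Service key present: zopenssld DisplayName='$disp'"
    }

    # 4. Win9x-style MPRServices entry; absent on NT systems unless planted.
    $mpr = 'HKLM:\System\CurrentControlSet\Control\MPRServices\TestService'
    if (Test-Path $mpr) {
        $findings += "MPRServices entry: DllName=$((Get-ItemProperty $mpr).DllName)"
    }

    # 5. Windows XP firewall exception for explorer.exe. Explorer has no reason
    #    to hold an exception, so any entry for it deserves a look.
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path $fw) {
        $props = Get-ItemProperty $fw
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like '*\explorer.exe') {
                $findings += "Firewall exception: $($prop.Name) = $($prop.Value)"
            }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No PWS-Banker.be indicators found (rootkit may still hide files; confirm offline).'
    } else {
        $findings
    }
}

Test-PwsBankerBeIndicators
```

The file check is deliberately listed first but trusted least: once zopenssld.sys is loaded, the same APIs that Test-Path uses are the ones being hooked, so the registry findings and the firewall exception are the more reliable live indicators, and file presence should be confirmed from a clean boot.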

Method of Infection

Password stealers are not viruses, and as such do not themselves contain any method to replicate. However, they may be downloaded by other viruses and/or trojans and installed on the user's system.

Many of them are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the password stealer onto the user's system with no user interaction).

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • TROJ_HEARSE.A (Trend Micro)
  • Trojan.Goldun.K (Symantec)
  • W32/Haxdoor.ABV (Norman)
  • W32/HEARSE.A!tr (Fortinet)
