McAfee > Theat Center > Virus Detail Page

Overview

-- Update June 20, 2006 --

Risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://money.cnn.com/2006/06/19/technology/google_orkut.reut/

--

This detection is for a password stealing trojan, which apart from capturing bank account information, also attempts to steal a user’s login credentials for Orkut, which is an online community.

Aliases

• Trojan-Spy.Win32.Banker.bkz - Kaspersky

• Trojan.Banker.Delf.69B45B06 - Bit Defender

Characteristics

When executed, PWS-Banker!1d2e drops the following files:

• %Windir%\%sysdir%\logo1.jpg (dll file with jpeg extension)
• %Windir%\Cpu.log (logfile containing infected machines hardware details)

Note: The Trojan uses the file extension ”.jpg” to mislead the user into believing that it’s a harmless picture file

The following registry entries are created:

• Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\
  Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-
  CDBE1C6D37EB}
  Data: %windir%\%sysdir%\logo1.jpg

Symptoms

PWS-Banker!1d2e uses Internet Explorer to load itself as a BHO (Browser Helper Object).

When a user tries to open Internet explorer for the first time, after being infected, a bogus message box is displayed about insufficient memory as shown below:

The user is then eventually redirected to the login page of orkut.com

Once logged in, apart from stealing the users login credentials, this malware posts an entry in the users’s scrapbook (similar to guestbook) as shown below:

The URL in the scrap entry, points to a executable file hosted on a compromised website. The executable is a downloader which downloads this password stealer.

Method of Infection

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

-- Update June 20, 2006 --

Risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://money.cnn.com/2006/06/19/technology/google_orkut.reut/

--

This detection is for a password stealing trojan, which apart from capturing bank account information, also attempts to steal a user’s login credentials for Orkut, which is an online community.

Aliases

• Trojan-Spy.Win32.Banker.bkz - Kaspersky

• Trojan.Banker.Delf.69B45B06 - Bit Defender

Characteristics

Characteristics -

When executed, PWS-Banker!1d2e drops the following files:

• %Windir%\%sysdir%\logo1.jpg (dll file with jpeg extension)
• %Windir%\Cpu.log (logfile containing infected machines hardware details)

Note: The Trojan uses the file extension ”.jpg” to mislead the user into believing that it’s a harmless picture file

The following registry entries are created:

• Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\
  Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-
  CDBE1C6D37EB}
  Data: %windir%\%sysdir%\logo1.jpg

Symptoms

Symptoms -

PWS-Banker!1d2e uses Internet Explorer to load itself as a BHO (Browser Helper Object).

When a user tries to open Internet explorer for the first time, after being infected, a bogus message box is displayed about insufficient memory as shown below:

The user is then eventually redirected to the login page of orkut.com

Once logged in, apart from stealing the users login credentials, this malware posts an entry in the users’s scrapbook (similar to guestbook) as shown below:

The URL in the scrap entry, points to a executable file hosted on a compromised website. The executable is a downloader which downloads this password stealer.

Method of Infection

Method of Infection -

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A