McAfee > Theat Center > Virus Detail Page

Overview

This detection is for a Password Stealing Trojan dropper, which apart from dropping PWS-Banker.gen.bt may also drop other password stealing trojans.

The characteristics of this Trojan with regards to file names and folders created will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Characteristics

When this Trojan is executed, it drops the following two files:

• %System%\Helper.xml
• %System%\torm.dll (Detected as PWS-Banker.gen.bt)

Note:

• %System% is a variable location and refers to the windows system directory
• This Trojan by itself doesn’t create any startup registry entries, and hence doesn’t execute on system startup
  

Symptoms

Presence of files mentioned earlier is a good symptom of being infected by this Trojan.

Method of Infection

This Trojan could be downloaded by JS/Exploit-BO.gen. It does not self-replicate.
It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This detection is for a Password Stealing Trojan dropper, which apart from dropping PWS-Banker.gen.bt may also drop other password stealing trojans.

The characteristics of this Trojan with regards to file names and folders created will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Characteristics

Characteristics -

When this Trojan is executed, it drops the following two files:

• %System%\Helper.xml
• %System%\torm.dll (Detected as PWS-Banker.gen.bt)

Note:

• %System% is a variable location and refers to the windows system directory
• This Trojan by itself doesn’t create any startup registry entries, and hence doesn’t execute on system startup
  

Symptoms

Symptoms -

Presence of files mentioned earlier is a good symptom of being infected by this Trojan.

Method of Infection

Method of Infection -

This Trojan could be downloaded by JS/Exploit-BO.gen. It does not self-replicate.
It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A