McAfee > Theat Center > Virus Detail Page

Overview

This detection is for a Password Stealing Trojan, which maybe dropped by PWS-Banker.gen.bq.

The characteristics of this Trojan with regards to file names, and folders created will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases:

PSW.Banker3.IGM (AVG Grisoft)
Trojan-Spy.Win32.Banker.cnq (Kaspersky)
Trojan.Spy.Banker.ALO (Bit Defender)

Characteristics

When executed, this Trojan drops a copy of itself in the %System% folder as "torm.dll".

The dropped dll file installs itself as a Browser Helper Object (BHO) and creates the following registry entry:

• HKEY_CLASSES_ROOT\CLSID\{60FD4F58-4748-48f6-B661-5FCE71B0D907}

The Trojan then steals the user's login credentials, when the following banking related websites are accessed:

• akbank.com (Turkish Bank)
• yapikredi.com.tr (Turkish Bank)
• bankofamerica.com

This captured information, is then transmitted back to the following website using "HTTP POST" method:

• fcrrent.info (Attackers site)

Symptoms

Presence of files and registry entries mentioned

Method of Infection

This Trojan could be dropped by PWS-Banker.gen.bq. It does not self-replicate.
It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This detection is for a Password Stealing Trojan, which maybe dropped by PWS-Banker.gen.bq.

The characteristics of this Trojan with regards to file names, and folders created will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases:

PSW.Banker3.IGM (AVG Grisoft)
Trojan-Spy.Win32.Banker.cnq (Kaspersky)
Trojan.Spy.Banker.ALO (Bit Defender)

Characteristics

Characteristics -

When executed, this Trojan drops a copy of itself in the %System% folder as "torm.dll".

The dropped dll file installs itself as a Browser Helper Object (BHO) and creates the following registry entry:

• HKEY_CLASSES_ROOT\CLSID\{60FD4F58-4748-48f6-B661-5FCE71B0D907}

The Trojan then steals the user's login credentials, when the following banking related websites are accessed:

• akbank.com (Turkish Bank)
• yapikredi.com.tr (Turkish Bank)
• bankofamerica.com

This captured information, is then transmitted back to the following website using "HTTP POST" method:

• fcrrent.info (Attackers site)

Symptoms

Symptoms -

Presence of files and registry entries mentioned

Method of Infection

Method of Infection -

This Trojan could be dropped by PWS-Banker.gen.bq. It does not self-replicate.
It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A