PWS-JT

Type: Trojan
SubType: Password
Discovery Date: 08/13/2007
Length: 195.083
Minimum DAT: 5097 (08/14/2007)
Updated DAT: 5097 (08/14/2007)
Minimum Engine: 5.1.00
Description Added: 08/13/2007
Description Modified: 08/13/2007 6:18 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Detection was added to cover protection against a password-stealing trojan originally called "ntos.exe", having a filesize of 195.083 bytes.

The file is internally compressed with a packer.

It runs silently; no GUI message boxes appear on the screen.

It immediately copies itself to the %windows%\%system% directory and, to launch itself automatically at system start, creates a registry entry; for example, on a Windows 2000 system:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\run "userinit"
    Data: C:\WINNT\System32\ntos.exe

It may also change the registry value in the key

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable"

The malware's main purpose is to capture and retrieve data; for example, it reads the network UID in use from the registry key

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID"

It creates the directory c:\WINNT\system32\wsnpoem. Note that this directory is marked hidden.

It creates two files in that directory, onto which it logs the screen data it gathers. Their size varies; on creation they are nearly empty.

  • c:\WINNT\system32\wsnpoem\audio.dll (filesize: 86 bytes, variable)
  • c:\WINNT\system32\wsnpoem\video.dll (filesize: 0 bytes, variable)


Symptoms

  • Presence of "ntos.exe", having a filesize of 195.083 bytes.
  • Presence of a hidden directory called c:\WINNT\system32\wsnpoem. Note that the directory location may vary.
  • Presence of c:\WINNT\system32\wsnpoem\audio.dll (filesize: 86 bytes, variable)
  • Presence of c:\WINNT\system32\wsnpoem\video.dll (filesize: 0 bytes, variable)
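An added offline triage check for the registry and file-system indicators listed in the Characteristics and Symptoms sections above; this is example code, not McAfee's tooling. It parses a regedit .reg export of the Run key and a (path, is_hidden) directory listing, both constructed here as sample input, and returns the entries that match the advisory.

```python
import re

# Indicators taken from the advisory above; the sample inputs are constructed.
RUN_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPER, WORKDIR, LOGFILES = "ntos.exe", "wsnpoem", {"audio.dll", "video.dll"}

def parse_reg(text):
    """Parse a regedit .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg doubles backslashes and escapes quotes inside string data; undo that
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys

def check_run_key(reg_text):
    """Entries under the .DEFAULT Run key matching the advisory: a value named
    'userinit' (borrowing the name of the legitimate Winlogon value) or one launching ntos.exe."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() == RUN_KEY.lower():  # regedit shows 'Run'; the advisory writes 'run'
            for name, data in values.items():
                if name.lower() == "userinit" or data.lower().endswith(DROPPER):
                    hits.append((name, data))
    return hits

def check_listing(entries):
    """entries: iterable of (path, is_hidden). Only the trailing path components are
    matched because the advisory notes the directory location may vary."""
    hits = []
    for path, hidden in entries:
        parts = path.lower().split("\\")
        if (parts[-1] == WORKDIR and hidden) or (
                len(parts) > 1 and parts[-2] == WORKDIR and parts[-1] in LOGFILES):
            hits.append(path)
    return hits

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"userinit"="C:\\WINNT\\System32\\ntos.exe"
'''
SAMPLE_LISTING = [(r"C:\WINNT\system32\wsnpoem", True), (r"C:\WINNT\system32\wsnpoem\audio.dll", False),
                  (r"C:\WINNT\system32\wsnpoem\video.dll", False), (r"C:\WINNT\system32\kernel32.dll", False)]
```

Feed it a real `reg export` of the Run key and a listing produced with hidden entries included; an unhidden or empty wsnpoem directory elsewhere is still reported only if it carries the two log files.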

Method of Infection

  • Manual infection - there's no exploit associated with it.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • Bancos.gen3 (Norman)
  • Trojan-Spy.Win32.Bancos.aam (Ikarus)
  • Trojan-Spy.Win32.Bancos.aam (Kaspersky)
  • Trojan.DR.Cimuz.Gen.1 (Virusbuster)