Content

Spy-Agent.cm

Type
Trojan
SubType
Win32
Discovery Date
01/14/2008
Length
54,189 bytes
Minimum DAT
5208 (01/15/2008)
Updated DAT
5796 (11/08/2009)
Minimum Engine
5.1.00
Description Added
01/14/2008
Description Modified
01/15/2008 2:42 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update January 15, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcworld.idg.com.au/index.php/id;280071259

--

This trojan was previously detected as Generic PWS.y trojan in 5190 DATs since December 20th, 2007 in all products.

Upon execution, the trojan drops a DLL file at the following file path:

  • %SystemDir%\[random characters][random digits].dll

The following registry keys are added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 "midi1" = (DLL file path)

The trojan downloads the configuration files from the following site:

  • microcbs.com

Downloaded files are also saved at the following file path:

  • %SystemDir%\[random][random digit].dll

The trojan has the following functionalities.

  • Steal the following UserID\Password accounts:
    • HOTMAIL
    • HTTP Mail User Name
    • HTTP Mail Password
    • SMTP e-mail address
    • POP3 server/userName/password
    • Outlook account password
  • Steal Cookies
  • Capture screenshots
  • Record keystrokes

The trojan monitors the following browsers for access to the online banks defined in the configuration files.

  • maxthon.exe
  • acoobrowser.exe
  • iexplore.exe

The trojan intercepts HTTP requests that contain the following strings and attempts to replace the returned content with HTML files defined in the configuration files.

  • AccountID
  • ACTUAL_PAYMENT_OUNCES
  • Amount
  • autoT1
  • autoT2
  • ESpass
  • login:
  • PASS
  • PassPhrase
  • Payee_Account
  • PAYER_ACCOUNT
  • PAY_IN
  • PAYEE_NAME
  • PAYMENT_AMOUNT
  • PAYMENT_METAL_ID
  • PWD
  • TAN
  • USER
  • USD_PER_OUNCE

Symptoms

  • Presence of file(s) and registry key(s) as previously mentioned.
  • Unexpected network connections to the mentioned site(s).
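The two symptoms above (the Drivers32 persistence value and connections to the configuration site) can be checked offline against artefacts collected from a host. The script below is an added example, not McAfee's tooling: it parses a constructed .reg export of the Drivers32 key and flags midi/wave entries that point at a DLL with the "[random characters][random digits].dll" naming the description gives, then scans a few constructed proxy log lines for the listed domain and its subdomains. The .reg parsing, the ".drv/.acm are the usual legitimate targets" heuristic, the sample file name and the log format are all assumptions made for the example.

```python
"""Offline checks for the Spy-Agent.cm indicators listed in the description.

Added example (not vendor code).  Inputs are constructed: a minimal .reg
export of the Drivers32 key and a handful of proxy log lines.
"""
import re
from typing import Dict, List

# Registry key the description says gains a "midi1" value.
DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Configuration-download site named in the description.
C2_DOMAINS = {"microcbs.com"}

# Dropped-file naming from the description: [random characters][random digits].dll
RANDOM_DLL = re.compile(r"^[a-z]+\d+\.dll$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key_path: {value_name: data}}.

    Assumption: only REG_SZ lines of the form "name"="data" are needed for
    Drivers32, and doubled backslashes in data are .reg escaping.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def suspicious_driver_entries(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Drivers32 midi*/wave* values whose target is a random-looking DLL.

    Heuristic (assumption, not stated on the page): legitimate Drivers32
    entries point at .drv/.acm modules or well-known names, not at
    letters+digits .dll files dropped in the system directory.
    """
    findings = []
    for name, data in keys.get(DRIVERS32_KEY, {}).items():
        if not name.lower().startswith(("midi", "wave")):
            continue
        filename = data.replace("/", "\\").rsplit("\\", 1)[-1]
        if RANDOM_DLL.match(filename):
            findings.append(f"{name} -> {data}")
    return findings


def c2_connections(log_lines: List[str]) -> List[str]:
    """Return proxy log lines whose destination host is a listed domain or a subdomain of one."""
    hits = []
    for line in log_lines:
        m = re.search(r"https?://([^/\s:]+)", line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append(line)
    return hits


# Constructed sample: one legitimate-looking set of values plus the persistence entry
# the description reports.  "hoqkle17.dll" is an invented name matching the pattern.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"midimapper"="midimap.dll"
"midi1"="C:\\WINDOWS\\system32\\hoqkle17.dll"
'''

# Constructed proxy log lines (format is an assumption).  The last line must NOT
# match: "notmicrocbs.com" is a different domain, not a subdomain.
SAMPLE_LOG = [
    "2008-01-14T10:02:11 10.0.0.5 GET http://www.example.com/index.html 200",
    "2008-01-14T10:02:30 10.0.0.5 GET http://microcbs.com/cfg/bank.txt 200",
    "2008-01-14T10:03:02 10.0.0.5 GET http://cdn.microcbs.com/x.dll 200",
    "2008-01-14T10:03:40 10.0.0.5 GET http://notmicrocbs.com/ 200",
]

if __name__ == "__main__":
    for finding in suspicious_driver_entries(parse_reg_export(SAMPLE_REG)):
        print("suspicious Drivers32 entry:", finding)
    for line in c2_connections(SAMPLE_LOG):
        print("contact with listed site:", line)
```

On a real host the .reg input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg`, and the log lines from the proxy; the domain match deliberately requires an exact host or a dotted subdomain so that look-alike registrations are not counted.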

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.


Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

The trojan is designed to gather user ID/password information for online banks, along with keystrokes and screenshots, and send them to a remote site. The executable file was previously detected as Generic PWS.y trojan in 5190 DATs since December 20th, 2007 in all products.

Aliases

  • Trojan-PSW.Win32.Agent.va (Kaspersky)
  • Trojan.Silentbanker (Symantec)
  • TSPY_AGENT.ACO (Trendmicro)
  • Win32/Banker.AB (CA)
