Content

PWS-Banker!9D8E8ABB

Type
Trojan
SubType
Password
Discovery Date
07/16/2008
Length
220672
Minimum DAT
5339 (07/15/2008)
Updated DAT
5339 (07/15/2008)
Minimum Engine
5.2.00
Description Added
07/16/2008
Description Modified
07/16/2008 5:35 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File NameUnavailable
McAfee DetectionPWS-Banker
Length220,672 bytes
CRC329D8E8ABB
MD55041681769851EC03A0C037AF2D9253D
SHA187CDB85DB4BC4CC4E74C5D943FE94C95B72332E6

Other Common Detection Aliases

Company NameDetection Name
AVG (GriSoft)downloader.banload.ure
Normanw32/banload.afyn
SymantecDownloader
Trend MicroTROJ_DLOADE.KPO

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies Memory of Other Processes
High
Enumerates open windows
Low
Writes Executable in the Windows Folder
Low

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\exe.exe
    • %WINDIR%\sdfk.exe

        • The following registry elements have been changed:

      • HKEY_CURRENT_USER\sessioninformation\
        • programcount = 2
        • programcount = 3

        • The applications created the following network connection(s):

      • youtubew.land.ru port (80) Protocol (http)
        • hxxp://youtubew.land.ru /************

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File NameUnavailable
        McAfee DetectionPWS-Banker
        Length220,672 bytes
        CRC329D8E8ABB
        MD55041681769851EC03A0C037AF2D9253D
        SHA187CDB85DB4BC4CC4E74C5D943FE94C95B72332E6

        Other Common Detection Aliases

        Company NameDetection Name
        AVG (GriSoft)downloader.banload.ure
        Normanw32/banload.afyn
        SymantecDownloader
        Trend MicroTROJ_DLOADE.KPO

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Modifies Memory of Other Processes
        		High
        Enumerates open windows
        		Low
        Writes Executable in the Windows Folder
        		Low

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\exe.exe
        • %WINDIR%\sdfk.exe

            • The following registry elements have been changed:

          • HKEY_CURRENT_USER\sessioninformation\
            • programcount = 2
            • programcount = 3

            • The applications created the following network connection(s):

          • youtubew.land.ru port (80) Protocol (http)
            • hxxp://youtubew.land.ru /************

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A