Content

PWS-Banker

Type
Trojan
SubType
Password Stealer
Discovery Date
06/30/2004
Length
10,416 bytes
Minimum DAT
4354 (04/28/2004)
Updated DAT
5439 (11/19/2008)
Minimum Engine
5.1.00
Description Added
04/28/2004
Description Modified
09/09/2008 2:24 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

--- Update on September 09, 2008 ----

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2008/09/09/twitter_orkut_attack/

Upon execution, the threat launches Internet Explorer and opens the following web page:

  • http://www.youtube.com//v/[removed]2WQU

It then attempts to download multiple malwares from the following web site:

  • www.sampa[removed].kit.net

(note: the malwares have been removed from the download link at the time when the description is generated.)

----------------------------------------------

 

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via http.

There are several variants of the trojan. The description is a general guide.

Online email and bank account information (username/password) is particularly vulnerable to this threat. The following online banking sites are targeted:

  • exhosting.biz
  • hsbc
  • banks
  • bank
  • offshore
  • casino
  • e-gold
  • paypal
  • ebay
  • banc
  • banque
  • egold
  • ikobo
  • yambo
  • keybank
  • citibank
  • fidelity
  • datek
  • schwab
  • optionalexpres
  • ameritrade
  • huntington
  • banco
  • planters
  • westpac
  • national.com.au
  • stgeorge
  • wachovia
  • wellsfargo
  • bookers
  • etrade
  • barrington
  • fleet

When run, the trojan drops a DLL into the C:\WINDOWS\SYSTEM directory. The filename is

  • lsd_f3.dll

This DLL is loaded at startup by hooking the following registry key:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
    \MPRServices\TestService "DllName" = lsd_f3.dll

The trojan also creates a log file in C:\ directory. The following file name is used:

  • log.txt

Symptoms

Existence of files and registry keys mentioned above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

--- Update on September 09, 2008 ----

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2008/09/09/twitter_orkut_attack/

Upon execution, the threat launches Internet Explorer and opens the following web page:

  • http://www.youtube.com//v/[removed]2WQU

It then attempts to download multiple malwares from the following web site:

  • www.sampa[removed].kit.net

(note: the malwares have been removed from the download link at the time when the description is generated.)

----------------------------------------------

 

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via http.

There are several variants of the trojan. The description is a general guide.

Online email and bank account information (username/password) is particularly vulnerable to this threat. The following online banking sites are targeted:

  • exhosting.biz
  • hsbc
  • banks
  • bank
  • offshore
  • casino
  • e-gold
  • paypal
  • ebay
  • banc
  • banque
  • egold
  • ikobo
  • yambo
  • keybank
  • citibank
  • fidelity
  • datek
  • schwab
  • optionalexpres
  • ameritrade
  • huntington
  • banco
  • planters
  • westpac
  • national.com.au
  • stgeorge
  • wachovia
  • wellsfargo
  • bookers
  • etrade
  • barrington
  • fleet

When run, the trojan drops a DLL into the C:\WINDOWS\SYSTEM directory. The filename is

  • lsd_f3.dll

This DLL is loaded at startup by hooking the following registry key:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
    \MPRServices\TestService "DllName" = lsd_f3.dll

The trojan also creates a log file in C:\ directory. The following file name is used:

  • log.txt

Symptoms

Symptoms -

Existence of files and registry keys mentioned above.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A