
PWS-Banker.gen.i!068A1A93

Type
Trojan
SubType
Password Stealer
Discovery Date
07/17/2008
Length
688.640 bytes
Minimum DAT
5340 (07/16/2008)
Updated DAT
5439 (11/19/2008)
Minimum Engine
5.1.00
Description Added
07/17/2008
Description Modified
07/17/2008 12:44 PM (PT)
Risk Assessment
Corporate User
N/A
Home User
N/A

Characteristics

This PWS-Banker is a password-stealing trojan that captures internet banking credentials (username/password) and related account details and sends them to the author via an HTTP POST request.

It targets exclusively customers of the Brazilian bank Caixa Economica Federal.

Once the user executes it, the malware shows a window explaining that the procedure is necessary to update the bank's database.

After the user clicks the Continue button, it asks for the internet banking username.

Once the user enters the username and clicks Continue, it prompts for the Internet Banking PIN.

After the user enters the Internet Banking PIN, the application asks for the CPF (the Brazilian taxpayer identifier, roughly the equivalent of a US SSN), full name and birth date.

After the user clicks Continue, it prompts for the branch office number, account number and debit card PIN.

The malware then asks for the electronic signature (a second authentication factor used by the bank). Because it is collected in the same flow as the password, the second factor gives the victim no protection against this attack.

Once all this information has been entered, the trojan shows a screen saying "Thank you for the cooperation" and exits after the user clicks the Finalizar button.

It then sends everything collected to the attacker, who can use (and abuse) the victim's bank account.

Symptoms

The trojan is visible in the process list while it is running.

Once it has finished collecting the user's information, it exits and no longer appears in the process list, so its absence from the process list does not mean the machine is clean.

The malware establishes communication with:

http://cat.he.net/~artofgft/[removed]/.../envicx2.php

to send the information gathered. An outbound HTTP POST to this host and path from an internal machine is the main network indicator of a successful theft.

Method of Infection

Password stealers are not viruses and as such do not themselves contain any method to replicate. However, they may be downloaded by other viruses and/or trojans and installed on the user's system.

Many are additionally mass-spammed by the author to entice people into double-clicking on them.

In this specific case, the user had to click a link in a phishing email purporting to come from the bank in order to download the malware.

The link was:

www.renosclub.com/[removed]/module_security/
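The two URLs given on this page, the exfiltration endpoint under Symptoms and the download link under Method of Infection, are the network indicators a defender can hunt for in proxy logs. The following is an added example, not part of the original advisory, that scans access-log lines for requests to either indicator. The log layout (Squid native access.log field order), the sample log lines, the client and server addresses, and the REDACTED path segment are all constructed for this example; the advisory withholds part of each path as "[removed]", so matching is done on the host plus the surviving path fragment rather than on a complete URL.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network indicators from the advisory. Each advisory URL has a segment
# replaced by "[removed]", so we match host + surviving path fragment,
# never a complete URL (assumption: the fragment is stable across victims).
INDICATORS: List[Tuple[str, str, str]] = [
    # (label, host, path fragment that must appear)
    ("PWS-Banker exfiltration endpoint", "cat.he.net", "envicx2.php"),
    ("PWS-Banker phishing download link", "www.renosclub.com", "module_security/"),
]

# Assumed log layout: Squid native access.log field order
# "timestamp elapsed client code/status bytes method url ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass
class Hit:
    timestamp: str
    client: str
    method: str
    url: str
    label: str


def split_url(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, path) for an http(s) URL; host lower-cased, path defaults to '/'."""
    m = re.match(r"^(?:https?://)?([^/?#]+)(.*)$", url)
    if not m:
        return None, None
    return m.group(1).lower(), (m.group(2) or "/")


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit if the log line is a request to one of the indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = split_url(m.group("url"))
    if host is None:
        return None
    for label, ioc_host, fragment in INDICATORS:
        # Exact host match plus path fragment: other accounts on the same
        # shared web server (a different ~user directory) must not fire.
        if host == ioc_host and fragment in path:
            return Hit(m.group("ts"), m.group("client"), m.group("method"),
                       m.group("url"), label)
    return None


def scan(lines) -> List[Hit]:
    """Scan an iterable of log lines and return every indicator hit, in order."""
    hits: List[Hit] = []
    for line in lines:
        hit = match_line(line)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log (not real traffic). "REDACTED" stands in for the
# path segments the advisory withholds; hosts and script name are the advisory's.
SAMPLE_LOG = """\
1216310400.123    512 10.0.0.15 TCP_MISS/200 4120 GET http://www.renosclub.com/REDACTED/module_security/ - DIRECT/198.51.100.7 text/html
1216310402.004     88 10.0.0.15 TCP_MISS/200 9000 GET http://www.example.com/news/ - DIRECT/203.0.113.5 text/html
1216310550.981    201 10.0.0.15 TCP_MISS/200 312 POST http://cat.he.net/~artofgft/REDACTED/envicx2.php - DIRECT/198.51.100.8 text/html
1216310560.000     45 10.0.0.22 TCP_MISS/200 100 GET http://CAT.HE.NET/~artofgft/REDACTED/envicx2.php - DIRECT/198.51.100.8 text/html
1216310570.000     45 10.0.0.22 TCP_MISS/404 100 GET http://cat.he.net/~someoneelse/index.html - DIRECT/198.51.100.8 text/html
"""


def scan_sample() -> List[Hit]:
    """Run the scanner over the constructed sample; returns three hits."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h.timestamp} {h.client} {h.method} {h.url}  <- {h.label}")
```

Run the block directly to list the hits from the sample; against a real proxy log, call scan() on the open file. The advisory says the theft is sent by POST, but a GET to the same script (as the fourth sample line shows) still proves the host contacted the drop site and is worth triage, so the scanner flags every method and records which one was used. The fifth line, a request to a different ~user directory on the same server, is deliberately not flagged: on a shared web host the tilde path identifies one account, and matching on host alone would sweep in unrelated sites.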

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

This password-stealing trojan targets a Brazilian bank called Caixa Economica Federal.