Posted by: Admin on Wednesday, January 04, 2006 - 04:04 AM
PWSteal.Bankash.G is a Trojan horse program that attempts to steal user names and passwords from the compromised computer and lowers security settings.
It is reported that the Trojan is downloaded by malformed .wmf files that exploit the Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability (as described in BID 16074).
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: Steals confidential information such as user names, passwords, credit card details, email addresses, etc.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Lowers security settings by modifying the firewall.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
When the Trojan is executed, it performs the following actions:
Drops the following file:
%System%\ash2.dll
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following files:
%Windir%\log\[RANDOM].apps
%Windir%\log\[RANDOM].pass
%Windir%\log\[RANDOM].mail
%Windir%\log\[RANDOM].post
%Windir%\log\[RANDOM].crds
%Windir%\log\[RANDOM].form
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56B60F70-057F-4150-98B1-29572DF422F0}
so the .dll file is executed every time Windows Explorer starts.
Creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{21E5619E-0F99-4096-BAF2-4DA3F26F691A}
HKEY_CLASSES_ROOT\CLSID\{56B60F70-057F-4150-98B1-29572DF422F0}
HKEY_CLASSES_ROOT\Interface\{35A22488-DCFE-459C-A811-CFC81687B404}
HKEY_CLASSES_ROOT\TypeLib\{DF7B63CA-0287-4FEC-AD99-598519A78E57}
to register the .dll file.
Creates the following registry subkeys:
HKEY_CLASSES_ROOT\iehelper.OnSubmitHandler
HKEY_CLASSES_ROOT\iehelper.OnSubmitHandler.1
HKEY_CLASSES_ROOT\SpyAnti.SpyAnti
HKEY_CLASSES_ROOT\SpyAnti.SpyAnti.1
Monitors alert messages from firewall applications containing the following strings:
Warning: some components changed
Warning: Components Have Changed
Are you sure you want to navigate away from this page?
Static
Microsoft Internet Explorer
Create rule for %s
Attempts to hide the above pop-up alerts and to create ALLOW rules automatically.
Searches for email addresses in files with the following extensions:
.xml
.xls
.eml
.vbs
.rtf
.uin
.doc
.oft
.msg
.dbx
.adb
.wab
.tbb
.asp
.ph*
.pl*
.tx*
.*ht*
Stores harvested email addresses in %Windir%\log\[RANDOM].mail.
Collects all locally cached passwords and saves them in %Windir%\log\[RANDOM].pass.
Collects a list of installed software and saves it in %Windir%\[RANDOM].apps.
Enumerates Internet Explorer Web pages and saves form information in %Windir%\[RANDOM].form.
Stores captured credit card information in %Windir%\[RANDOM].crds.
Saves HTTP POST requests in %Windir%\[RANDOM].post if the URL contains one of the following strings:
Posts the log files to [http://]pheasant-farm.com/[RANDOM].
Periodically tries to update itself by downloading the following files via FTP or HTTP:
%UserProfile%\Local Settings\Temp\tmp24352.exe
%UserProfile%\Local Settings\Temp\q4h28c.exe
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
To delete the values from the registry:
Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56B60F70-057F-4150-98B1-29572DF422F0}
HKEY_CLASSES_ROOT\CLSID\{21E5619E-0F99-4096-BAF2-4DA3F26F691A}
HKEY_CLASSES_ROOT\CLSID\{56B60F70-057F-4150-98B1-29572DF422F0}
HKEY_CLASSES_ROOT\Interface\{35A22488-DCFE-459C-A811-CFC81687B404}
HKEY_CLASSES_ROOT\TypeLib\{DF7B63CA-0287-4FEC-AD99-598519A78E57}
HKEY_CLASSES_ROOT\iehelper.OnSubmitHandler
HKEY_CLASSES_ROOT\iehelper.OnSubmitHandler.1
HKEY_CLASSES_ROOT\SpyAnti.SpyAnti
HKEY_CLASSES_ROOT\SpyAnti.SpyAnti.1
Exit the Registry Editor.
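The following read-only PowerShell sweep is an added example, not part of the original advisory: it checks a host for the registry subkeys, dropped files and harvest logs listed above and reports what it finds without deleting anything. It assumes a PowerShell 3 or later session with rights to read HKLM and the Windows folder.

```powershell
# Added example: host indicator sweep for PWSteal.Bankash.G (report only, no removal).
$ErrorActionPreference = 'SilentlyContinue'

# Registry subkeys the advisory says the Trojan creates (BHO, COM registration, ProgIDs).
$regKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56B60F70-057F-4150-98B1-29572DF422F0}',
  'Registry::HKEY_CLASSES_ROOT\CLSID\{21E5619E-0F99-4096-BAF2-4DA3F26F691A}',
  'Registry::HKEY_CLASSES_ROOT\CLSID\{56B60F70-057F-4150-98B1-29572DF422F0}',
  'Registry::HKEY_CLASSES_ROOT\Interface\{35A22488-DCFE-459C-A811-CFC81687B404}',
  'Registry::HKEY_CLASSES_ROOT\TypeLib\{DF7B63CA-0287-4FEC-AD99-598519A78E57}',
  'Registry::HKEY_CLASSES_ROOT\iehelper.OnSubmitHandler',
  'Registry::HKEY_CLASSES_ROOT\iehelper.OnSubmitHandler.1',
  'Registry::HKEY_CLASSES_ROOT\SpyAnti.SpyAnti',
  'Registry::HKEY_CLASSES_ROOT\SpyAnti.SpyAnti.1'
)

# Dropped DLL and the update downloads named in the advisory.
$win   = $env:SystemRoot                                  # %Windir%
$sys   = Join-Path $win 'System32'                        # %System% on NT/2000/XP
$tmp   = Join-Path $env:USERPROFILE 'Local Settings\Temp' # %UserProfile%\Local Settings\Temp
$files = @(
  (Join-Path $sys 'ash2.dll'),
  (Join-Path $tmp 'tmp24352.exe'),
  (Join-Path $tmp 'q4h28c.exe')
)

$hits = @()
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $hits += "REG  $k" } }
foreach ($f in $files)   { if (Test-Path -LiteralPath $f) { $hits += "FILE $f" } }

# Harvest logs: %Windir%\log\[RANDOM].{apps,pass,mail,post,crds,form}. A non-empty
# file here means data was already collected and the exfiltration step may have run.
$logDir = Join-Path $win 'log'
if (Test-Path -LiteralPath $logDir) {
  Get-ChildItem -LiteralPath $logDir -File |
    Where-Object { $_.Extension -in '.apps', '.pass', '.mail', '.post', '.crds', '.form' } |
    ForEach-Object { $hits += "LOG  $($_.FullName) ($($_.Length) bytes)" }
}

if ($hits.Count -eq 0) {
  'No PWSteal.Bankash.G indicators found.'
} else {
  'PWSteal.Bankash.G indicators found (investigate before cleaning):'
  $hits | ForEach-Object { "  $_" }
}
```

Because the Trojan posts the harvest logs to pheasant-farm.com, any LOG hit should be paired with a check of proxy or firewall logs for HTTP traffic to that host to scope what was exfiltrated.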
