Virus Name:
PWS-Banker.be
Risk Assessment:
Low-Profiled
Discovery Date:
21 March 2006
Origin:
Unknown
Length:
Unknown
Type:
Varies
Sub Type:
Trojan - Password Stealer
   
Virus Characteristics:
 
-- Update March 23, 2006 --

Aliases:

TROJ_HEARSE.A (Trend Micro)
Trojan.Goldun.K (Symantec)
W32/Haxdoor.ABV (Norman)
W32/HEARSE.A!tr (Fortinet)

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcadvisor.co.uk/news/index.cfm?newsid=5869

--

PWS-Banker.be is a password-stealing trojan that captures bank account information and posts this confidential data to a website based in Russia. It uses a rootkit component to hide its presence on an infected system.

Upon execution, it drops the following files into the Windows system directory:

%Windir%\%SYSDIR%\zopenssl.dll
%Windir%\%SYSDIR%\zopenssld.sys
Adds the following values to the registry to auto start itself when Windows starts.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
"DllName" = "zopenssl.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zopenssld
"DisplayName" = "OPENSSL cryptoapi"
On Win9x systems it creates the following auto start entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService
"DllName" = "zopenssl.dll"
Attempts to create the following registry entry to add "explorer.exe" to the Windows XP firewall exception list. It injects itself into explorer.exe to transmit the logged accounts and passwords, which lets it bypass the firewall settings.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"%Windir%\explorer.exe" = "%Windir%\explorer:*:Enabled:explorer"
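The persistence and firewall entries listed above can be checked offline against a regedit export. The script below is an added example, not part of the original advisory: it assumes the standard `.reg` text format, parses it into keys and values, and flags the Winlogon Notify package, the zopenssld service, the Win9x MPRServices entry and an explorer.exe firewall exception. The sample export is constructed for the demonstration.

```python
import re

# Constructed sample of a regedit export (not from the advisory); the keys and
# values mirror the persistence entries the advisory describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl]
"DllName"="zopenssl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zopenssld]
"DisplayName"="OPENSSL cryptoapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer:*:Enabled:explorer"
'''


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # Undo regedit's escaping of backslashes and quotes.
                name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
                keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (indicator, location) pairs for the registry artefacts the advisory lists."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\winlogon\notify\zopenssl") and values.get("DllName", "").lower() == "zopenssl.dll":
            findings.append(("winlogon_notify", key))
        if k.endswith(r"\services\zopenssld"):
            findings.append(("service", key))
        if k.endswith(r"\mprservices\testservice") and values.get("DllName", "").lower() == "zopenssl.dll":
            findings.append(("win9x_autostart", key))
        if k.endswith(r"\authorizedapplications\list"):
            for name, data in values.items():
                # explorer.exe is not normally an authorized application; an Enabled entry is suspect.
                if name.lower().endswith("\\explorer.exe") and ":enabled:" in data.lower():
                    findings.append(("firewall_exception", name))
    return findings
```

`find_indicators(parse_reg(open("export.reg").read()))` runs the same checks over a real export saved from regedit.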
Captured accounts and passwords are posted via HTTP to a web server based in Russia.

www.cataf[Removed].ru
 
Symptoms:
 
"zopenssl.dll" is the password stealing component of this trojan. It injects itself into Internet Explorer and prevents access to the following antivirus related websites:

Accesses the following registry locations to locate cached passwords.

HKEY_CURRENT_USER\Software\RIT\The Bat!
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The above registry locations contain usernames and passwords in an encrypted form for the following applications:

The Bat! eMail Client
Inetcomm Server passwords
Outlook Express POP3/IMAP accounts and passwords
Password-protected sites in Internet Explorer
"zopenssld.sys" is the rootkit component of this trojan and is responsible for hiding the presence of the trojan on an infected system. The following files are hidden by this rootkit from Windows Explorer and Task Manager.

bklks.ies4
nwr7.ies4
nwr8.ies4
zopenssl.dll
zopenssld.sys
 
Method of Infection:
 
Password stealers are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or trojans to be installed on the user's system.

Many of these are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the password stealer onto the user's system with no user interaction).
 
Removal Instructions:
 
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
 