PWS-Banker.cs

--- Update on September 11, 2008 ----

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2008/09/09/obama_scandal_malware_ruse/

This detection is for a password stealing trojan which specifically looks to steal bank password related information.

Typically, this trojan spreads as a result of user clicking links in spam emails which lead to malicious binaries. Recently, there have been spam emails misleading the user into believing that their link points to video clips containing explicit videos of presidential candidate Barack Obama or the spam email may purport to be a link to some tax forms. These are obviously fake emails and do not present the content that they claim to lead to. They infact, lead to malware executables which display fake content for exmaple play some video clip or diaplay an image, and in the background install malware to perform malicious activities. Following is an image showing how icons of these executables may look like.

On execution, PWS-Banker.cs trojan drops a password stealing dll file in %SystemDir%. Typically, the name of this dropped dll file is siemens32.dll. This dll is detected as PWS-Banker.cr trojan.

PWS-Banker.cs then registers the dll as a Browser Helper Object (BHO) by creating the following registry entires:

• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47D92EB6-E52C-4cda-92A6-2369963F4913}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47D92EB6-E52C-4cda-92A6-2369963F4913}

The trojan also creates the following registry entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft
• HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft\P
•  HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft\1

The trojan looks to steal bank password and other sensitive data when browser visits the following websites:

• finanzportal.fiducia.de
• citibank.de
• netteller
• osmp.ru
• cortalconsors.de
• www3.netbank.commbank.com.au

The trojan also looks to gather more passwords from stored auto-complete password data, passwords related to email accounts etc.

The stolen information may be uploaded to :

• medved-hotel.com/berlo[REMOVED]
• bigstable.net/mail[REMOVED]

The trojan may use the following file names for its configuration data and to store the information gathered:

• alog.txt
• di1.gif
• dr1.gif
• cookie1.dat
• rc.dat
• ps1.dat
• te.dat
• bb1.dat
• cs.dat
• boa1.dat
• sfl.txt

The trojan dll also has capabilities to open a backdoor (HTTP) on the compromised machine and allow a remote attacher to issue commands such as

• Download and execute files
• Modify host file
• Delete cookies
• Reboot the computer
• Uninstall the trojan

• Presence of files and registry entries mentioned
• Network activity with servers mentioned above

This trojans typically spread by users clicking links in spam emails which lead to malicious binaries.

Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction.

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.