|Detected||Apr 06 2007 08:58 GMT|
|Released||Apr 11 2007 16:53 GMT|
|Published||Apr 06 2007 08:58 GMT|
This Trojan intercepts confidential user data. It is a Windows PE EXE file, 29KB in size, packed using MEW. The unpacked file is approximately 225KB in size.
When launched, the Trojan extracts from itself the following file, which is 41,472 bytes in size:
The Trojan also registers this file in the system registry, ensuring that it will be launched each time Windows is booted on the victim machine:
The Trojan then deletes its executable file and ceases running.
The Trojan component %System%\msie.dll installs hooks for the following API functions:
InternetCrackUrl InternetConnectA HttpOpenRequestA HttpSendRequestA InternetReadFile
The Trojan uses these hooks to track user activity on the following sites:
On these sites, the Trojan will intercept information values entered in fields with the following names:
AccountID StoreMyNumber PassPhrase Turing Amount autoT1 autoT2 Id Payee_Account Login Spend Schmetterling
The Trojan also harvests Microsoft Office account passwords..
The Trojan saves harvested data to the following log files:
These files are periodically uploaded to the remote malicious user’s FTP server.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution, follow the instructions below to delete the malicious program:
%System%\msie.dll %System%\info.dat %System%\ms.dat
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs" = "%System%\msie.dll"
Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.