AlphaOne Technology Support Forums
Author Topic: PWSteal.Jginko Trojan horse  (Read 333 times)
Brad
PWSteal.Jginko Trojan horse
« on: July 09, 2005, 12:08:12 AM »

PWSteal.Jginko is a Trojan horse that steals account information for certain Japanese online banks.

When PWSteal.Jginko is executed, it performs the following actions:

   1. Creates a copy of itself as C:\system.exe.

   2. Adds the value:

      "system.exe" = "C:\system.exe"

      to the registry subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   3. Monitors active Internet Explorer windows for connection to the following Web sites:

          * resonabank.anser.or.jp
          * btm.co.jp
          * ebank.co.jp
          * japannetbank.co.jp
          * smbc.co.jp
          * ebank.co.jp
          * yu-cho.japanpost.jp
          * ufjbank.co.jp
          * mizuhobank.co.jp
          * shinseibank.co.jp
          * iy-bank.co.jp
          * shinkinbanking.com
          * shinkin-webfb-hokkaido.jp
          * shinkin-webfb.jp
          * paweb.anser.or.jp
          * caweb.anser.or.jp
          * hokugin.co.jp
          * web-fb.com
          * gunmabank.co.jp
          * 105bank.com
          * okbnetplaza.com
          * suitebank.finemax.net
          * ib-center.gr.jp
          * cyber-biz.ne.jp

   4. When a Web page that matches the characteristics of certain Japanese banking sites is opened, the Trojan scans the source code of the .html file. If the Trojan finds the following words in the .html file, it logs the data entered:

          * Pw
          * Ransu1
          * FurikomiKin
          * PASSWORD
          * PASSWD2_1
          * CHK_PASSWORD
          * password
          * recognitionPassword
          * passwordOLD
          * LOGIN_PASSWORD
          * USER_PASSWORD
          * OLD_PASSWORD
          * log_pass
          * PWD_PASSWORD
          * EWF_ENTRY_InputValiable1
          * AG00010
          * fldUserNumId
          * LgnPwd
          * i_pwd
          * BPW0020
          * i_acOneTime1
          * i_acFstCodenum
          * dat_0
          * S023
          * i_pwd
          * Pwd1
          * S007
          * WGLI020
          * Password
          * PIN
          * loginPassword
          * passwd
          * loginPwd
          * pw
          * logonPwd
          * KeiyakuNo
          * Anshu2
          * PWD_PINNUMBER
          * tb_conf
          * BPW0010

   5. Sends the logged information to the following Web site:

      [http://]park23.wakwak.com/[REMOVED]/~version1/cgi-bin/data.pl.

   6. Sends a list of URLs visited to the following Web site:

      [http://]park23.wakwak.com/[REMOVED]/~version1/cgi-bin/rireki.pl.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.jginko.html

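As an added triage example, not part of the post above or of Symantec's writeup: a small Python script that turns two of the listed indicators into checks a responder can run offline. It parses a `reg export` dump of the Run key for the persistence value from step 2 and scans proxy log lines for requests to the two reporting scripts from steps 5 and 6. The registry dump and the log lines are constructed; the path segment the post elides as `[REMOVED]` is stood in for by the placeholder `REDACTED`, and the log line layout (date, time, client, method, URL, status) is an assumption, not a specific proxy's format.

```python
"""Triage checks for the PWSteal.Jginko indicators listed in the post.

Added example, not code from the post or from Symantec. The .reg text and
proxy log below are constructed sample data; REDACTED stands in for the
path segment the post elides.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the post.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "system.exe"
RUN_VALUE_DATA = r"C:\system.exe"
EXFIL_HOST = "park23.wakwak.com"
# Match on the visible tail of the path, not the host alone: wakwak.com is a
# shared ISP host, so host-only matching would flag unrelated traffic.
EXFIL_PATHS = ("/~version1/cgi-bin/data.pl", "/~version1/cgi-bin/rireki.pl")

# Constructed: what `reg export HKCU\...\Run run.reg` could produce on an
# infected host. .reg files double backslashes inside string values.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"system.exe"="C:\\system.exe"
"""

# Constructed proxy log (assumed layout: date time client method url status).
# The last line is a benign request to the same shared host and must not match.
SAMPLE_PROXY_LOG = """\
2005-07-08 23:51:02 10.0.0.17 GET http://www.smbc.co.jp/ 200
2005-07-08 23:51:40 10.0.0.17 POST http://park23.wakwak.com/REDACTED/~version1/cgi-bin/data.pl 200
2005-07-08 23:52:11 10.0.0.17 POST http://park23.wakwak.com/REDACTED/~version1/cgi-bin/rireki.pl 200
2005-07-08 23:53:05 10.0.0.23 GET http://park23.wakwak.com/~someone/index.html 200
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_run_persistence(reg_text):
    """Return (key, name, data) for Run values matching the indicator (case-insensitive)."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME and data.lower() == RUN_VALUE_DATA.lower():
                hits.append((key, name, data))
    return hits


def find_exfil_requests(log_text):
    """Return (client, method, url) for requests to the reporting scripts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, method, url = parts[2], parts[3], parts[4]
        u = urlsplit(url)
        if u.hostname == EXFIL_HOST and any(u.path.endswith(p) for p in EXFIL_PATHS):
            hits.append((client, method, url))
    return hits


if __name__ == "__main__":
    for hit in find_run_persistence(SAMPLE_REG_EXPORT):
        print("persistence:", hit)
    for hit in find_exfil_requests(SAMPLE_PROXY_LOG):
        print("reporting request:", hit)
```

On a real host, feed `find_run_persistence` the output of `reg export` for the Run key and confirm `C:\system.exe` is present before calling it a hit; the Run-value name on its own is not distinctive. The proxy check is only as good as the log's URL field, so adapt the column indices to the format you actually have.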