PWSteal.Bankash.F is a Trojan horse program that attempts to steal user names and passwords.
When PWSteal.Bankash.F is executed, it performs the following actions:
1. Drops the following file:
%Windir%\rfa.dll
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
2. Creates the following files:
* %Windir%\html.log
* %Windir%\email.log
* %Windir%\pass.log
* %Windir%\req.log
3. Attempts to create the following registry subkeys to register the .dll file as a Browser Helper Object:
HKEY_CLASSES_ROOT\CLSID\{811ABD55-9D94-4892-AB46-11D7DA29B8AE}
HKEY_CLASSES_ROOT\TypeLib\{A49460C9-D134-4C21-BF35-EDD17D477DC8}
HKEY_CLASSES_ROOT\Interface\{5D463D75-B21F-4D6A-AF92-CC0EC2CBF25F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{811ABD55-9D94-4892-AB46-11D7DA29B8AE}
4. Creates the following registry subkeys:
HKEY_CLASSES_ROOT\RFA.RFA
HKEY_CLASSES_ROOT\RFA.RFA.1
5. Monitors alert messages from firewall applications containing the following strings:
* Warning: some components changed
* Warning: Components Have Changed
* Are you sure you want to navigate away from this page?
* Static
* Microsoft Internet Explorer
* Create rule for %s
6. Attempts to hide these pop-up alerts and create ALLOW rules automatically.
7. Searches for email addresses in files with the following extensions:
* .xml
* .xls
* .eml
* .vbs
* .rtf
* .uin
* .doc
* .oft
* .msg
* .dbx
* .adb
* .wab
* .tbb
* .asp
* .ph*
* .pl*
* .tx*
* .*ht*
8. Stores harvested email addresses in %Windir%\email.log.
9. Attempts to collect all locally cached passwords and saves them in %Windir%\pass.log.
10. Saves captured keystrokes in %Windir%\html.log.
11. Saves HTTP GET requests in %Windir%\req.log.
12. Periodically tries to update itself by downloading the following files via FTP or HTTP:
* %UserProfile%\Local Settings\Temp\tmp1324.exe
* %Windir%\t593.exe
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
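A read-only host check for the artifacts listed in the actions above, added here as an example (it is not Symantec's code and not part of the original writeup). It assumes an elevated PowerShell session on the affected machine and that, as with any registered COM in-process server, the BHO's CLSID carries an InprocServer32 default value naming the loaded DLL; that value is not stated on this page.

```powershell
# Added example: audit a host for the PWSteal.Bankash.F files and registry keys
# listed above. Reports only; it removes nothing. Run elevated so HKLM and
# %Windir% are readable.
$win = $env:windir
$files = @(
    "$win\rfa.dll", "$win\html.log", "$win\email.log",
    "$win\pass.log", "$win\req.log", "$win\t593.exe",
    "$env:USERPROFILE\Local Settings\Temp\tmp1324.exe",   # NT/2000/XP layout
    "$env:TEMP\tmp1324.exe"                               # current-user temp on newer Windows
)

$clsid = '{811ABD55-9D94-4892-AB46-11D7DA29B8AE}'
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{A49460C9-D134-4C21-BF35-EDD17D477DC8}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{5D463D75-B21F-4D6A-AF92-CC0EC2CBF25F}',
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'Registry::HKEY_CLASSES_ROOT\RFA.RFA',
    'Registry::HKEY_CLASSES_ROOT\RFA.RFA.1'
)

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{ Type = 'File'; Path = $f
            Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Path = $k; Detail = '' }
    }
}

# Assumption (standard COM registration, not stated on the page): the CLSID's
# InprocServer32 default value names the DLL Internet Explorer loads. Recording it
# tells the responder whether the key really points at the dropped rfa.dll.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    $findings += [pscustomobject]@{ Type = 'BHO'; Path = $inproc; Detail = "InprocServer32 -> $dll" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PWSteal.Bankash.F artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Keep the .log files before cleanup: email.log, pass.log, html.log and req.log show what was harvested and which credentials and sessions need to be reset.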
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bankash.f.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to and delete the following subkeys:
HKEY_CLASSES_ROOT\RFA.RFA
HKEY_CLASSES_ROOT\RFA.RFA.1
5. Navigate to and delete the following subkeys, if present:
HKEY_CLASSES_ROOT\CLSID\{811ABD55-9D94-4892-AB46-11D7DA29B8AE}
HKEY_CLASSES_ROOT\TypeLib\{A49460C9-D134-4C21-BF35-EDD17D477DC8}
HKEY_CLASSES_ROOT\Interface\{5D463D75-B21F-4D6A-AF92-CC0EC2CBF25F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{811ABD55-9D94-4892-AB46-11D7DA29B8AE}
6. Exit the Registry Editor.