Virus Profile: PWS-Banker!h2e

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/16/2011
Date Added: 11/16/2011
Origin: N/A
Length: varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 6610

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Microsoft : TrojanSpy:Win32/Banker.AFL
  • Symantec  : Infostealer.Bancos
  • Sophos    : Mal/Generic-L
  • F-Secure  : Gen:Variant.Strictor.436

Indication of Infection

Presence of the above-mentioned activities, files and registry entries.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Virus Characteristics

PWS-Banker!h2e is a family of data-stealing Trojans that captures banking credentials such as account numbers and passwords from computer users. It then relays the captured information to the attacker. Most PWS-Banker!h2e variants target customers of Brazilian banks; some variants target customers of other banks.

Many PWS-Banker!h2e variants monitor open Web-browser windows for bank names in the title bar or bank URLs in the address bar. Many variants log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Banker may also replace or supplement legitimate bank Web pages with illegitimate Web pages.

PWS-Banker!h2e variants use various means of sending captured banking credentials to the attacker, including sending an e-mail to the attacker, uploading credentials to an attacker's FTP site, and posting credentials to an attacker's HTTP site.

Many variants of PWS-Banker!h2e copy themselves to various folders on the infected computer, such as <Windows folder> and <system folder>, and also drop other files there.

Banker may also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

The following API calls are used to obtain the host name, locale information, server name, server port number and host IP address from the infected machine:

  • GetComputerNameA
  • GetLocaleInfoA
  • gethostbyaddr
  • gethostbyname
  • gethostname
  • getservbyport
  • getservbyname

The following API calls are used to obtain the keyboard layout and to capture key events:

  • GetKeyboardType
  • GetKeyboardState
  • GetKeyboardLayoutNameA
  • GetKeyboardLayoutList
  • GetKeyboardLayout
  • GetKeyState
  • GetKeyNameTextA
  • GetCapture
  • SetCapture
  • ReleaseCapture
  • UnhookWindowsHookEx
  • SetWindowsHookExA
  • CallNextHookEx
  • OnKeyPress

The following strings found in memory indicate that the Trojan may send information to the remote attacker:

  • WSAConnect
  • WSAAsyncGetServByName
  • WSAAsyncGetServByPort
  • WSAAsyncGetProtoByName
  • WSAAsyncGetProtoByNumber
  • WSAAsyncGetHostByName
  • WSAAsyncGetHostByAddr
  • WSACancelAsyncRequest
  • WSASend
  • WSARecv
  • WSARecvDisconnect
  • WSARecvFrom
  • WSAResetEvent
  • WSASendDisconnect
  • WSASendTo
  • WSASetEvent
  • WSASocketA
  • WSASocketW
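As an added example (not part of the McAfee profile), the following script applies the three indicator lists above, plus the Run key named earlier, as a static triage check over a binary's string region. The sample blob is constructed here to stand in for the import-name region of a PE file; the grouping and the "suspicious" threshold are this example's own assumptions, not detection logic from the vendor.

```python
import re
from typing import Dict, List

# Indicator groups taken from the profile above: API names the Trojan imports or
# leaves as strings in memory, grouped by the behaviour each set implies.
INDICATOR_GROUPS: Dict[str, List[bytes]] = {
    "host_enumeration": [b"GetComputerNameA", b"GetLocaleInfoA", b"gethostbyaddr",
                         b"gethostbyname", b"gethostname", b"getservbyport",
                         b"getservbyname"],
    "keylogging": [b"SetWindowsHookExA", b"CallNextHookEx", b"UnhookWindowsHookEx",
                   b"GetKeyState", b"GetKeyboardState", b"GetKeyNameTextA",
                   b"GetKeyboardLayout", b"SetCapture"],
    "network_exfiltration": [b"WSAConnect", b"WSASend", b"WSASendTo", b"WSASocketA",
                             b"WSASocketW", b"WSARecv", b"WSAAsyncGetHostByName"],
}

# Persistence location named in the profile; matched case-insensitively because
# registry paths are case-insensitive and samples differ in casing.
RUN_KEY = re.compile(rb"(?i)software\\microsoft\\windows\\currentversion\\run\b")


def scan_strings(blob: bytes) -> Dict[str, List[str]]:
    """Return, per behaviour group, the indicator names present in blob.

    Word boundaries keep e.g. WSASend from matching inside WSASendTo."""
    hits: Dict[str, List[str]] = {}
    for group, names in INDICATOR_GROUPS.items():
        found = [n.decode() for n in names
                 if re.search(rb"\b" + re.escape(n) + rb"\b", blob)]
        if found:
            hits[group] = found
    if RUN_KEY.search(blob):
        hits["persistence"] = ["Run key"]
    return hits


def triage(blob: bytes) -> str:
    """Assumed threshold: keylogging plus network capability together is what the
    profile describes, so that combination is flagged; any other hit is 'review'."""
    hits = scan_strings(blob)
    if "keylogging" in hits and "network_exfiltration" in hits:
        return "suspicious"
    return "review" if hits else "clean"


# Constructed sample mimicking an import-name table; not a real PWS-Banker binary.
SAMPLE = (b"KERNEL32.dll\x00GetComputerNameA\x00GetLocaleInfoA\x00"
          b"USER32.dll\x00SetWindowsHookExA\x00CallNextHookEx\x00GetKeyState\x00"
          b"WS2_32.dll\x00WSASocketA\x00WSAConnect\x00WSASend\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
```

Run it against the strings output of a captured sample; the groups are deliberately coarse, so a legitimate program with a keyboard hook and a socket will also land in "suspicious" and needs analyst review.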

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).