
Thread: Result of AVG Scan


  1. #1
    Terry C Guest

    Result of AVG Scan

    Hi all,

    Can anyone advise if the following AVG result is a high-risk item, please?
    This is for a friend.

    Showing as: Trojan Horse PSW.Banker3.jpx

    The pc has not been online since the previous AVG scan a couple of days ago.
    Any advice would be really appreciated.

    Terry :O)



  2. #2
    David H. Lipman Guest

    Re: Result of AVG Scan

    From: "Terry C" <tcasson@blueyonder.co.uk>

    | Hi all,
    |
    | Can anyone advise if the following AVG result is a high-risk item, please?
    | This is for a friend.
    |
    | Showing as: Trojan Horse PSW.Banker3.jpx
    |
    | The pc has not been online since the previous AVG scan a couple of days ago.
    | Any advice would be really appreciated.
    |
    | Terry :O)
    |

    What is the fully qualified name and path to the file(s) deemed infected with this
    password-stealing Trojan?

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  3. #3
    Terry C Guest

    Re: Result of AVG Scan


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:ZOsZh.3005$zE.523@trnddc03...
    > From: "Terry C" <tcasson@blueyonder.co.uk>
    >
    > | Hi all,
    > |
    > | Can any one advise if the following AVG result is a high risk item
    > please
    > | for friend.
    > |
    > | Showing as: Trojan Horse PSW.Banker3.jpx
    > |
    > | The pc has not been online since the previous AVG scan a couple of days
    > ago.
    > | Any advice would be really appreciated.
    > |
    > | Terry :O)
    > |
    >
    > What is the fully qualified name and path to the file(s) deemed infected
    > with this password
    > stealing Trojan ?
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >


    Hi David,

    The path was as follows:

    c:\Documents and Settings\****\My Documents\Laptop\Ext HD\PSP Extras

    and it turns out it was Part01 of a .rar file of a program for Paint Shop
    Pro, the executable part.

    She has just browsed down to the particular folder and that Part01 is now
    missing, presumably after being deleted by AVG. What she thought odd was
    that the folder had been put onto her laptop approx 2.5 years ago, and onto
    her pc three months ago, and has only shown up now, but I guess it's the
    latest definitions that have come up trumps. The folder has basically sat
    there all this time, but at no point has the file been extracted.

    Thanks again,

    Terry :O)



  4. #4
    David H. Lipman Guest

    Re: Result of AVG Scan

    From: "Terry C" <tcasson@blueyonder.co.uk>


    | Hi David,
    |
    | The path was as follows:
    |
    | c:\Documents and Settings\****\My Documents\Laptop\Ext HD\PSP Extras
    |
    | and it turns out it was Part01 of a .rar file of a program for Paint Shop
    | Pro, the executable part.
    |
    | She has just browsed down to the particular folder and that Part01 is now
    | missing, presumably after being deleted by AVG. What she thought odd was
    | that the folder had been put onto her laptop approx 2.5 years ago, and onto
    | her pc three months ago, and has only shown up now, but I guess it's the
    | latest definitions that have come up trumps. The folder has basically sat
    | there all this time, but at no point has the file been extracted.
    |
    | Thanks again,
    |
    | Terry :O)
    |

    Please identify the EXACT file in the RAR file and extract it.


    Please submit a sample of the extracted file to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect file, one at a time, via the following email URL...
    mailto:scan@virustotal.com?subject=SCAN

    When you get the report, please post back the exact results.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  5. #5
    Terry C Guest

    Re: Result of AVG Scan


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:8ENZh.2339$KP1.777@trnddc02...
    > From: "Terry C" <tcasson@blueyonder.co.uk>
    >
    >
    > | Hi David,
    > |
    > | The path was as follows:
    > |
    > | c:\Documents and Settings\****\My Documents\Laptop\Ext HD\PSP Extras
    > |
    > | and it turns out it was a Part01 of a .rar file of a program for Paint
    > Shop
    > | Pro. The executable part.
    > |
    > | She has just browsed down to the particular folder and that part01 is
    > now
    > | missing, presumably after being deleted by AVG. What she thought odd was
    > | that the folder had been put onto her laptop approx 2.5 years ago, and
    > onto
    > | her pc three months ago, and has only shown up now, but I guess it's the
    > | latest definitions that have come up trumps. The folder has basically
    > sat
    > | there all this time, but at no point has the file been extracted.
    > |
    > | Thanks again,
    > |
    > | Terry :O)
    > |
    >
    > Please identify the EXACT file in the RAR file and extract it.
    >
    >
    > Please submit a sample of the extracted file to Virus Total --
    > http://www.virustotal.com/flash/index_en.html
    > The submission will then be tested against many different AV vendor's
    > scanners.
    > That will give you an idea what it is and who recognizes it. In addition,
    > unless told
    > otherwise, Virus Total will provide the sample to all participating
    > vendors.
    >
    > You can also submit a suspect, one at a time, via the following email
    > URL...
    > mailto:scan@virustotal.com?subject=SCAN
    >
    > When you get the report, please post back the exact results.
    >
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >


    Hi David,

    Thanks again for your reply. The file was named Splat\Splat~Full~Setup.Part01.exe,
    which was deleted automatically at the end of the AVG scan.

    It was the first of 12 rar file parts, but seeing as the rest would be no
    good without the launcher (Part01) to rebuild the whole file again, she has
    deleted the folder. So I am unable to extract it :O(

    Splat is a plug-in for Jasc's Paint Shop Pro.

    She has, however, got a copy of the folder on a dvd-r, and although she is
    loath to copy it back onto her pc, she was going to see if she can browse
    to it on the dvd and try to send it to the virustotal.com site you listed above.

    Highest regards,

    Terry :O)



  6. #6
    Andy Walker Guest

    Re: Result of AVG Scan

    Terry C wrote:

    >Hi all,
    >
    >Can any one advise if the following AVG result is a high risk item please
    >for friend.
    >
    >Showing as: Trojan Horse PSW.Banker3.jpx
    >
    >The pc has not been online since the previous AVG scan a couple of days ago.
    >Any advice would be really appreciated.
    >
    >Terry :O)


    You didn't say whether or not AVG removed/quarantined the trojan. If
    neither, then you will need to remove it manually.

    Here's what McAfee says about it:

    Characteristics -

    When executed, this Trojan drops a copy of itself in the %System%
    folder as "torm.dll".

    The dropped dll file installs itself as a Browser Helper Object (BHO)
    and creates the following registry entry:

    HKEY_CLASSES_ROOT\CLSID\{60FD4F58-4748-48f6-B661-5FCE71B0D907}

    The Trojan then steals the user's login credentials when the following
    banking related websites are accessed:

    akbank.com (Turkish Bank)
    yapikredi.com.tr (Turkish Bank)
    bankofamerica.com

    This captured information is then transmitted back to the following
    website using the "HTTP POST" method:

    fcrrent.info (Attacker's site)

    http://vil.nai.com/vil/content/v_142103.htm

    If you go to the link I provided, you will also find that this trojan
    is NOT self replicating and was either placed on the system by another
    trojan or loaded by a user through a social engineering trick. Either
    way, there appears to be a serious lack of security on your friend's
    pc.

    You should run a thorough scan using the latest AVG updates. You
    should also run "Complete" scans with Spybot Search & Destroy,
    Ad-Aware, and I also recommend SuperAntiSpyware. Once you are
    reasonably certain the PC is clean, your friend should change all
    his/her online passwords as a precaution.


  7. #7
    David H. Lipman Guest

    Re: Result of AVG Scan

    From: "Andy Walker" <awalker@nspank.invalid>


    |
    | You didn't say whether or not AVG removed/quarantined the trojan. If
    | neither, then you will need to remove it manually.
    |
    | Here's what McAfee says about it:
    |
    | Characteristics -
    |
    | When executed, this Trojan drops a copy of itself in the %System%
    | folder as "torm.dll".
    |
    | The dropped dll file installs itself as a Browser Helper Object (BHO)
    | and creates the following registry entry:
    |
    | HKEY_CLASSES_ROOT\CLSID\{60FD4F58-4748-48f6-B661-5FCE71B0D907}
    |
    | The Trojan then steals the user's login credentials when the following
    | banking related websites are accessed:
    |
    | akbank.com (Turkish Bank)
    | yapikredi.com.tr (Turkish Bank)
    | bankofamerica.com
    |
    | This captured information is then transmitted back to the following
    | website using the "HTTP POST" method:
    |
    | fcrrent.info (Attacker's site)
    |
    | http://vil.nai.com/vil/content/v_142103.htm
    |
    | If you go to the link I provided, you will also find that this trojan
    | is NOT self replicating and was either placed on the system by another
    | trojan or loaded by a user through a social engineering trick. Either
    | way, there appears to be a serious lack of security on your friend's
    | pc.
    |
    | You should run a thorough scan using the latest AVG updates. You
    | should also run "Complete" scans with Spybot Search & Destroy,
    | Ad-Aware, and I also recommend SuperAntiSpyware. Once you are
    | reasonably certain the PC is clean, your friend should change all
    | his/her online passwords as a precaution.

    Close, but a different variant of the same family.

    Terry posted "PSW.Banker3.jpx" and the McAfee article was cross-referenced to
    "PSW.Banker3.IGM".

    .igm <> .jpx; they are different variants in the same family, and thus specifics such as
    Registry entries are most likely different as well.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
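    A practitioner acting on the McAfee write-up quoted above would not stop at the one
    CLSID it lists (Dave's point: a different variant most likely uses different registry
    entries) but would enumerate every registered Browser Helper Object and look at where
    each one's DLL lives. The Python below is an added example for this thread, not code
    from the thread, from AVG, or from McAfee. It parses the text that `reg export` writes
    for the Browser Helper Objects key and the CLSID hive, resolves each BHO to its
    InprocServer32 DLL, and flags any BHO that has no DLL registered or whose DLL sits
    directly in the system directory without being on a caller-supplied allowlist. The
    sample registry text is constructed: the torm.dll entry mirrors the McAfee description,
    and the 1111... CLSID with its DLL path is a placeholder for a legitimate BHO, not a
    real product.

```python
import re
from pathlib import PureWindowsPath

# Registry keys that list Internet Explorer Browser Helper Objects.  The Wow6432Node
# view is included so 32-bit BHOs on 64-bit Windows are not missed.
BHO_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\winnt\system32"}

# Constructed sample in 'reg export' format (assumption: not taken from a real machine).
# The torm.dll entry mirrors the McAfee write-up quoted in the thread; the 1111... CLSID
# and its DLL are placeholders standing in for a legitimate BHO.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60FD4F58-4748-48F6-B661-5FCE71B0D907}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{60FD4F58-4748-48F6-B661-5FCE71B0D907}\InprocServer32]
@="C:\\WINDOWS\\system32\\torm.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\iehelper.dll"
"""


def parse_reg(text):
    """Parse .reg / 'reg export' text into {key_path_lowercase: {value_name: value}}.
    The default value is stored under the empty name; string values are unescaped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def enumerate_bhos(keys):
    """Return [(clsid, friendly_name, dll_path_or_None)] for every BHO registration."""
    found = []
    for base in BHO_KEYS:
        prefix = base.lower() + "\\"
        for key, values in keys.items():
            if not key.startswith(prefix):
                continue
            rest = key[len(prefix):]
            # Only direct children named by a CLSID count; skip nested subkeys.
            if "\\" in rest or not CLSID_RE.fullmatch(rest):
                continue
            clsid_key = "hkey_classes_root\\clsid\\" + rest
            clsid_root = keys.get(clsid_key, {})
            server = keys.get(clsid_key + "\\inprocserver32", {})
            name = values.get("") or clsid_root.get("", "")
            found.append((rest.upper(), name, server.get("")))
    return found


def triage(bhos, allowlist=frozenset()):
    """Flag BHOs worth a closer look: no COM server registered, or a DLL placed
    directly in the system directory that is not on the allowlist of file names."""
    suspects = []
    for clsid, name, dll in bhos:
        if dll is None:
            suspects.append((clsid, name, dll, "no InprocServer32 DLL registered"))
            continue
        path = PureWindowsPath(dll)
        if str(path.parent).lower() in SYSTEM_DIRS and path.name.lower() not in allowlist:
            suspects.append((clsid, name, dll, "unlisted DLL in system directory"))
    return suspects


if __name__ == "__main__":
    for clsid, name, dll, reason in triage(enumerate_bhos(parse_reg(SAMPLE_REG))):
        print("SUSPECT", clsid, name or "<no name>", dll, ":", reason)
```

    On a live machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg`
    and `reg export HKCR\CLSID clsid.reg`, concatenated; note that `reg export` writes
    UTF-16 with a byte-order mark, so open the files with `encoding="utf-16"` before
    handing the text to `parse_reg`. A hit from `triage` is a lead, not a verdict: the next
    step is exactly what Dave asked for, the full path of the DLL and a VirusTotal report on it.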



  8. #8
    Andy Walker Guest

    Re: Result of AVG Scan

    David H. Lipman wrote:

    >Close, but different family variant.
    >
    >Terry posted "PSW.Banker3.jpx" and the McAfee article was cross-referenced to
    >"PSW.Banker3.IGM"
    >
    >.igm <> .jpx they are different variants in the same family and thus specifics such as
    >Registry entries are most likely different as well.


    So it is... rest of the advice is still valid, though. ;-)


    Any ideas for what the igm and jpx suffixes are meant to convey?


    I did find this pearl on the AVG forums (although it refers to the PSW
    Generic 3 XQT variant.)

    "Well.. that is probably because its part of a spyware that you had
    picked up... as the name implies... its a Generic Password Stealing
    type of trojan... these are so common and there are so many variants
    that more info isn't available"
    http://forum.grisoft.cz/freeforum/re...,backpage=,sv=

    The advice rdsok gives is valid, also... :-)

  9. #9
    David H. Lipman Guest

    Re: Result of AVG Scan

    From: "Andy Walker" <awalker@nspank.invalid>


    |
    | So it is... rest of the advice is still valid, though. ;-)
    |
    | Any ideas for what the igm and jpx suffixes are meant to convey?
    |
    | I did find this pearl on the AVG forums (although it refers to the PSW
    | Generic 3 XQT variant.)
    |
    | "Well.. that is probably because its part of a spyware that you had
    | picked up... as the name implies... its a Generic Password Stealing
    | type of trojan... these are so common and there are so many variants
    | that more info isn't available"
    | http://forum.grisoft.cz/freeforum/re...,backpage=,sv=
    |
    | The advice rdsok gives is valid, also... :-)

    The suffix .xxx means the variant. The prefix "PSW" means a Password Stealer. The body
    "Banker3" means it is a Banker Trojan. Not sure why Banker3. 3rd generation/iteration?

    Presumably the .igm variant is OLDER than the .jpx variant.

    And yes, the advice of that thread was valid, including; "...are so many variants that more
    info isn't available." The fact the suffix is using three digits [ .xxx ] indicates *many*
    variants.

    The most important concept here is that Terry was infected with a Banker family Password
    Stealing Trojan so all his passwords need to be changed, his banks need to be notified and
    their respective accounts closely monitored.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  10. #10
    Andy Walker Guest

    Re: Result of AVG Scan

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >|
    >| Any ideas for what the igm and jpx suffixes are meant to convey?
    >
    >The suffix .xxx means the variant. The prefix "PSW" means a Password Stealer. The body
    >"Banker3" means it is a Banker Trojan. Not sure why Banker3. 3rd generation/iteration?
    >
    >Presumably the .igm variant is OLDER than the .jpx variant.


    That would translate to nearly 900 variants between IGM and JPX (if
    AAA=0~1, AAB=1~2)... Ouch... then I fear there are plans to move to
    AAAA=0~1...

    I think the most salient point about these trojans is, that they feed
    off of one another, constantly reinfecting systems with new variants
    as long as at least *one* of them is still active.

    >And yes, the advice of that thread was valid, including; "...are so many variants that more
    >info isn't available." The fact the suffix is using three digits [ .xxx ] indicates *many*
    >variants.


    There are so many un-patched/already infected/security disabled
    systems out there that it makes easy pickings for malware writers.

    The more active a user becomes in the defense of their own system, the
    harder it is for the *first* infection to compromise the system... but
    then I'm preaching to the choir here, eh? heh!

    >The most important concept here is that Terry was infected with a Banker family Password
    >Stealing Trojan so all his passwords need to be changed, his banks need to be notified and
    >their respective accounts closely monitored.


    Yes, excellent points... they should also be absolutely certain that
    their computer is free from malware *before* attempting to log onto
    any of their bank accounts.

    Unfortunately, wiping and reinstalling has become the best method of
    being sure...
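    To put numbers on the variant-suffix reasoning in the last few posts, here is an added
    Python example (not code from the thread or from AVG). It splits a detection name into
    the parts Dave describes (prefix, family body, variant suffix) and treats the letter
    suffix the way Andy assumes, as a base-26 counter with aaa = 0 and aab = 1. That AVG
    allocates suffixes strictly in sequence is an assumption made for the arithmetic; the
    code only shows what that assumption implies for the gap between .igm and .jpx and for
    how many names a three-letter series can hold.

```python
import string


def parse_detection_name(name):
    """Split 'Trojan Horse PSW.Banker3.jpx' into (label, prefix, family, variant).
    Layout assumed from the thread: prefix = behaviour class (PSW = password
    stealer), body = family (Banker3), suffix = variant letters (jpx)."""
    label, _, dotted = name.strip().rpartition(" ")
    parts = dotted.split(".")
    if len(parts) < 3:
        raise ValueError("expected prefix.family.variant, got %r" % dotted)
    return label, parts[0], ".".join(parts[1:-1]), parts[-1].lower()


def variant_ordinal(suffix):
    """Zero-based position of a letter suffix within its series, assuming the
    letters form a base-26 counter (aaa = 0, aab = 1, ..., zzz = 17575)."""
    n = 0
    for ch in suffix.lower():
        if ch not in string.ascii_lowercase:
            raise ValueError("non-letter in variant suffix %r" % suffix)
        n = n * 26 + (ord(ch) - ord("a"))
    return n


def variants_between(older, newer):
    """How many variants separate two suffixes of the same length under that scheme."""
    if len(older) != len(newer):
        raise ValueError("suffixes must be the same length to compare directly")
    return variant_ordinal(newer) - variant_ordinal(older)


def series_capacity(length):
    """Number of distinct suffixes a series of this many letters can hold."""
    return 26 ** length


if __name__ == "__main__":
    label, prefix, family, variant = parse_detection_name("Trojan Horse PSW.Banker3.jpx")
    print(label, "|", prefix, "|", family, "|", variant)
    print("igm -> jpx:", variants_between("igm", "jpx"), "variants apart")
    print("a three-letter series holds", series_capacity(3), "names")
```

    Under that counter the gap from .igm to .jpx is 921 names, in line with Andy's "nearly
    900", and a three-letter series holds 17,576 of them; the count says something about how
    fast the family is being repacked, nothing about how any one sample behaves, which is why
    Dave's request for a VirusTotal report on the actual file still stands.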
