Thread: Result of AVG Scan

  1. #1
    Andy Walker Guest

    Re: Result of AVG Scan

    David H. Lipman wrote:

    >Close, but different family variant.
    >
    >Terry posted "PSW.Banker3.jpx" and the McAfee article was cross-referenced to
    >"PSW.Banker3.IGM"
    >
    >.igm <> .jpx they are different variants in the same family and thus specifics such as
    >Registry entries are most likely different as well.


    So it is... rest of the advice is still valid, though. ;-)


    Any ideas for what the igm and jpx suffixes are meant to convey?


    I did find this pearl on the AVG forums (although it refers to the PSW
    Generic 3 XQT variant.)

    "Well.. that is probably because its part of a spyware that you had
    picked up... as the name implies... its a Generic Password Stealing
    type of trojan... these are so common and there are so many variants
    that more info isn't available"
    http://forum.grisoft.cz/freeforum/re...,backpage=,sv=

    The advice rdsok gives is valid, also... :-)

  2. #2
    David H. Lipman Guest

    Re: Result of AVG Scan

    From: "Andy Walker" <awalker@nspank.invalid>


    |
    | So it is... rest of the advice is still valid, though. ;-)
    |
    | Any ideas for what the igm and jpx suffixes are meant to convey?
    |
    | I did find this pearl on the AVG forums (although it refers to the PSW
    | Generic 3 XQT variant.)
    |
    | "Well.. that is probably because its part of a spyware that you had
    | picked up... as the name implies... its a Generic Password Stealing
    | type of trojan... these are so common and there are so many variants
    | that more info isn't available"
    | http://forum.grisoft.cz/freeforum/re...,backpage=,sv=
    |
    | The advice rdsok gives is valid, also... :-)

    The suffix .xxx means the variant. The prefix "PSW" means a Password Stealer. The body
    "Banker3" means it is a Banker Trojan. Not sure why Banker3. 3rd generation/iteration?

    Presumably the .igm variant is OLDER than the .jpx variant.

    And yes, the advice of that thread was valid including; "...are so many variants that more
    info isn't available." The fact the suffix is using three digits [ .xxx ] indicates *many*
    variants.

    The most important concept here is that Terry was infected with a Banker family Password
    Stealing Trojan so all his passwords need to be changed, his banks need to be notified and
    their respective accounts closely monitored.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  3. #3
    Andy Walker Guest

    Re: Result of AVG Scan

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >|
    >| Any ideas for what the igm and jpx suffixes are meant to convey?
    >
    >The suffix .xxx means the variant. The prefix "PSW" means a Password Stealer. The body
    >"Banker3" means it is a Banker Trojan. Not sure why Banker3. 3rd generation/iteration?
    >
    >Presumably the .igm variant is OLDER than the .jpx variant.


    That would translate to nearly 900 variants between IGM and JPX (if
    AAA=0~1, AAB=1~2)...Owch..then I fear there are plans to move to
    AAAA=0~1...

    I think the most salient point about these trojans is, that they feed
    off of one another, constantly reinfecting systems with new variants
    as long as at least *one* of them is still active.

    >And yes, the advice of that thread was valid including; "...are so many variants that more
    >info isn't available." The fact the suffix is using three digits [ .xxx ] indicates *many*
    >variants.


    There are so many un-patched/already infected/security disabled
    systems out there that it makes easy pickings for malware writers.

    The more active a user becomes in the defense of their own system, the
    harder it is for the *first* infection to compromise the system... but
    then I'm preaching to the choir here, eh? heh!

    >The most important concept here is that Terry was infected with a Banker family Password
    >Stealing Trojan so all his passwords need to be changed, his banks need to be notified and
    >their respective accounts closely monitored.


    Yes, excellent points... they should also be absolutely certain that
    their computer is free from malware *before* attempting to log onto
    any of their bank accounts.

    Unfortunately, wiping and reinstalling has become the best method of
    being sure...
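
The naming breakdown and variant count discussed in posts #2 and #3, as an added example that is not part of the original thread: it splits a detection name into prefix, family and variant suffix and, assuming the thread's guess that suffixes are assigned sequentially (AAA=0, AAB=1, ...), measures the gap between two variants of the same family. The function names and sample scan lines are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Layout described in the thread: <prefix>.<family>.<three-letter variant>
NAME_RE = re.compile(r"\b([A-Za-z]+)\.([A-Za-z]+\d*)\.([A-Za-z]{3})\b")


class Detection(NamedTuple):
    prefix: str   # e.g. PSW = password stealer
    family: str   # e.g. Banker3
    variant: str  # e.g. JPX


def parse_detection(text: str) -> Optional[Detection]:
    """Return the first prefix.family.variant name found in a scan line."""
    m = NAME_RE.search(text)
    if m is None:
        return None
    return Detection(m.group(1).upper(), m.group(2), m.group(3).upper())


def variant_ordinal(suffix: str) -> int:
    """Base-26 position of a suffix, ASSUMING sequential naming (AAA=0, AAB=1)."""
    n = 0
    for ch in suffix.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"unexpected character in suffix: {ch!r}")
        n = n * 26 + (ord(ch) - ord("A"))
    return n


def variant_gap(a: Detection, b: Detection) -> Optional[int]:
    """Variants between two names, or None when prefix or family differ."""
    if (a.prefix, a.family) != (b.prefix, b.family):
        return None  # different families: a gap between them is meaningless
    return abs(variant_ordinal(a.variant) - variant_ordinal(b.variant))


if __name__ == "__main__":
    # Constructed sample lines, not real scanner output.
    lines = ["found: PSW.Banker3.jpx", "reference: PSW.Banker3.IGM",
             "found: PSW.Generic3.XQT"]
    hits = [d for d in map(parse_detection, lines) if d]
    print(hits[0], "vs", hits[1], "gap =", variant_gap(hits[0], hits[1]))
    print(hits[0], "vs", hits[2], "gap =", variant_gap(hits[0], hits[2]))
```

A `None` gap flags a cross-reference to a different family, where a write-up for one name should not be assumed to describe the other.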
