Troj/BankAsh-A

Category: Viruses and Spyware
Type: Trojan
Prevalence:


Troj/BankAsh-A is a banker and password stealing Trojan.

Troj/BankAsh-A will spy on a user's internet access. When certain banking and finance websites are accessed, the Trojan can display a fake login page or log keyboard presses in order to steal username and password information. Targeted banks include the following:

Barclays, Cahoot, Halifax, HSBC, Lloyds TSB, Nationwide, NatWest, Smile

The Trojan can also steal email login details and passwords from the protected store. Periodically, Troj/BankAsh-A will send the stolen details to a remote FTP site.

Troj/BankAsh-A will drop a DLL named ASH.DLL to the Windows system folder. This file is also detected as Troj/BankAsh-A. The Trojan will then register the DLL. Registry entries will be created under the following branches:

HKCR\CLSID\(C6176B04-8896-4446-9939-E00EE94C420F)
HKCR\AntiSpy.AntiSpy
HKCR\AntiSpy.AntiSpy.1

The DLL will register itself as an Interface, named "IIEHlprObj" and as a Type Library named "AS 0.96 Type Library". The following registry branches will be created:

HKCR\Interface\(17A45F93-AEC8-440B-AC33-1BA9CC3192AC)
HKCR\TypeLib\(D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F)

Troj/BankAsh-A will modify Internet Explorer's Start page by setting the following registry values (key, value name, data):

HKCU\Software\Microsoft\Internet Explorer\Main
  Start Page = about:blank

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
  Start Page = about:blank
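As an added example (not Sophos's own tooling), the following Python checks an offline registry export for the artifacts described above: the CLSID, Interface and TypeLib GUIDs, the AntiSpy.AntiSpy ProgIDs and the forced about:blank Start Page. The sample export is constructed for the demonstration; on a real system you would feed it the output of `reg export`.

```python
# GUIDs quoted in the Troj/BankAsh-A description. Delimiters are dropped so the
# parentheses on the page and the braces a .reg export writes both match.
BANKASH_GUIDS = {
    "C6176B04-8896-4446-9939-E00EE94C420F": "CLSID registered for ASH.DLL",
    "17A45F93-AEC8-440B-AC33-1BA9CC3192AC": "IIEHlprObj interface",
    "D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F": "AS 0.96 Type Library",
}
BANKASH_PROGIDS = ("AntiSpy.AntiSpy", "AntiSpy.AntiSpy.1")

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor' export into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def bankash_indicators(keys):
    """Return a description of every BankAsh registry artifact found in `keys`."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        for guid, what in BANKASH_GUIDS.items():
            if guid.lower() in low:
                hits.append(f"{what}: {key}")
        if key.rsplit("\\", 1)[-1] in BANKASH_PROGIDS:
            hits.append(f"ProgID registered by ASH.DLL: {key}")
        # The Trojan forces the IE Start Page to about:blank under HKCU and HKLM.
        if (low.endswith("\\internet explorer\\main")
                and values.get("Start Page", "").lower() == "about:blank"):
            hits.append(f"IE Start Page set to about:blank: {key}")
    return hits

# Constructed sample export (not a real capture) containing the artifacts above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C6176B04-8896-4446-9939-E00EE94C420F}]

[HKEY_CLASSES_ROOT\AntiSpy.AntiSpy]

[HKEY_CLASSES_ROOT\TypeLib\{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}\1.0]
@="AS 0.96 Type Library"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""
```

Calling `bankash_indicators(parse_reg_export(SAMPLE_EXPORT))` yields four hits for the sample; an about:blank Start Page alone is weak evidence and should be weighed together with the COM registrations.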

Troj/BankAsh-A will attempt to disable or kill the Microsoft AntiSpyware application. The Trojan will delete the following registry entry, if it exists:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ

The Trojan will also attempt to terminate the following Microsoft AntiSpyware related processes:

GCASCLEANER
GCASDTSERV
GCASINSTALLHELPER
GCASNOTICE
GCASSERV
GCASSERVALERT
GCASSWUPDATER
GCIPTOHOSTQUEUE
GIANTANTISPYWAREMAIN
GIANTANTISPYWAREUPDATER

Troj/BankAsh-A will try to suppress warning messages that Microsoft AntiSpyware may display and will delete all files within the folder named "C:\Program Files\Microsoft AntiSpyware".

Troj/BankAsh-A may attempt to deny access to a number of websites by modifying the HOSTS file found in the Windows folder or the "%SYSTEM%\drivers\etc" folder.

Troj/BankAsh-A may download and run updates of itself.

Troj/BankAsh-A will attempt to unregister and delete a DLL named IEHELPER.DLL from the Windows system folder.
