Troj/BankAsh-E

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/BankAsh-E is a password-stealing Trojan for the Windows platform.

The Trojan drops a helper file to the Windows system folder as ash.dll and then registers the DLL as a browser helper object (BHO). The DLL file is then loaded each time Internet Explorer is run. Several registry entries are created under:
HKCR\CLSID\(32E9E0E2-02C7-4418-8E3B-137A21088799)
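
To check a host for this registration offline, the sketch below (an added example, not Sophos tooling) parses `reg export` text, correlates registered BHOs with their `InprocServer32` DLL and flags the CLSID and file name given above. It assumes the Trojan uses the standard Internet Explorer BHO key under HKLM and that the CLSID is stored in braces, as the registry stores all CLSIDs; the sample export is constructed.

```python
import re

# Indicators taken from the description above.
PAGE_CLSID = "32E9E0E2-02C7-4418-8E3B-137A21088799"
PAGE_DLL = "ash.dll"
# Standard IE BHO registration key; the suffix also matches the Wow6432Node copy.
BHO_KEY = r"\microsoft\windows\currentversion\explorer\browser helper objects"
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample in `reg export` text form (not captured from an infected host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32E9E0E2-02C7-4418-8E3B-137A21088799}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{32E9E0E2-02C7-4418-8E3B-137A21088799}\InprocServer32]
@="C:\\WINDOWS\\system32\\ash.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
'''

def parse_export(text):
    """Return (bho_clsids, {clsid: inproc_dll_path}) from .reg export text."""
    bhos, servers, key = set(), {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            head, _, leaf = key.rpartition("\\")
            if head.endswith(BHO_KEY) and GUID_RE.fullmatch(leaf.strip("{}")):
                bhos.add(leaf.strip("{}").upper())
        elif line.startswith('@="') and key.endswith("\\inprocserver32"):
            guid = GUID_RE.search(key)
            if guid and "\\clsid\\" in key:
                # .reg files escape backslashes; undo that for the DLL path.
                servers[guid.group(0).upper()] = line[3:].rstrip('"').replace("\\\\", "\\")
    return bhos, servers

def flag_bhos(text):
    """List (clsid, dll, reasons) for registered BHOs matching the page's indicators.
    A file-name match alone is a lead to investigate, not a verdict."""
    bhos, servers = parse_export(text)
    hits = []
    for clsid in sorted(bhos):
        dll = servers.get(clsid, "")
        reasons = []
        if clsid == PAGE_CLSID:
            reasons.append("clsid")
        if dll.lower().rsplit("\\", 1)[-1] == PAGE_DLL:
            reasons.append("dll-name")
        if reasons:
            hits.append((clsid, dll, reasons))
    return hits
```

`reg export` writes UTF-16 by default, so decode the file before passing its text to `flag_bhos`.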

The Trojan harvests information from the Windows Protected Storage areas, cached passwords and data entered into web forms. The collected information is sent to a remote user via FTP.

Troj/BankAsh-E monitors Internet Explorer sessions for visits to URLs containing the following:

Troj/BankAsh-E may display fake webpages when it detects an attempt to connect to certain sites.
