high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 2 June 2006 05:25:26 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/BankAsh-Q is an information stealing Trojan for the Windows platform.
Troj/BankAsh-Q includes functionalities to:
- download, install and run new software
- steal information
- terminate processes related to Giant AntiSpyware
- terminate processes and remove registry entries related to security and anti-virus processes
- modify the HOSTS file
When Troj/BankAsh-Q is installed it creates the file <System>\rwl.dll and this file is detected as Troj/BankAsh-Q.
The file ash2.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
HKCR\CLSID\(33E8230A-AFA8-4db4-8684-CBA061C98D1E)
HKCR\Interface\(33E8230A-AFA8-4db4-8684-CBA061C98D1E)
HKCR\Interface\(35A22488-DCFE-459C-A811-CFC81687B404)
HKCR\TypeLib\(DF7B63CA-0287-4FEC-AD99-598519A78E57)
Troj/BankAsh-Q will spy on a user's internet access. When certain banking and finance websites are accessed, the Trojan can display a fake login page or log keyboard presses in order to steal username and password information.
Periodically, Troj/BankAsh-Q will send the stolen details to a remote server.
Troj/BankAsh-Q may modify the file <System>\drivers\etc\hosts.
Registry entries are created under:
HKCR\Classes\WriteFile.WriteFile
HKCR\Classes\WriteFile.WriteFile.1
|
