Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 27 July 2005 22:09:29 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.
More Information
Troj/BankSnif-A is a Trojan for the Windows platform.
When run, Troj/BankSnif-A creates the following registry entries (`@` denotes the key's default value):

```
HKCR\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}
    <several entries>

HKCR\Msxml32.DOMDocument
    @ = "Msxml32DOMDocument Class"

HKCR\Msxml32.DOMDocument\CLSID
    @ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"

HKCR\Msxml32.DOMDocument\CurVer
    @ = "Msxml32.DOMDocument.1"

HKCR\Msxml32.DOMDocument.1
    @ = "Msxml32DOMDocument Class"

HKCR\Msxml32.DOMDocument.1\CLSID
    @ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"
```
The Trojan monitors HTTP requests for certain banking sites and steals login details. The Trojan captures login data for the following domains:
accounts1.keybank.com
accounts4.keybank.com
activa.caixagalicia.es
activia.caixagalicia.es
aibgbonline.co.uk
bancae.caixapenedes.com
bancopopular.es
banesnet.banesto.es
banesnt.banesto.es
bank.wayser.net
banking.lbbw.de
banking.postbank.de
banking.seb.de
bbvanet.com
bendigobank.com.au
berliner-volksbank.de
bmo.com
bv-i.bancodevalencia.es
bw7.sparkasse-banking.de
caixasabadell.net
cajamar.es
ccm.es
cib.ibanking-services.com
cibconline.cibc.com
co.caixabank.fr
commerzbanking.de
connect.skyfi.com
coventrybuildingsociety.co.uk
customer.ibc
dresdner-privat.de
ebay.co
eds.usersonlnet.com
esecure.regionsnet.com
etimebanker.bankofthewest.com
etrade.com
extensive.bancalombarda.it
extranet.banesto.es
extrant.banesto.es
fastnetoffice.asbbank.co.nz
firsttennessee.com
fleethomelink.fleet.com
fnc.asbbank.co.nz
fni.asbbank.co.nz
global1.onlinebank.com
hsbc.co.uk
ib.national.com.au
ibank.barclays.co.uk
ibank.cahoot.com
ibanking.seb.de
idbnet.barclays.co.uk
iibank.barclays.co.uk
iibank.cahoot.com
inet.barclays.co.uk
inet.southtrustonlinebanking.com
internetbank.intesabci.it
internetbanking.gad.de
internetbanking.intesabci.it
isec.westpactrust.co.nz
izb.de
kunden-service.lbs.de
lb.national.com.au
lloydstsb.com
login.365online.com
login.caixasabadell.net
login.cajamar.es
login.ccfcuonline.org
login.ccm.es
login.compassweb.com
login.ebank.offshore.hsbc.co.je
login.forumcuonline.com
login.iblogin.com
login.personal.wamu.com
login.webbanking.comerica.com
logon.bankone.com
logon.firstmeritib.com
logon.ibc
logon.members1st.org
logon.personal.wamu.com
lrp.sparkasse-banking.de
meine.deutsche-bank.de
miwebbusbank.ebanking-services.com
my.hypovereinsbank.de
mybank.alliance-leicester.co.uk
mybank.bybank.it
mybranch.lafcu.com
myonlineaccounts2.abbeynational.co.uk
nbnz.co.nz
netbank.commbank.com.au
ob2.nationet.com
oi.cajamadrid.es
oii.cajamadrid.es
olb.westpac.com.au
olb2.nationet.com
ollb.westpac.com.au
online-business.lloydstsb.co.uk
online-offshore.lloydstsb.com
online.compassweb.com
online.lloydstsb.co.uk
online.wellsfargo.com
onlineaccounts2.abbeynational.co.uk
onlinebanking.bankofoklahoma.com
onlinebanking.huntington.com
onlinebanking.lasallebank.com
onlinebanking.norisbank.de
onlineid.bankofamerica.com
paypal.co
pcb.peoples.com
pcbs.peoples.com
portal09.commerzbanking.de
rollb.associatedbank.com
royalbank.com
rrp.sparkasse-banking.de
scotiaonline.scotiabank.com
sec.westpactrust.co.nz
secure.mvnt4.com
secure.regionsnet.com
secure.tdbanknorth.com
southtrustonlinebanking.com
sparkasse-banking.de
teacherscreditunion.com.au
unicaja.es
upb.unionplanters.com
upib.unionplanters.com
usbank.com
web.banking.firsttennessee.com
webbanking.comerica.com
welcome.smile.co.uk
welcome8.smile.co.uk
wvw.citizensbankonline.com
wvw.csebanking.it
wvw.e-gold.com
wvw.etrade.com
wvw.internetbanking.gad.de
wvw.kunden-service.lbs.de
wvw.paypal.com
wvw.totallyfreebanking.com
ww.bayernlb.de
ww.bics.fr
ww.cibconline.cibc.com
ww.creditmutuel.fr
ww.e-banking.helaba.de
ww.extensive.bancalombarda.it
ww.hsbc.co.uk
ww.hsh-nordbank.de
ww.isideonline.it
ww.mynfbonline.com
ww.unicaja.es
ww1.bendigobank.com.au
ww1.nwolb.com
ww1.onlinebanking.iombank.com
ww1.portal.izb.de
ww1.royalbank.com
ww1.www.rbsdigital.com
ww2.anz.com
ww2.bankofscotlandhalifax-online.co.uk
ww2.berliner-volksbank.de
ww2.dresdner-privat.de
ww2.homebanking-
ww2.homebanking-berlin.de
ww2.homebanking-niedersachsen.de
ww2.homebanking-sparkasse.de
ww2.mybranch.lafcu.com
ww2.nbnz.co.nz
ww2.netbank.commbank.com.au
ww2.onlinebanking.lasallebank.com
ww2.scotiaonline.scotiabank.com
ww2.teacherscreditunion.com.au
ww2.vr-networld-ebanking.de
ww3.bbvanet.com
ww3.connect.skyfi.com
ww3.etimebanker.bankofthewest.com
ww3.homebanking-berlin.de
ww3.homebanking-niedersachsen.de
ww3.online-business.lloydstsb.co.uk
ww3.online-offshore.lloydstsb.com
ww3.online.lloydstsb.co.uk
ww3.onlinebanking.natwestoffshore.com
ww3.sella.it
ww4.fleethomelink.fleet.com
ww5.bmo.com
ww7.homebanking-berlin.de
www.365online.com
www.anz.com
www.associatedbank.com
www.bancae.caixapenedes.com
www.bank.alliance-leicester.co.uk
www.banking.lbbw.de
www.banking.postbank.de
www.bankofscotlandhalifax-online.co.uk
www.bankone.com
www.bayernlb.de
www.bics.fr
www.bvi.bancodevalencia.es
www.ccfcuonline.org
www.cib.ibanking-services.com
www.citizensbankonline.com
www.co.caixabank.fr
www.creditmutuel.fr
www.csebanking.it
www.e-banking.helaba.de
www.e-gold.com
www.ebank.offshore.hsbc.co.je
www.eds.usersonlnet.com
www.firstmeritib.com
www.forumcuonline.com
www.global1.onlinebank.com
www.hsh-nordbank.de
www.iblogin.com
www.isideonline.it
www.lloydstsb.com
www.meine.deutsche-bank.de
www.members1st.org
www.miwebbusbank.ebanking-services.com
www.my.hypovereinsbank.de
www.mybank.bybank.it
www.mynfbonline.com
www.nwolb.com
www.online.wellsfargo.com
www.onlinebanking.bankofoklahoma.com
www.onlinebanking.huntington.com
www.onlinebanking.iombank.com
www.onlinebanking.natwestoffshore.com
www.onlinebanking.norisbank.de
www.onlineid.bankofamerica.com
www.rbsdigital.com
www.secure.mvnt4.com
www.secure.tdbanknorth.com
www.sella.it
www.signin.ebay.com
www.totallyfreebanking.com
www3.aibgbonline.co.uk
www3.coventrybuildingsociety.co.uk
www5.bancopopular.es
www6.usbank.com
The Trojan modifies the HOSTS file (typically located in `<Windows system folder>\drivers\etc\HOSTS`), redirecting requests for the domains listed above to an alternate site, where remote attackers then intercept the data.
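The following Python script is an added example, not code from the Sophos advisory. It implements the check and clean-up behind the "Action" steps above: parse a HOSTS file, flag any active entry that resolves one of the listed banking domains to an address other than the bank's (a loopback address is reported separately, since it blocks the site rather than redirecting it), and produce a copy of the file with those lines removed so it can be compared against a backup. The monitored-domain set is a small subset of the advisory's list, the HOSTS content is a constructed sample (192.0.2.44 is a documentation address standing in for an attacker host), and matching subdomains of a listed domain (`www.hsbc.co.uk` for `hsbc.co.uk`) is this example's own extension.

```python
"""Audit a Windows HOSTS file for entries that hijack banking domains.

Added example; not code from the Sophos advisory. It looks for the
change the advisory describes: HOSTS entries that send the listed
banking domains somewhere other than the bank. All inputs below are
constructed samples.
"""
import ipaddress
import sys
from typing import Iterable, Iterator, List, NamedTuple, Set, Tuple

# A handful of the domains named in the advisory; on a real system use
# the advisory's full list.
MONITORED_DOMAINS: Set[str] = {
    "online.wellsfargo.com",
    "onlineid.bankofamerica.com",
    "ibank.barclays.co.uk",
    "meine.deutsche-bank.de",
    "hsbc.co.uk",
}

# Constructed sample HOSTS content (not a capture from an infected machine).
# 192.0.2.44 is a documentation address standing in for an attacker host.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
192.0.2.44      online.wellsfargo.com
192.0.2.44      onlineid.bankofamerica.com  www.onlineid.bankofamerica.com
# 192.0.2.44    ibank.barclays.co.uk   (commented out, so inactive)
127.0.0.1       meine.deutsche-bank.de
10.0.0.5        intranet.example.internal
"""


class Finding(NamedTuple):
    line: int        # 1-based line number in the HOSTS file
    address: str     # address the entry resolves the name to
    hostname: str    # the affected name
    verdict: str     # "redirected" (non-loopback) or "blocked" (loopback)


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_number, address, hostnames) for each active entry.

    HOSTS syntax: '#' starts a comment, fields are whitespace separated,
    the first field is an address and the remaining fields are names.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        yield lineno, fields[0], [name.lower() for name in fields[1:]]


def is_loopback_address(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unparseable address: treat as not loopback


def is_monitored(hostname: str, monitored: Iterable[str]) -> bool:
    # Exact match, or a subdomain of a monitored domain (e.g. www.hsbc.co.uk
    # for hsbc.co.uk). Subdomain matching is this example's own choice.
    domains = {d.lower() for d in monitored}
    return hostname in domains or any(
        hostname.endswith("." + domain) for domain in domains
    )


def find_hijacked_entries(text: str, monitored: Iterable[str]) -> List[Finding]:
    """Return every active HOSTS entry that overrides DNS for a monitored domain.

    A non-loopback address means traffic is sent to a third party (the
    behaviour of Troj/BankSnif-A); a loopback address merely blocks the
    site, which is still a change worth reviewing.
    """
    findings = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            if is_monitored(name, monitored):
                verdict = "blocked" if is_loopback_address(address) else "redirected"
                findings.append(Finding(lineno, address, name, verdict))
    return findings


def remove_hijacked_entries(text: str, monitored: Iterable[str]) -> str:
    """Return the HOSTS text with every flagged line dropped.

    Whole lines are removed: a legitimate HOSTS file has no reason to
    resolve a bank's login host, so any line naming one is suspect.
    """
    bad_lines = {f.line for f in find_hijacked_entries(text, monitored)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1)
            if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]
    # Without an argument the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    else:
        hosts_text = SAMPLE_HOSTS
    for f in find_hijacked_entries(hosts_text, MONITORED_DOMAINS):
        print(f"line {f.line}: {f.hostname} -> {f.address} ({f.verdict})")
```

Run against the sample, the script reports the two `192.0.2.44` lines as redirected and the `127.0.0.1 meine.deutsche-bank.de` line as blocked; the commented-out Barclays line is ignored because the parser strips comments before splitting fields. The cleaned text from `remove_hijacked_entries` keeps the loopback and intranet lines untouched, which is the state the HOSTS file should be restored to.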

