Sophos

Troj/Banker-AJ

Aliases
  • PWSteal.Revcuss.A
  • Win32.Revcuss.H

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: December 2004 (3.88)
Protection available since: 11 November 2004 04:39:06 (GMT)
Detected by: All Sophos products

More Information

Troj/Banker-AJ is an information-stealing Trojan. The Trojan monitors a user's internet transactions in an attempt to steal passwords and other data related to online banking and other financial transactions.

When run, the Trojan copies itself to the Windows folder as winuser.exe and to the Windows system folder as userhandler.exe. Troj/Banker-AJ monitors the user's internet activity by logging information entered into web pages with any of the following titles or URLs:

Abbey
anking
Barclays IBank
CCBill Secure Signup Form
Citibank Internet Banking
Digital Banking
Egg Security Login
Enter memorable information
Equifax UK Commercial
Experian candidate verifier
Five-digit passcode
HSBC Internet Banking
iBill Payment Page
LloydsTSB online - Welcome
Login
Logon
Logon-PinPass.asp
membership details below
Nationwide Building Society - Internet banking
NatWest OnLine Banking
Online Service
Scotia OnLine Sign-On
Transfer to another organisation - Create
welcome to smile banking
http://www.candidateverifier.com/
https://
https://banking.halifax-online.co.uk/Servicing/App/CreateBillPayment.asp
https://bill.ccbill.com/jpost/signup.cgi
https://cukehb2.cd.citibank.co.uk/HomeBankingSecure/Pers/StartSession.asp
https://ibank.barclays.co.uk/fp/
https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
https://myonlineaccounts2.abbeynational.co.uk/ffStatic/html/logon.html
https://new.egg.com/security/customer/logon?URI=https://new.egg.com/customer/youraccounts
https://olb2.nationet.com/default
https://online-business.lloydstsb.co.uk/customer.ibc
https://online-business.lloydstsb.co.uk/logon.ibc
https://online.lloydstsb.co.uk/customer.ibc
https://online.lloydstsb.co.uk/logon.ibc
https://secure.ibill.com/cgi-win/ccard/ccard.exe
https://welcome3.smile.co.uk/servlet/Smile5Banking
https://www.ebank.hsbc.co.uk/logonindex.jsp
https://www.equifax.co.uk/equifax/commercial/index.html
https://www.halifax-online.co.uk/_mem_bin/formslogin.asp
https://www.natwestfastpay.com/service/default.jsp?
https://www.nwolb.com/secure/default.asp
https://www.nwolb.com/secure/logon.asp
https://www.rbsdigital.com/secure/default.asp?refererident=Logon.asp
https://www.scotiaonline.scotiabank.com/online/start.jsp?language=
https://www1.net.hsbc.com/code/public/en_US/login/poplogin.jhtml

Any information stolen by the Trojan is posted to a remote website.

The Trojan ensures that it will be run each time a user logs on by adding the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UserHandler
<Windows system folder>\userhandler.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows folder>\winuser.exe
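One way to check a machine for the two persistence entries listed above is to scan an exported registry file. The following is an added example, not Sophos code: it parses the string values of a .reg export and reports the UserHandler and run entries whose data ends in the Trojan's file names. The sample export is constructed for the demonstration.

```python
import re

# Persistence entries described for Troj/Banker-AJ: (key, value name, expected file name).
# The second location (the "run" value under Windows NT\CurrentVersion\Windows) is the
# legacy win.ini-style run entry and is less commonly watched than the Run key.
BANKER_AJ_PERSISTENCE = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "UserHandler", "userhandler.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", "winuser.exe"),
]

# Constructed sample .reg export containing one benign value and both Trojan entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"UserHandler"="C:\\WINDOWS\\system32\\userhandler.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\winuser.exe"
'''


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="data" string values.

    Returns {key_path_lowercased: {value_name_lowercased: data}}. Registry names are
    case-insensitive, so both levels are lowercased for lookup.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if match and current is not None:
            # .reg files escape each backslash in string data as a double backslash.
            keys[current][match.group(1).lower()] = match.group(2).replace("\\\\", "\\")
    return keys


def find_banker_aj_persistence(reg_text):
    """Return [(key, value name, data)] for entries whose file name matches the Trojan's."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key, value, exe in BANKER_AJ_PERSISTENCE:
        data = keys.get(key.lower(), {}).get(value.lower())
        if data is None:
            continue
        # Compare only the file name, so the Windows folder location does not matter.
        file_name = data.strip('"').lower().rsplit("\\", 1)[-1]
        if file_name == exe:
            hits.append((key, value, data))
    return hits
```

Run it against `reg export` output of the two keys; a clean machine returns an empty list, and the check is a starting point only, since a reinfection could use different file names.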
