Sophos

Troj/Hostbank-A

Aliases
  • Trojan.Win32.Qhost.ba
  • QHost-26
  • trojan

Summary

 
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: April 2005 (3.92)
Protection available since: 14 February 2005 13:00:00 (GMT)
Detected by: All Sophos products

More Information

Troj/Hostbank-A is a Trojan that modifies the HOSTS file so as to redirect access to certain banking and eBay-related websites.

Troj/Hostbank-A copies itself to the system32\config subfolder of the Windows folder with the filename MSMSGS.EXE and sets the following entry in the registry so as to run itself on system startup, resetting it every 3 seconds:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduler

Troj/Hostbank-A attempts to delete either the file HOSTS in the drivers\etc subfolder of the Windows system folder or the file HOSTS.SAM in the Windows folder.

Troj/Hostbank-A then attempts to write the following lines to the same file in order to redirect web access to the sites:

127.0.0.1 localhost
209.151.89.50 signin.ebay.com
209.151.89.50 signin.ebay.co.uk
209.151.89.50 signin.ebay.fr
209.151.89.50 signin.ebay.de
209.151.89.50 signin.ebay.be
209.151.89.50 signin.ebay.it
209.151.89.50 signin.ebay.ca
209.151.89.50 signin.ebay.nl
209.151.89.50 signin.ebay.com.cn
66.40.25.170 meine.deutsche-bank.de
66.40.25.168 internetbanking.suntrust.com
66.40.25.169 banking.postbank.de
66.40.25.171 ww2.homebanking-berlin.de

Troj/Hostbank-A monitors access to the sites and may delete lines from the HOSTS file when they are accessed.
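
The HOSTS changes described above can be checked for with a short audit. The following is an added example, not part of the original Sophos write-up: it parses HOSTS-format text and reports every hostname pinned to an address that is neither loopback nor unspecified, grouped by target address. The sample input reuses a few lines quoted above plus constructed benign lines; the function names are hypothetical, and a legitimate intranet mapping would also be reported, so the output is a list to review.

```python
import ipaddress
from collections import defaultdict

# A few lines quoted from the write-up above, plus constructed benign lines
# (a comment and a 0.0.0.0 sinkhole entry) to show what is not reported.
SAMPLE_HOSTS = """\
# constructed comment line
127.0.0.1 localhost
0.0.0.0 ads.example.test   # constructed sinkhole entry
209.151.89.50 signin.ebay.com
209.151.89.50 signin.ebay.co.uk
66.40.25.170 meine.deutsche-bank.de
66.40.25.168 internetbanking.suntrust.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in HOSTS-format text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue                           # blank, comment-only or address-only
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address: skip
        for name in fields[1:]:                # one line may carry several names
            yield ip, name.lower().rstrip(".")


def suspicious_mappings(text):
    """Return {ip: [hostnames]} for names pinned to a non-local address.

    Assumption: loopback and unspecified (0.0.0.0 / ::) targets are treated
    as the ordinary uses of HOSTS, so only other targets are reported.
    """
    hits = defaultdict(list)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits[str(ip)].append(name)
    return dict(hits)


if __name__ == "__main__":
    for ip, names in suspicious_mappings(SAMPLE_HOSTS).items():
        print(f"{ip}: {', '.join(names)}")
```

Several sign-in or banking hostnames resolving to one unrelated address, as in the entries listed above, is the pattern to look for in the output.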
