Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 26 October 2004 09:12:51 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/IBank-B is a data-stealing Trojan that captures confidential information and sends it to a remote location.
When selected internet banking and money-related web pages are loaded, Troj/IBank-B attempts to capture text within these pages, including text entered into edit boxes such as usernames, passwords and account information.
Troj/IBank-B typically targets web pages containing text such as:
'abby', 'anz.co', 'ab.lv', 'baltikums', 'bib.lv', 'btb.lv', 'chase.com', 'bank', 'barclays', 'ciphermint', 'e-bullion', 'etrade', 'evocash', 'fethard', 'e gold', 'halifax', 'hipo.lv', 'hsbc', 'if.com', 'lloyds', 'moddus', 'money', 'national.com.au', 'nationet.com', 'natwest', 'neteller', 'nordlb', 'nwolb', 'parex', 'pecunix', 'rietumu', 'rupay', 'suncorp', 'tkb.lv', 'ub.lt', 'westernunion' and 'westpac'.
When first run, Troj/IBank-B copies itself to the Windows system folder as msmscc2.exe and creates the following registry entries to run msmscc2.exe on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
mssoul = %SYSTEM%\msmscc2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
mssoul = %SYSTEM%\msmscc2.exe
Text files named msoulj1.log, msoull1.log, msoulm1.log and msouls1.log are created in the Windows system folder.
Troj/IBank-B also creates a new sub-folder of the system folder named scrkeep\ and the registry entry HKLM\SOFTWARE\Enhancedd\.
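The following Python script is an added example, not Sophos code: it checks artifacts collected from a host for the registry and file indicators listed above. It assumes the registry data is saved `reg query <key> /s` output and the file data is a list of full paths; the function names and the sample inputs are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above (compared case-insensitively).
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE, DROPPED_EXE, SUBFOLDER = "mssoul", "msmscc2.exe", "scrkeep"
LOG_FILES = {"msoulj1.log", "msoull1.log", "msoulm1.log", "msouls1.log"}
MARKER_KEY = "hkey_local_machine\\software\\enhancedd\\"

def scan_reg_export(text):
    """Findings from saved `reg query <key> /s` output (key line, indented values)."""
    findings, key = [], ""
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if not line[0].isspace():  # an unindented line names a registry key
            key = line.strip().rstrip("\\")
            if (key.lower() + "\\").startswith(MARKER_KEY):
                findings.append(("marker-key", key))
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)  # name, type, data
        if len(parts) == 3 and key.lower().endswith(RUN_KEY_SUFFIX):
            name, _, data = parts
            target = PureWindowsPath(data.strip('"')).name.lower()
            if name.lower() == RUN_VALUE or target == DROPPED_EXE:
                findings.append(("run-entry", f"{key}\\{name} = {data}"))
    return findings

def scan_file_listing(paths):
    """Findings from full paths collected from the Windows system folder."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        if p.name.lower() == DROPPED_EXE:
            findings.append(("dropped-exe", str(p)))
        elif p.name.lower() in LOG_FILES:
            findings.append(("log-file", str(p)))
        elif SUBFOLDER in (s.lower() for s in p.parts):
            findings.append(("subfolder", str(p)))
    return findings

# Constructed sample artifacts, not taken from a real host.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    mssoul    REG_SZ    C:\WINDOWS\system32\msmscc2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Enhancedd
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\msoulj1.log", r"C:\WINDOWS\system32\scrkeep",
                r"C:\WINDOWS\system32\notepad.exe"]
if __name__ == "__main__":
    for kind, detail in scan_reg_export(SAMPLE_REG) + scan_file_listing(SAMPLE_FILES):
        print(f"{kind:12} {detail}")
```

The Run-key check matches on either the value name or the executable name, and applies to both the HKLM and HKCU Run keys named above.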
