MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2004

MA-080.082004: MyCERT Special Alert - PWSteal.Banker.B Trojan

Original Issue Date: 17th August 2004

MyCERT has received information from a foreign counterpart regarding the discovery of a server storing usernames and passwords for Malaysian E-banking accounts and ISP accounts.

The username and password information was gathered from infected machines and uploaded to that server by a Trojan running on them. The Trojan is known as PWSteal.Banker.B, first found on 17th June 2004 (US Pacific Time).

PWSteal.Banker.B is a Trojan horse that attempts to steal financial information from browser windows with banking-related titles.

This Trojan runs on Windows 95, 98, ME, NT, 2000 and XP. Once executed on an infected machine, the Trojan creates the following files in the %System% folder:

%System%\lsd_f3.dll
%System%\iesprt.sys or %System%\timestamp.sys

It then adds the following values:

"Dllname" = "lsd_f3.dll"
"EntryPoint" = "LSD_F3"
"StackSize" = "0"

to the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService

and the following values:

"Dllname" = "lsd_f3.dll"
"Startup" = "LSD_F3"
"Impersonate" = "1"
"Asynchronous" = "1"
"MaxWait" = "1"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\f3dsl

It also adds the value:

"Impersonate" = ""

The lsd_f3.dll file created in %System% scans the title bars of all open Web browser windows for banking or money references.

The Trojan watches window title bars for the following strings:

  • 2checkout
  • account
  • auction
  • casino
  • currency
  • e-bullion
  • e-gold
  • enter
  • exchange
  • ezcmoney
  • finance
  • forex
  • GoldMoney
  • INTGold
  • login
  • merchant
  • money
  • NetPay
  • payment
  • paypal
  • secure
  • sportbook
  • start
  • StormPay
  • Transfer
  • westpac

If it finds a match, it captures all the information from these windows, such as the details entered into documents or Web forms, and uploads it to a remote Web site. It is also capable of downloading an update of itself.


Detection

Anti-virus software with up-to-date signatures is able to detect the Trojan. Users may also scan their machines using the free Panda ActiveScan:

Panda Active Scan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm


Removal

An infected machine must be cleaned up manually. The steps are:

  1. Delete all files created by the Trojan
  2. Delete the values added to the registry
  3. Restart your machine in Safe Mode and delete the files
  4. Restart your machine
  5. Re-scan with an updated version of anti-virus software to verify that the machine is clean
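As an added example, not part of the MyCERT advisory or of any vendor's tool, the following Python script checks the file and registry indicators listed above against an offline registry export in the .reg text format (what the `reg export` command writes, decoded to a string) and a listing of the %System% folder, and reports every indicator that is still present. It is meant to be run before the removal steps, to see what has to be deleted, and again afterwards, to confirm nothing remains. The sample export and file list embedded below are constructed; the function and variable names are this example's own.

```python
# Offline IoC check for the PWSteal.Banker.B indicators in this advisory (added example).
import ntpath
import re

# File names the advisory says the Trojan drops into %System%.
TROJAN_FILES = {"lsd_f3.dll", "iesprt.sys", "timestamp.sys"}

# Registry values the advisory lists, keyed by the registry key they live in.
# The advisory prints the Winlogon key without the space in "Windows NT";
# _norm() below ignores spacing and case so either spelling is matched.
TROJAN_REG_VALUES = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService": {
        "Dllname": "lsd_f3.dll", "EntryPoint": "LSD_F3", "StackSize": "0",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\f3dsl": {
        "Dllname": "lsd_f3.dll", "Startup": "LSD_F3", "Impersonate": "1",
        "Asynchronous": "1", "MaxWait": "1",
    },
}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # [HKEY_...] or [-HKEY_...] (key deletion)
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')   # "Name"=data


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value_text}}.

    REG_SZ data is unquoted and unescaped; dword: data becomes a decimal
    string so it compares with the advisory's "0"; other types stay raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def _norm(key_path):
    """Registry paths are case-insensitive; spacing is ignored too (see above)."""
    return key_path.lower().replace(" ", "")


def find_registry_indicators(reg_text):
    """Return [(key, value_name, data)] for each advisory value found in the export."""
    present = {_norm(k): v for k, v in parse_reg_export(reg_text).items()}
    found = []
    for key, wanted in TROJAN_REG_VALUES.items():
        values = present.get(_norm(key), {})
        for name, expected in wanted.items():
            actual = values.get(name)
            if actual is not None and actual.lower() == expected.lower():
                found.append((key, name, actual))
    return found


def find_trojan_files(system_dir_listing):
    """Return the listed paths whose file name matches a dropped file."""
    return sorted(p for p in system_dir_listing
                  if ntpath.basename(p).lower() in TROJAN_FILES)


def triage(reg_text, system_dir_listing):
    """Combine both checks; 'infected' stays True while any indicator remains."""
    files = find_trojan_files(system_dir_listing)
    registry = find_registry_indicators(reg_text)
    return {"files": files, "registry": registry, "infected": bool(files or registry)}


# Constructed sample input: what an infected machine's export and listing might look like.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\TestService]
"Dllname"="lsd_f3.dll"
"EntryPoint"="LSD_F3"
"StackSize"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]
"Dllname"="lsd_f3.dll"
"Startup"="LSD_F3"
"Impersonate"="1"
"Asynchronous"="1"
"MaxWait"="1"
'''
SAMPLE_SYSTEM_DIR = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\lsd_f3.dll",
    r"C:\WINDOWS\system32\iesprt.sys",
]

if __name__ == "__main__":
    result = triage(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_DIR)
    for path in result["files"]:
        print("file present:", path)
    for key, name, data in result["registry"]:
        print(f'registry value present: {key} "{name}" = "{data}"')
    print("infected:", result["infected"])
```

A real `reg export` file is UTF-16 with a byte-order mark, so read it with that encoding before passing the text in. The check deliberately compares value data as well as names: a key such as Winlogon\Notify legitimately holds other notification packages, and only the combination listed in the advisory points at this Trojan.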

Prevention

  1. Download and install anti-virus software on your PCs and keep it updated regularly with the latest signature files.

  2. If you are using Internet Explorer, make sure you patch it accordingly.

  3. Please be careful when using Kazaa, chat programs and other P2P applications, as malicious code, i.e. Trojan horses, can be transmitted through these programs and applications.

  4. Be more careful when handling files and attachments received over the Internet or by email. If you need to open or execute them, make sure you scan them first with an updated version of anti-virus software or with a Trojan scanner.


References:

  1. Symantec
    http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html

  2. Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BANKER.D


MyCERT can be reached for assistance at:

Email:
Tel: 03-89961901
Fax: 03-89960827
SMS: 019-2813801