PWSteal.Bankash.A
PWSteal.Bankash.A is a password-stealing Trojan horse that attempts to steal usernames and passwords for certain financial web sites. The Trojan also attempts to disable Microsoft's AntiSpyware software.

Note: Virus definitions released prior to February 10, 2005 may detect this threat as PWSteal.Trojan.

Also Known As: Trojan-Downloader.Win32.Small.ain [Kaspersky Lab], PWS-Banker.j [McAfee], Troj/BankAsh-A [Sophos]
Type: Trojan Horse
Infection Length: 171,008 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Virus Definitions (Intelligent Updater) *: February 10, 2005
Virus Definitions (LiveUpdate) **: February 16, 2005
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

Wild
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Threat Metrics
Wild: Low
Damage: Medium
Distribution: Low

Damage
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: Deletes files.
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: Ends processes.
Releases confidential information: Steals usernames and passwords for several financial web sites.
Compromises security settings: Disables Microsoft's AntiSpyware software.

Distribution
Subject of e-mail: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a

Technical Details

Once PWSteal.Bankash.A is executed, it performs the following actions:

Drops the file %System%\ASH.DLL.
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{C6176B04-8896-4446-9939-E00EE94C420F}
HKEY_CLASSES_ROOT\AntiSpy.AntiSpy
HKEY_CLASSES_ROOT\AntiSpy.AntiSpy.1

Adds the value:
"(Default)" = "IIEHlprObj"
to the registry subkey:
HKEY_CLASSES_ROOT\Interface\{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}
to register its DLL file.

Adds the value:
"(Default)" = "ASH 0.96 Type Library"
to the registry subkey:
HKEY_CLASSES_ROOT\TypeLib\{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}\1.0
to register its DLL file.

Creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6176B04-8896-4446-9939-E00EE94C420F}
so that the DLL file is loaded automatically by Windows Explorer and Internet Explorer as a Browser Helper Object.

Modifies the value:
"Start Page" = "about:blank"
in the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
so that Internet Explorer opens to the "about:blank" page.

Displays fake web pages and attempts to steal user names and passwords when Internet Explorer accesses the following financial web sites:
ibank.barclays.co.uk
ibank.cahoot.com
www.halifax-online.co.uk
www.ebank.hsbc.co.uk
www.ebank.hsbc.com.hk
online.lloydstsb.co.uk
olb2.nationet.com
www.nwolb.com
welcome9.smile.co.uk
sec.westpactrust.co.nz
olb.westpactrust.com.au
www.rbsdigital.com
myonlineaccounts2.abbeynational.co.uk
web.da-us.citibank.com
www.bpinet.pt
www.activobank7.pt
www.national.com.au
www.iblogin.com

Periodically uploads the captured usernames and passwords to a predetermined FTP server.
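The indicators in this writeup (the dropped DLL and capture logs, the COM and Browser Helper Object registry keys, the forced "about:blank" start page, the missing Microsoft AntiSpyware autostart entry and the altered Hosts file) can be checked in one pass. The following PowerShell triage script is an added example and is not part of the Symantec writeup; it only reads and reports, changing nothing. It assumes the NT-family %SystemRoot% layout (System32, drivers\etc), and the list of vendor names it uses to pick out suspicious Hosts lines ($IocHostsPattern) is an assumption, since the writeup does not say which web sites the Trojan blocks.

```powershell
# Added triage script (not from the Symantec writeup). Run from an elevated
# PowerShell prompt on the suspect host. Read-only: it reports indicators only.

$Clsid    = '{C6176B04-8896-4446-9939-E00EE94C420F}'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped component and the three capture logs named in Technical Details.
#    Paths assume the NT-family layout (%SystemRoot%\System32).
$Files = @(
    (Join-Path $env:SystemRoot 'System32\ASH.DLL'),
    (Join-Path $env:SystemRoot 'System32\IEHELPER.DLL'),
    (Join-Path $env:SystemRoot 'email.log'),
    (Join-Path $env:SystemRoot 'pass.log'),
    (Join-Path $env:SystemRoot 'req.log')
)
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $i = Get-Item -LiteralPath $f
        $Findings.Add("file present: $f size=$($i.Length) modified=$($i.LastWriteTime)")
    }
}

# 2. COM registration and the BHO hook. HKCR has no default PSDrive, so address
#    it through the Registry:: provider prefix.
$RegKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    'Registry::HKEY_CLASSES_ROOT\AntiSpy.AntiSpy',
    'Registry::HKEY_CLASSES_ROOT\AntiSpy.AntiSpy.1',
    'Registry::HKEY_CLASSES_ROOT\Interface\{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}\1.0',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
foreach ($k in $RegKeys) {
    if (Test-Path -LiteralPath $k) { $Findings.Add("registry key present: $k") }
}

# 3. Internet Explorer start page forced to about:blank in either hive.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $main = "$hive\Software\Microsoft\Internet Explorer\Main"
    $sp = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp -eq 'about:blank') { $Findings.Add("start page is about:blank in $main") }
}

# 4. Microsoft AntiSpyware installed, but its gcasServ Run entry is gone
#    (the Trojan deletes that entry to keep the product from starting).
$Run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Asw = Join-Path $env:ProgramFiles 'Microsoft AntiSpyware'
$RunEntry = Get-ItemProperty -Path $Run -Name 'gcasServ' -ErrorAction SilentlyContinue
if ((Test-Path -LiteralPath $Asw) -and -not $RunEntry) {
    $Findings.Add('Microsoft AntiSpyware folder exists but the gcasServ Run entry is missing')
}

# 5. Hosts file lines that pin security-vendor names to an address.
#    ASSUMPTION: the writeup does not list the blocked sites, so flag vendor
#    names for a human to review rather than trusting a fixed list.
$Hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$IocHostsPattern = 'symantec|liveupdate|microsoft|mcafee|sophos|kaspersky'
if (Test-Path -LiteralPath $Hosts) {
    foreach ($raw in Get-Content -LiteralPath $Hosts) {
        $line = ($raw -split '#')[0].Trim()      # drop comments before matching
        if ($line -and $line -match $IocHostsPattern) {
            $Findings.Add("hosts entry: $line")
        }
    }
}

if ($Findings.Count -eq 0) { 'No PWSteal.Bankash.A indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A hit on the BHO subkey or on ASH.DLL is the strongest signal; a lone "about:blank" start page is weak on its own, since users and other software set that value too.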
Logs confidential information such as e-mail details, passwords, HTTP requests posted to financial web sites, and Microsoft Outlook Express account settings. This confidential information is saved in the following files and sent to a remote attacker via FTP:
%Windir%\email.log
%Windir%\pass.log
%Windir%\req.log

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Deletes the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ
in order to disable the Microsoft AntiSpyware application.

Ends the following processes, which are part of the Microsoft AntiSpyware application:
GCASCLEANER
GCASDTSERV
GCASINSTALLHELPER
GCASNOTICE
GCASSERV
GCASSERVALERT
GCASSWUPDATER
GCIPTOHOSTQUEUE
GIANTANTISPYWAREMAIN
GIANTANTISPYWAREUPDATER

Deletes all the files in the C:\Program Files\Microsoft AntiSpyware folder.

Prevents users from viewing warning messages from the Microsoft AntiSpyware application.

Modifies the Hosts file to prevent access to several web sites.

Downloads and installs updates for the threat.

Attempts to unregister and then delete the %System%\IEHELPER.DLL file.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your e-mail server to block or remove e-mail that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised web site can cause infection if certain browser vulnerabilities are not patched.

Removal

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as PWSteal.Bankash.A.
4. Delete the values that were added to the registry.
5. Reset the Internet Explorer start page.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore.
Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected file from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. To update the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak.
To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate) date above.

Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater) date above. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

Note: If you see an error, such as LU1418, when you try to run LiveUpdate, and you cannot get to the web site hosting the Intelligent Updater, it is likely that the threat has modified the Hosts file. You can either download and install LiveUpdate 2.5, which can remove Symantec entries from that file, or you can edit it yourself. See the instructions for both in the "Additional Information" section below.

3. To scan for and delete the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with PWSteal.Bankash.A, click Delete.

Note: If your Symantec antivirus product reports that it cannot delete an infected file, Windows may be using the file. To fix this, run the scan in Safe mode. For instructions, read the document, "How to start the computer in Safe mode."
Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with section 4.

4. To delete the values from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start > Run.
Type regedit
Then click OK.
Navigate to the subkey:
HKEY_CLASSES_ROOT\Interface\{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}
In the right pane, delete the value:
"(Default)" = "IIEHlprObj"
Navigate to the subkey:
HKEY_CLASSES_ROOT\TypeLib\{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}\1.0
In the right pane, delete the value:
"(Default)" = "ASH 0.96 Type Library"
Navigate to and delete the following subkeys:
HKEY_CLASSES_ROOT\CLSID\{C6176B04-8896-4446-9939-E00EE94C420F}
HKEY_CLASSES_ROOT\AntiSpy.AntiSpy
HKEY_CLASSES_ROOT\AntiSpy.AntiSpy.1
Exit the Registry Editor.

5. To reset the Internet Explorer start page

Start Microsoft Internet Explorer.
Connect to the Internet, and then go to the page that you want to set as your start page.
Click Tools > Internet Options.
In the Home page section of the General tab, click Use Current > OK.

Additional Information: Removing entries from the Hosts file

If this threat has modified the Windows Hosts file, there are two ways to remove these entries:
Install and run the current version of LiveUpdate. This will remove only the entries that refer to Symantec domains.
Manually edit the Hosts file and remove all the entries that the threat added.

To run the current version of LiveUpdate
Download LiveUpdate.
Note: If you are not reading this web page on the computer that is getting the error notice, the address for downloading the file is:
ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe
If necessary, you can type this address into the address bar of the problem computer. Changes to the Hosts file will not stop you from getting to this site.
Save the file to the Windows desktop.
Double-click the lusetup.exe icon on the desktop to install LiveUpdate.
Run LiveUpdate.
Did you see the message "LU1860: LiveUpdate has detected a potential security compromise on your computer"? If you did, allow LiveUpdate to "Remove these entries from the hosts files" (Recommended). This should allow LiveUpdate to run. If you did not, that was not the cause of the problem. Return to the Removal section.

To manually edit the Hosts file and remove all the entries that the threat added

Note: The location of the Hosts file may vary, and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; in Windows 2000 it is located in the C:\WINNT\system32\drivers\etc folder. There may also be multiple copies of this file in different locations.

Follow the instructions for your operating system:

Windows 95/98/Me/NT/2000
Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type: hosts
Click Find Now or Search Now.
For each Hosts file that you find, right-click the file, and then click Open With.
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete all entries added by the threat.
Close Notepad and save your changes when prompted.

Windows XP
Click Start > Search.
Click All files and folders.
In the "All or part of the file name" box, type: hosts
Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click More advanced options.
Check Search system folders.
Check Search subfolders.
Click Search.
For each Hosts file that you find, right-click the file, and then click Open With.
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete all entries added by the threat.
Close Notepad and save your changes when prompted.
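Steps 4 and 5 of the Removal section and the manual Hosts-file cleanup above can be scripted for a fleet instead of clicked through in regedit and Notepad. The following PowerShell script is an added example, not Symantec's own removal tool: it exports each registry key to a .reg file before touching it, deletes only the (Default) values of the Interface and TypeLib keys as the writeup instructs, removes the CLSID and ProgID keys, and additionally removes the Browser Helper Objects subkey named in Technical Details, which the manual registry steps do not list. Run it elevated after the antivirus scan (step 3) has deleted the detected files, otherwise Explorer may still hold the DLL. $BackupDir, $HomePage, the NT-family Hosts path and the vendor-name pattern used to choose which Hosts lines to drop are all assumptions; on Windows 9x the Hosts file lives elsewhere, as the note above says.

```powershell
# Added removal script (not from the Symantec writeup). Run elevated, after step 3.
$ErrorActionPreference = 'Stop'

$Clsid     = '{C6176B04-8896-4446-9939-E00EE94C420F}'
$BackupDir = Join-Path $env:SystemRoot 'Temp\bankash-backup'   # assumption
$HomePage  = 'https://intranet.example/'                         # assumption: your org's start page
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 4: back up with reg.exe export (restorable by double-click), then delete.
# DeleteKey=$false means "clear only the (Default) value", as the writeup says
# for the Interface and TypeLib keys; the others are removed outright.
$Keys = @(
    @{ Path = 'HKEY_CLASSES_ROOT\Interface\{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}';   DeleteKey = $false },
    @{ Path = 'HKEY_CLASSES_ROOT\TypeLib\{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}\1.0'; DeleteKey = $false },
    @{ Path = "HKEY_CLASSES_ROOT\CLSID\$Clsid";                                       DeleteKey = $true  },
    @{ Path = 'HKEY_CLASSES_ROOT\AntiSpy.AntiSpy';                                    DeleteKey = $true  },
    @{ Path = 'HKEY_CLASSES_ROOT\AntiSpy.AntiSpy.1';                                  DeleteKey = $true  },
    # BHO hook from Technical Details; not in the manual steps, but it is what loads the DLL.
    @{ Path = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"; DeleteKey = $true }
)
$n = 0
foreach ($k in $Keys) {
    $ps = "Registry::$($k.Path)"              # HKCR has no PSDrive; Registry:: works for all hives
    if (-not (Test-Path -LiteralPath $ps)) { continue }
    $n++
    & reg.exe export $k.Path (Join-Path $BackupDir "key$n.reg") /y | Out-Null
    if ($k.DeleteKey) {
        & reg.exe delete $k.Path /f | Out-Null          # key and subkeys
    } else {
        & reg.exe delete $k.Path /ve /f | Out-Null      # (Default) value only
    }
    "registry: cleaned $($k.Path)"
}

# Step 5: put the start page back wherever the Trojan forced about:blank.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $main = "$hive\Software\Microsoft\Internet Explorer\Main"
    $sp = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp -eq 'about:blank') {
        Set-ItemProperty -Path $main -Name 'Start Page' -Value $HomePage
        "start page: reset in $main"
    }
}

# Hosts file: keep a copy, clear the read-only bit malware often sets, then drop
# every non-comment line that names a security vendor (ASSUMPTION: the writeup
# does not list the blocked sites; adjust $Pattern after reviewing the backup).
$Hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Pattern = 'symantec|liveupdate|microsoft|mcafee|sophos|kaspersky'
if (Test-Path -LiteralPath $Hosts) {
    Copy-Item -LiteralPath $Hosts -Destination (Join-Path $BackupDir 'hosts.bak') -Force
    Set-ItemProperty -LiteralPath $Hosts -Name IsReadOnly -Value $false
    $lines = @(Get-Content -LiteralPath $Hosts)
    $keep  = @($lines | Where-Object { ($_ -split '#')[0] -notmatch $Pattern })
    $dropped = $lines.Count - $keep.Count
    if ($dropped -gt 0) {
        Set-Content -LiteralPath $Hosts -Value $keep -Encoding Ascii
        "hosts: removed $dropped entries"
    }
}

"Backups are in $BackupDir. Re-enable System Restore once a full scan comes back clean."
```

Because reg.exe export runs before every delete, a mistaken match can be undone by importing the corresponding key$n.reg; the Hosts backup serves the same purpose if $Pattern removes a line an administrator had added on purpose.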