Full description

Virus:	TR/PSW.Steal.46592
Date discovered:	03/11/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	94.208 Bytes
MD5 checksum:	50dd1445ede1d7aa737a7943a6440811
VDF version:	6.36.00.207
IVDF version:	6.36.00.231 - Friday, November 3, 2006

General Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Trojan-Spy.Win32.Banker.cew
   • F-Secure: Trojan-Spy.Win32.Banker.cew
   • Sophos: Troj/Nethell-G

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a file
   • Drops a malicious file
   • Records keystrokes
   • Registry modification
   • Steals information

Files It deletes the initially executed copy of itself.

The following files are created:

– %SYSDIR%\nethelper.xml
– %SYSDIR%\commandhelper.xml
– %SYSDIR%\conf.dat
– %SYSDIR%\nethelper.dll Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Steal.46592

– %SYSDIR%\accs.txt This file contains collected keystrokes.
– %SYSDIR%\fulllog.txt This file contains collected keystrokes.
– %SYSDIR%\log.txt This file contains collected keystrokes.

Registry It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{1593C741-C011-46FE-99FC-3805C28328BA}]

The following registry keys are added:

– [HKCR\NetHelper.Hook]
   • @="Hook Class"

– [HKCR\NetHelper.Hook\CLSID]
   • @="{1593C741-C011-46FE-99FC-3805C28328BA}"

– [HKCR\NetHelper.Hook\CurVer]
   • @="NetHelper.Hook.1"

– [HKCR\NetHelper.Hook.1]
   • @="Hook Class"

– [HKCR\NetHelper.Hook.1\CLSID]
   • @="{1593C741-C011-46FE-99FC-3805C28328BA}"

– [HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}]
   • @="Hook Class"

– [HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\InprocServer32]
   • @="%SYSDIR%\nethelper.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\ProgID]
   • @="NetHelper.Hook.1"

– [HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\Programmable]
– [HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\TypeLib]
   • @="{0324D9F1-2199-4424-98C7-A0E8CC45743B}"

– [HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\
   VersionIndependentProgID]
   • @="NetHelper.Hook"

– [HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}]
– [HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0]
   • @="NetHelper 1.0 Type Library"

– [HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\0]
– [HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\0\win32]
   • @="%SYSDIR%\nethelper.dll"

– [HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\FLAGS]
   • @="0"

– [HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\HELPDIR]
   • @="%SYSDIR%\"

– [HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}]
   • @="IHook"

– [HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\
   ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\
   ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\TypeLib]
   • @="{0324D9F1-2199-4424-98C7-A0E8CC45743B}"
   • "Version"="1.0"

Backdoor Contact server:
All of the following:
   • http://noviid.com/**********
   • http://noviid.com/**********
   • http://noviid.com/**********
   • http://noviid.com/**********
   • http://noviid.com/**********
   • http://noviid.com/**********

As a result it may send some information. This is done via the HTTP GET request on a PHP script.

Sends information about:
    • Collected information described in stealing section

Stealing It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started after one of the following websites are visited:
   • https://www3.netbank.commbank.com.au/netbank/bankmain
   • ib.national.com.au/nabib/loginProcess.ctl
   • www.national.au

– It captures:
    • Login information

File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Adriana Popa on Monday, November 6, 2006
Description updated by Adriana Popa on Tuesday, November 7, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools