Trojans and password managers


programmernovice

I recently discovered something called w7zip.exe on my drive, which
apparently steals information as it is input and then sends it to
remote sites. My question is, is one better off having a password
manager which puts in the login information automatically, or (from
the standpoint of safety) is it better to enter it manually every time
from the keyboard? I use Roboform, which presumably encrypts password
information. All help appreciated.
 

PA Bear

You've got yourself a Troj/Bancban-PX infection (probably from opening an
attachment to a Spam email).

It's entirely possible that all of your passwords, including those used for
online banking, etc., have been compromised, no matter what PWD manager
you're using! I'd change them all ASAP...after getting the machine
cleaned-up.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 

David H. Lipman

From: <[email protected]>

| I recently discovered something called w7zip.exe on my drive, which
| apparently steals information as it is input and then sends it to
| remote sites. My question is, is one better off having a password
| manager which puts in the login information automatically, or (from
| the standpoint of safety) is it better to enter it manually every time
| from the keyboard? I use Roboform, which presumably encrypts password
| information. All help appreciated.

Nope.

The password stealing Trojan (you'll see PSW in the name of the Trojan, such as
Trojan-PSW.Win32.Maran.eu, if it is a password stealer) can work at a level lower or prior to
encryption since it runs on the infected PC. Therefore these tools are placebos. The best
action is to practice Safe Hex and use anti-virus software and NOT get infected. If you
want to "play" on the Internet, play on a sacrificial PC where you don't store, process or
access vital/crucial information.
 

David H. Lipman

From: "PA Bear" <[email protected]>

| You've got yourself a Troj/Bancban-PX infection (probably from opening an
| attachment to a Spam email).
|

< snip >

Right away I can tell that was a Sophos name.
http://www.sophos.com/security/analyses/trojbancbanpx.html

This is in the family "Banker" and is a password stealer looking for access to bank accounts
where once the password and accounts are obtained, the miscreant makes large withdrawals.

Basically, if the OP is indeed infected with this Trojan then his bank accounts are "At
Risk" and ALL account passwords must be immediately changed and accounts monitored by the OP
and the Bank(s).
 

Gary S. Terhune

Note that changing the passwords using the infected machine will not help.
You need to CALL the bank(s) and CC companies and have them temporarily halt
transactions and/or change the passwords. Second best is to use someone
else's machine to change passwords. And pray that it, too, is not infected.
 

David H. Lipman

From: "Gary S. Terhune" <none>

< snip >

| Second best is to use someone else's machine to change passwords. And pray that it, too,
| is not infected.

:)
 

Guest

Be quick - go to your internet banking site and enter the wrong password 3 times.
This causes your password to be deleted = locked down. Then you have to set it
up with your bank again. Listen and take note of the above responses - I have.
Good luck - from a past trojan sufferer.
 

programmernovice

| Be quick - go to your internet banking site and enter the wrong password 3 times.
| This causes your password to be deleted = locked down. Then you have to set it
| up with your bank again. Listen and take note of the above responses - I have.
| Good luck - from a past trojan sufferer.

"David H. Lipman" wrote:
Thanks to you and everyone else who replied. This stuff is really
scary. I have cleaned up my drive & changed my banking password. So
far, fortunately, nothing has happened. It appears that the trojan
was placed on my drive around 5/15 and I reset my password 5/26, and
I'm curious why so far nothing has happened. How long after infection
do these crooks usually act?
 

Gary S. Terhune

Seeing as this gang of trojans is currently infecting machines worldwide, my
guess is that your data went onto a pile and they simply haven't gotten to it
yet.

Note that if you do any online purchasing your credit card info and other
sensitive data may still be at risk. Treat this event as a total identity
theft and ask the ID theft experts what you should do about that.
Personally, I'd get replacement credit cards if they were put at risk.
 

programmernovice

| Seeing as this gang of trojans is currently infecting machines worldwide, my
| guess is that your data went onto a pile and they simply haven't gotten to it
| yet.
|
| Note that if you do any online purchasing your credit card info and other
| sensitive data may still be at risk. Treat this event as a total identity
| theft and ask the ID theft experts what you should do about that.
| Personally, I'd get replacement credit cards if they were put at risk.

Many thanks Gary. I believe I will. How is the information usually
transferred to the crooks computers, would a record of the transfer be
somewhere on my machine? Thanks again for your valuable help.
 

Bob I

| Many thanks Gary. I believe I will. How is the information usually
| transferred to the crooks computers, would a record of the transfer be
| somewhere on my machine? Thanks again for your valuable help.

It's a "pass through", from earlier in this thread.

And they're getting smarter, from
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-052710-0541-99&tabid=2
<quote>
The Trojan then monitors for access to the targeted banking Web site
login screens. When an access attempt is made, it injects its own HTML
snippet into the HTML returned by the bank Web server. The HTML snippet
injected causes the browser to display additional fields in the login
form for the user to enter in details such as the PIN, Social Security
Number, date of birth and so on.

When the user enters this information into the form and submits it, the
Trojan will take a copy of the data and then pass on the request to the
bank Web server. As a result the interception made by the Trojan is
transparent and seamless to the unsuspecting user.
</quote>
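The Symantec description quoted above says the Trojan adds extra fields (PIN, Social Security Number, date of birth) to the bank's own login form on the infected machine, then copies what the user types before passing the request on. The following is an added example, not code from this thread, from Symantec, or from any bank: it audits a served login page against the set of fields the genuine form is known to contain and flags anything extra, with a second heuristic for field names that look like identity or card data. The expected-field list (`EXPECTED_LOGIN_FIELDS`), the name patterns in `SENSITIVE_NAME_RE`, the function names and both HTML samples are constructed assumptions for the demonstration.

```javascript
// Added example, not code from this thread or from any vendor cited in it.
// A bank's login page has a known, fixed set of form fields. The injection
// behaviour quoted above adds fields (PIN, SSN, date of birth, ...) to that
// form on the infected machine. One defensive check is to compare the fields
// actually present in the page with the expected set and flag the extras.

// Assumption: these are the only inputs the genuine login form contains.
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password"]);

// Assumption: field names a login form should never ask for at sign-in time.
const SENSITIVE_NAME_RE = /(ssn|social|pin|dob|birth|mother|cvv|card)/i;

// Minimal <input> name extractor for the constructed samples below. In a
// browser the same check would walk the live DOM instead
// (document.querySelectorAll("form input")).
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  let tag;
  while ((tag = inputRe.exec(html)) !== null) {
    const m = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(tag[0]);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

// Returns the field names that are not part of the expected form, plus a
// flag saying whether any of them look like identity or card data.
function auditLoginForm(html, expected = EXPECTED_LOGIN_FIELDS) {
  const injected = extractInputNames(html).filter((n) => !expected.has(n));
  const asksForSensitiveData = injected.some((n) => SENSITIVE_NAME_RE.test(n));
  return { injected, asksForSensitiveData };
}

// Constructed sample: the login form as the bank serves it.
const CLEAN_LOGIN_HTML = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>`;

// Constructed sample: the same form after an injected snippet added fields
// for the PIN, Social Security Number and date of birth.
const TAMPERED_LOGIN_HTML = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="pin">
  <input type="text" name="ssn">
  <input type="text" name="dob">
  <button type="submit">Sign in</button>
</form>`;

// Runs the audit over both samples and returns the two results.
function runDemo() {
  const clean = auditLoginForm(CLEAN_LOGIN_HTML);
  const tampered = auditLoginForm(TAMPERED_LOGIN_HTML);
  console.log("clean form:", clean);       // injected: [], asksForSensitiveData: false
  console.log("tampered form:", tampered); // injected: ["pin","ssn","dob"], asksForSensitiveData: true
  return { clean, tampered };
}

runDemo();
```

The caveat that matters for the original question: a check like this only proves something if it runs somewhere the Trojan does not control. Run inside the browser of the infected PC it can be tampered with just like the page was, which is the same reason a password manager's encryption does not help once the machine itself is compromised. Where it is useful is on a clean host that fetches the page independently and compares it with what a user reports seeing, or as a server-side sanity check that rejects a login submission carrying fields the bank never asked for.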
 

Gary S. Terhune

I should revise my statement: The virus you have apparently specifically
targets banking sites. Whether this includes online management sites of
credit cards (something I also use) is open to question. My concern is that
if you have/had this virus, what else may have gotten in that would gather
intelligence from your activities at other sites like online shopping sites,
credit card management sites, auto-paying of bills, etc.
 

David H. Lipman

From: "Gary S. Terhune" <none>

| I should revise my statement: The virus you have apparently specifically
| targets banking sites. Whether this includes online management sites of
| credit cards (something I also use) is open to question. My concern is that
| if you have/had this virus, what else may have gotten in that would gather
| intelligence from your activities at other sites like online shopping sites,
| credit card management sites, auto-paying of bills, etc.
|

Revise it again. It is a Trojan... *NOT a virus*.
 

David H. Lipman

From: "Gary S. Terhune" <none>

| Not sure I accept that there's much difference, <s>.
|

You will have to.
By definition, since this malware does NOT self replicate, it is a Trojan and not a virus.

Call the Trojan; malware, infector or parasite but don't call it a "virus".

Just like you can't call Escherichia Coli (aka E. Coli) a virus, you can't call
Troj/Bancban-PX (aka Win32/Spy.Banker.NYJ, Trojan-Spy.Win32.Banker.tw, PWS-Banker.gen.h,
W32/Banker.AFWA) a virus.
 

Gary S. Terhune

I know that. The smiley was to indicate that I accept that there's that
slight difference in the two.

Hey, does your insistence on the difference mean that all those anti-*virus*
programs that detect and block/remove trojans are perpetrating a fraud, <s>?
 

David H. Lipman

From: "Gary S. Terhune" <none>

| I know that. The smiley was to indicate that I accept that there's that
| slight difference in the two.
|
| Hey, does your insistence on the difference mean that all those anti-*virus*
| programs that detect and block/remove trojans are perpetrating a fraud, <s>?
|

I'll admit that is confusing.

What is the border of anti virus software and anti spyware software?
What's the cut-off?
Where's the overlap?
This is confusing to many, both in the field and those that merely use a computer.

I read numerous posts where a statement like "the zlob trojan virus..." is made. This shows
confusion on the part of the poster. Then there is the actual anti virus software itself.
Say you test a given application using the EICAR Test File. I'll bet you the software will
log something like the "eicar test virus" or "virus: eicar test". What's the user to think?
Many applications will call the EICAR a virus. Yet you and I both know this 69~70 byte
file doesn't have a payload nor in any way, shape or form self replicate.

This is the reason I like to explore this subject matter and try to push the exactness.
Through some discussion and diatribe we might be able to shed some light, in the thread, for
the readers.

It is getting to the point where everybody just calls *any* malware a virus.

BTW: I have to admit <s> was not interpreted as a smiley -- sorry.
 

Gary S. Terhune

Well, to further the discussion, is it not also true that trojans and
viruses have different goals? One to steal data and the other to wreck the
systems it infects? And whereas a virus can install a trojan, the obverse is
not true? Or are those lines also blurred?
 

Gary S. Terhune

PS -- Don't worry about the smiley thing. Fact is, I was jerking your chain,
<g>.
 