NEWS Trojan attacks Microsoft anti-spyware

Just wondering

Do you think the anti-spyware is still safe to use, or
should it be disabled or uninstalled? I sure hope someone
would reply because I am not sure what to do. Do you
know "seagal" since you posted the alert?
 
Bill Sanderson

Here's Sophos's description of this critter:

http://www.sophos.com/virusinfo/analyses/trojbankasha.html

You will notice that its incidence is "low."

This virus does not infect Microsoft Antispyware files, it simply attempts
to disable Microsoft Antispyware real-time protection as part of its
operation.

I'd say keep Microsoft Antispyware installed and watch to be sure your
real-time protection (the icon in the system tray) is alive and well.
 
Bill Sanderson

Sophos are the only vendor reporting this as far as I know this morning. If
you have other facts we should all be aware of, please state them.
 
Richard

Seen on Symantec's site.
PWSteal.Bankash.A is a password-stealing Trojan horse that attempts to log
usernames and passwords from certain financial Web sites. The Trojan will
also attempt to disable Microsoft's AntiSpyware software.

Note: Virus definitions released prior to February 10, 2005 may detect this
threat as PWSteal.Trojan.

Also Known As: Trojan-Downloader.Win32.Small.ain [Kaspersky Lab],
PWS-Banker.j [McAfee], Troj/BankAsh-A [Sophos]

Type: Trojan Horse
Infection Length: 171,008 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP

Richard.
 
Bill Sanderson

Thanks!

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bankash.a.html
(symantec)
http://www.viruslist.com/en/viruses/encyclopedia?virusid=73190
(Kaspersky--no information)
http://vil.nai.com/vil/content/v_131329.htm (McAfee - PWS-Banker.j)
http://vil.nai.com/vil/content/v_131716.htm (McAfee - PWS-Banker.j.dll)


--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Phil Agcaoili

We're looking into this further. Unfortunately, my desktop
team may have gotten the employees working without fully
documenting the error messages they ran into.

As I get more info, I'll post it.

Here's what I have currently: we have a pilot going for
several hundred users. About a dozen machines this
morning spiked CPU to 100% and both Giant services were
pegged. They killed the services, uninstalled the Giant
software, ran A/V checks and Spybot against the infected
machines, and then reinstalled Giant.

The machines went back to normal; as far as I've been
informed, they did see a curious DLL error removing Giant
during the uninstall process.

Perhaps I'm being paranoid, but wanted to throw this out
to other beta testers since the Wednesday report that
hackers were targeting the Giant application:
http://news.com.com/2102-7349_3-5569429.html?tag=st.util.print

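Bill's advice earlier in the thread is to watch that real-time protection stays alive, and Phil's symptom is the two product services pegging the CPU. The PowerShell below is an added example, not code from this thread, from Microsoft or from Giant: it checks that each named service exists and is running, then samples the service process's CPU share over a short window and flags anything pegged. The service names are an assumption supplied by the caller; the placeholder names in the usage line must be replaced with the names the product actually registers.

```powershell
# Added example, not from the thread. Health check for anti-spyware real-time
# protection services: present, running, and not pegging the CPU.
function Test-RealtimeProtection {
    param(
        # Assumption: the caller supplies the product's real service names.
        [Parameter(Mandatory)] [string[]] $ServiceName,
        [int] $SampleSeconds = 5,
        [double] $CpuWarnPercent = 90
    )
    $cores = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Status = 'Missing'; CpuPercent = $null
                               Verdict = 'ALERT: service not installed or has been removed' }
            continue
        }
        if ($svc.Status -ne 'Running') {
            [pscustomobject]@{ Service = $name; Status = $svc.Status; CpuPercent = $null
                               Verdict = 'ALERT: real-time protection service stopped' }
            continue
        }
        # Win32_Service carries the PID; sample that process's CPU time over the window.
        $svcPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").ProcessId
        $t1 = (Get-Process -Id $svcPid).TotalProcessorTime
        Start-Sleep -Seconds $SampleSeconds
        $t2 = (Get-Process -Id $svcPid).TotalProcessorTime
        # CPU seconds consumed over wall seconds across all logical cores, as a percentage.
        $pct = [math]::Round(($t2 - $t1).TotalSeconds / ($SampleSeconds * $cores) * 100, 1)
        $verdict = if ($pct -ge $CpuWarnPercent) { "WARN: pegged at $pct% CPU" } else { 'OK' }
        [pscustomobject]@{ Service = $name; Status = $svc.Status; CpuPercent = $pct; Verdict = $verdict }
    }
}

# Usage. The service names below are placeholders (assumption); list the real ones with
#   Get-Service | Where-Object { $_.DisplayName -like '*spyware*' }
Test-RealtimeProtection -ServiceName 'ExampleAntiSpywareSvc', 'ExampleAntiSpywareRtSvc' | Format-Table -AutoSize
```

Run it from a scheduled task or a logon script and alert on any row whose Verdict is not OK. A stopped or missing service is the symptom a trojan like the one discussed here would produce; a pegged service is the symptom Phil's pilot saw, and the two need different follow-up (malware scan versus product bug report).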
 
Bill Sanderson

What else is running at the time--What Antivirus, for example?

Since this is a trojan that doesn't spread in any automatic fashion, I'm
skeptical about it being at the root of this issue, but it is entirely
appropriate to be careful, and at best you've got a bug of some kind that may
make the product unsuitable in your environment 'til it can be fixed.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Phil Agcaoili said:
I think that there is more to this than the Sophos report.
 
Mark L. Ferguson

Interesting thread. I would guess antispy will add itself to 'Windows File Protection', and this will be solved in the Gold version.
After antispy is running in real-time protection, of course, it should already catch that as it installs.

You can really see it coming. Longer and longer boot times, for 'slimeware' prevention.


 
Bill Sanderson

My thought was that they would link to the Security Center in XP, which would
alarm if Microsoft Antispyware goes away, but since everybody has requested
that anyway, it may be presumptuous for me to publish that thought, so I
decided not to (until now!). That doesn't solve it for Windows 2000, though.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

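Bill's idea of linking to Security Center, which alarms when a registered product disappears, can be checked from the other side by asking Security Center what it currently believes. The PowerShell below is an added example, not from this thread or from Microsoft. It assumes the root\SecurityCenter2 WMI namespace (Windows Vista and later; Windows XP SP2 used root\SecurityCenter with a different schema, Windows 2000 has no Security Center at all, as Bill notes, and Server editions do not ship the namespace) and the commonly documented productState byte layout; both are assumptions, not facts from the thread.

```powershell
# Added example, not from the thread. Reports every anti-spyware and antivirus
# product that Security Center knows about and whether each says real-time
# protection is on and definitions are current.
function Get-SecurityCenterStatus {
    # Assumption: root\SecurityCenter2 (Vista and later client SKUs).
    param([string] $Namespace = 'root\SecurityCenter2')
    foreach ($class in 'AntiSpywareProduct', 'AntiVirusProduct') {
        $products = Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction SilentlyContinue
        if (-not $products) {
            [pscustomobject]@{ Class = $class; Product = '(none registered)'; RealTime = $false
                               DefinitionsCurrent = $false; Verdict = 'ALERT: no product registered (or namespace absent)' }
            continue
        }
        foreach ($p in $products) {
            # Assumption (commonly documented layout): productState is a 24-bit value.
            # Middle byte 0x10 or 0x11 = real-time protection on, 0x00 or 0x01 = off.
            # Low byte 0x00 = definitions current, 0x10 = out of date.
            $hex   = '{0:X6}' -f [int]$p.productState
            $rt    = $hex.Substring(2, 2) -in @('10', '11')
            $fresh = $hex.Substring(4, 2) -eq '00'
            $verdict = if (-not $rt)      { 'ALERT: real-time protection off' }
                       elseif (-not $fresh) { 'WARN: definitions out of date' }
                       else                 { 'OK' }
            [pscustomobject]@{ Class = $class; Product = $p.displayName; RealTime = $rt
                               DefinitionsCurrent = $fresh; Verdict = $verdict }
        }
    }
}

Get-SecurityCenterStatus | Format-Table -AutoSize
```

Because Security Center only reports what a product registers with it, a product that stops running without unregistering can still show as enabled; pair this query with a direct service check rather than relying on either alone.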
 
