[virusinfo] Sophos Anti-Virus IDE alert: Troj/Banker-S

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 23 Apr 2004 12:02:46 -0700

From: Sophos Alert System:

Name: Troj/Banker-S
Type: Trojan
Date: 23 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any 
of the Sophos small business solutions will be automatically
protected at their next scheduled update.


At the time of writing, Sophos has received just one report of
this Trojan from the wild.


Information about Troj/Banker-S can be found at:
http://www.sophos.com/virusinfo/analyses/trojbankers.html
Description 
Troj/Banker-S is a password stealing Trojan that attempts to capture keylogs
associated with web browsing. 
Troj/Banker-S creates the following files which are all detected by this
identity: 

<Windows>\dllreg.exe
<Windows>\sock64.dll
<StartUp>\rundllw.exe
<Windows System>\load32.exe
<Windows System>\vxdmgr32.exe 

In order to run on system restart Troj/Banker-S creates the following
registry entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 

Troj/Banker-S adds the name of one of the copies of itself to the Run= line of
win.ini and the shell= line of system.ini.

Troj/Banker-S uses its own SMTP engine to send the results of the keylogger to
a Russian email address.
 
This IDE file also includes detection for:

W32/Agobot-LV
http://www.sophos.com/virusinfo/analyses/w32agobotlv.html
Troj/Legmir-L
http://www.sophos.com/virusinfo/analyses/trojlegmirl.html
Troj/Bdoor-BCQ
http://www.sophos.com/virusinfo/analyses/trojbdoorbcq.html
Troj/Dloader-O
http://www.sophos.com/virusinfo/analyses/trojdloadero.html
Troj/Navid-A
http://www.sophos.com/virusinfo/analyses/trojnavida.html
Troj/APS-TV
http://www.sophos.com/virusinfo/analyses/trojapstv.html
W32/Agobot-G
http://www.sophos.com/virusinfo/analyses/w32agobotg.html
Troj/Banker-W
http://www.sophos.com/virusinfo/analyses/trojbankerw.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/bankers.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages
<http://www3.telus.net/mikebike/mikes_virus_page.htm>
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance & OWTA Charter Member
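The alert above lists four autostart locations (the dropped files, the HKLM Run value, win.ini's run= line and system.ini's shell= line). The script below is an added example, not Sophos code or anything from the original post, showing how to audit those legacy locations against the published indicators. It takes its inputs as plain data (the INI text, a dict of Run values, a list of file paths) so it runs offline against the constructed samples embedded here; on a live host you would collect them with winreg and os.path.exists, which are Windows-only. The sample INI contents and paths are constructed for illustration.

```python
import ntpath

# Indicators taken from the Sophos description of Troj/Banker-S.
DROPPED_FILES = {"dllreg.exe", "sock64.dll", "rundllw.exe",
                 "load32.exe", "vxdmgr32.exe"}
RUN_VALUE_NAME = "load32"   # HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32
DEFAULT_SHELL = "explorer.exe"  # the only legitimate entry on system.ini shell=


def parse_ini(text):
    """Minimal INI parser -> {section: {key: value}} with lower-cased names.
    Hand-rolled because win.ini/system.ini may contain duplicate or
    malformed lines that configparser refuses to load."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_entries(value):
    """run=/shell= list programs separated by spaces or commas
    (8.3-style names; paths containing spaces would need quoting)."""
    return value.replace(",", " ").split()


def basename(entry):
    # ntpath handles backslash paths even when this runs on a non-Windows host.
    return ntpath.basename(entry).lower()


def classify(entry):
    return "IOC" if basename(entry) in DROPPED_FILES else "unexpected"


def check_win_ini(text):
    """win.ini [windows] run= and load= are empty on a clean system."""
    win = parse_ini(text).get("windows", {})
    return [(f"win.ini {key}=", classify(e), e)
            for key in ("run", "load")
            for e in split_entries(win.get(key, ""))]


def check_system_ini(text):
    """system.ini [boot] shell= should be exactly Explorer.exe; anything
    appended is launched at logon and survives reboots."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    return [("system.ini shell=", classify(e), e)
            for e in split_entries(shell) if basename(e) != DEFAULT_SHELL]


def check_run_key(values):
    """values: {value_name: command} read from the HKLM Run key."""
    findings = []
    for name, command in values.items():
        parts = split_entries(command)
        program = basename(parts[0]) if parts else ""
        if name.lower() == RUN_VALUE_NAME or program in DROPPED_FILES:
            findings.append(("HKLM\\...\\Run", "IOC", f"{name} = {command}"))
    return findings


def check_files(paths):
    """paths: files present in %WINDIR%, %WINDIR%\\System and the Startup folder."""
    return [("file", "IOC", p) for p in paths if basename(p) in DROPPED_FILES]


def audit(win_ini, system_ini, run_values, present_files):
    """Return every finding as (location, 'IOC' | 'unexpected', detail)."""
    return (check_win_ini(win_ini) + check_system_ini(system_ini)
            + check_run_key(run_values) + check_files(present_files))


# Constructed sample data modelled on the alert, not from a real infection.
INFECTED_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n[fonts]\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe\n[386Enh]\n"
INFECTED_RUN = {"load32": "C:\\WINDOWS\\SYSTEM\\load32.exe",
                "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun"}
INFECTED_FILES = ["C:\\WINDOWS\\sock64.dll",
                  "C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\rundllw.exe",
                  "C:\\WINDOWS\\notepad.exe"]
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for location, tag, detail in audit(INFECTED_WIN_INI, INFECTED_SYSTEM_INI,
                                       INFECTED_RUN, INFECTED_FILES):
        print(f"{tag:10} {location:20} {detail}")
```

Entries that are not on the indicator list but still sit on run=, load= or shell= are reported as "unexpected" rather than ignored, since a later variant would use different file names while keeping the same persistence mechanism.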



