Trend: Antispyware Killer - TROJ_ASH.A

Discussion in 'malware problems & news' started by Randy_Bell, Mar 18, 2005.

Thread Status:
Not open for further replies.
    Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA):

    TROJ_ASH.A is a destructive, memory-resident Trojan that terminates and deletes all files related to Microsoft Windows Antispyware. It also steals information related to online banking Web sites, by monitoring a user's Internet transactions at certain online banking sites. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    This memory-resident Trojan arrives in a system as the file ASH.DLL, in the Windows system folder. It may also be downloaded by the user from the Internet. Before installation, the Trojan checks whether Microsoft Windows Antispyware is installed. If found, it attempts to terminate and delete all files related to this application.

    This Trojan steals information related to online banking Web sites, by monitoring the user’s Internet transactions and waiting for the user to access the following online banking sites:

    * https://ibank.barclays.co.uk
    * https://ibank.cahoot.com
    * https://olb2.nationet.com
    * https://online.lloydstsb.co.uk
    * https://www.bankofscotlandhalifax-online.co.uk
    * https://www.ebank.hsbc.co.uk
    * https://www.millenniumbcp.pt
    * https://www.ukpersonal.hsbc.com

    When the Trojan detects visits to any of these banking sites, it displays a spoofed .HTML page to trick the user into entering their account information. The stolen data is then sent to a remote user.

    The Trojan then drops the following log files in the Windows folder, to store the information it gathers from the user:

    * Email.log
    * Pass.log
    * Req.log

    In addition to gathering user IDs and passwords, it also gathers email addresses found in the user's system. It gathers email addresses from files with the following extensions:

    * .*ht*
    * .adb
    * .asp
    * .dbx
    * .doc
    * .eml
    * .msg
    * .oft
    * .ph*
    * .pl*
    * .rtf
    * .tbb
    * .tx*
    * .uin
    * .vbs
    * .wab
    * .xls
    * .xml

    This Trojan also terminates certain processes and modifies the HOSTS file. The HOSTS file contains the mappings of IP addresses to host names. This file is loaded into the computer’s memory at startup. Windows checks this file before it connects to a requested Web site. If a requested Web site is listed in the HOSTS file, any attempt to connect to this site is redirected back to the local machine (which is your computer’s IP address). It also blocks other applications from connecting to the Internet, as long as the Web site that they attempt to connect to is listed in the HOSTS file.

    HOSTS files are useful for blocking ads, banners, cookies, and known malicious Web sites. However, this technique is now being employed by various malware to prevent users from accessing antivirus and security related Web sites.

    This Trojan adds many lines in the system's HOSTS file, preventing a user from accessing the listed Web sites. View the complete list of terminated processes and lines added.

    If you would like to scan your computer for TROJ_ASH.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    TROJ_ASH.A is detected and cleaned by Trend Micro pattern file #2.497.00 and above.
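As an added example (not part of the post above nor Trend Micro's tooling), the script below turns the two behaviours the advisory describes into defender-side checks: it parses a Windows HOSTS file and flags security-related host names that have been redirected to loopback or a null address, and it looks for the file indicators quoted in the advisory (ASH.DLL in the system folder; Email.log, Pass.log and Req.log in the Windows folder). The watchlist of domains and the sample HOSTS content are constructed for the demonstration; only housecall.trendmicro.com comes from the post, the other domain names are placeholders.

```python
"""Triage checks for the HOSTS-file hijack and dropped-file indicators
described in the TROJ_ASH.A advisory (added example, not the advisory's own code)."""
import os
from typing import Iterable, List, Tuple

# Addresses that make a host name unreachable when used in a HOSTS entry.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}

# Indicators quoted in the advisory.
DROPPED_DLL = "ASH.DLL"                          # dropped in the Windows system folder
LOG_FILES = ("Email.log", "Pass.log", "Req.log")  # written to the Windows folder

# Constructed watchlist (assumption): names a clean machine should never map
# to loopback. Only the first one appears on the page; the rest are placeholders.
SECURITY_DOMAINS = {
    "housecall.trendmicro.com",
    "www.trendmicro.com",
    "av-vendor.example",
}

# Constructed sample HOSTS content; not a capture from an infected machine.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example.net            # benign ad-blocking entry, not flagged
127.0.0.1       housecall.trendmicro.com   # hijack: blocks the online scanner
0.0.0.0         www.trendmicro.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines.

    A single line may carry several host names for one address; each becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text: str, watchlist=SECURITY_DOMAINS) -> List[Tuple[str, str]]:
    """Return entries that redirect a watchlisted security domain to loopback/null.

    Plain ad-block entries are not flagged, which is why a watchlist is used
    instead of treating every loopback mapping as hostile.
    """
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if ip in LOOPBACK_OR_NULL and name in watchlist and name != "localhost"
    ]


def file_indicators(windows_listing: Iterable[str], system_listing: Iterable[str]) -> List[str]:
    """Return the advisory's file indicators present in the given directory listings.

    Matching is case-insensitive because Windows file names are. Log files are
    reported first (in advisory order), then the dropped DLL.
    """
    win = {n.lower() for n in windows_listing}
    sysdir = {n.lower() for n in system_listing}
    found = [name for name in LOG_FILES if name.lower() in win]
    if DROPPED_DLL.lower() in sysdir:
        found.append(DROPPED_DLL)
    return found


def scan_directories(windows_dir: str, system_dir: str) -> List[str]:
    """Apply file_indicators() to real directories; missing directories yield no hits."""
    def listing(path):
        return os.listdir(path) if os.path.isdir(path) else []
    return file_indicators(listing(windows_dir), listing(system_dir))


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hijacked HOSTS entry: {name} -> {ip}")
    # Paths are the usual defaults; adjust for the machine being examined.
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for hit in scan_directories(windir, os.path.join(windir, "System32")):
        print(f"file indicator present: {hit}")
```

Run against a real machine, point `scan_directories` at the Windows and system folders of the image under examination; on a live host, also compare the HOSTS file against its last known-good copy rather than relying on the watchlist alone.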
     