MA-021.102000: PSW.Kuang Trojan
Original Issue Date: 6th October 2000
1.0 DESCRIPTION
1.1 Overview
MyCERT was informed on 21st August 2000 about a fake Maybank2u page at the URL http://maybank2u.rvx.net. The fake page offered a downloadable malicious program that claimed to be a Maybank2u application. The program was placed on the page as a zip file, Maybank2u.zip, which upon extraction contains two executable files: maybank2u.exe and password.exe.
The file 'maybank2u.exe' is believed to be the front-end or user-interface program that the victim is meant to use. The file 'password.exe' carries a trojan horse binary known publicly as PSW.Kuang or PW.Steal.
1.2 Limitation
1.2.1 The trojan is only activated once the file password.exe is executed.
1.3 Aliases
The trojan is also known as PW.Steal.
2.0 TECHNICAL MATTERS
2.1 Installation and Functionality
Password.exe
Password.exe is presented to users as the program that supplies the password needed to extract maybank2u.exe. When executed, password.exe drops two files into C:\WINNT\System32\ and/or C:\Windows\, identified as Temp$01.exe and Temp$01.dll. Temp$01.exe is the trojan horse binary known as PSW.Kuang or PW.Steal, while Temp$01.dll is a Windows Dynamic Link Library used by Temp$01.exe.
Temp$01.exe needs to be executed before it can perform its tasks, and Maybank2u.exe is what executes it. When users run Maybank2u.exe to do e-banking, the program hooks Temp$01.exe and runs it in the background. This can be confirmed by observing the files accessed when Maybank2u.exe is executed.
Temp$01.exe then sends the data it has collected through an SMTP relay session using an open relay mail server. The email sent through this server appears to be directed/relayed to an identified email account. The information sent was identified as dial-up networking properties, namely the username and passwords.
Maybank2u.exe
Maybank2u.exe, when executed, opens a window prompting users to enter a valid Maybank2u username and password, together with the Maybank2u PIN and access number. The access number is supposed to be the user's ATM or credit card number, and the PIN is the ATM PIN. When the user enters any data in the fields and clicks the button, the program opens the user's default browser and connects to https://www.maybank2u.com.my over an SSL-encrypted tunnel to port 443. This Maybank2u.exe program is also used to execute 'C:\WINNT\System32\Temp$01.exe'. Please refer to the section Password.exe above to understand what Temp$01.exe does.
Process summary
- User unzips Maybank2u.zip.
- User runs password.exe to get the password to extract Maybank2u.exe, and as a result the trojan is eventually executed in the background.
- Password.exe drops two files into C:\WINNT\System32\: Temp$01.exe and Temp$01.dll.
- Maybank2u.exe opens a web browser to https://www.maybank2u.com.my and silently hooks and executes Temp$01.exe.
- Temp$01.exe collects dial-up information and sends it out through an open relay SMTP server.
3.0 POSSIBLE STEPS
3.1 Prevention
DO NOT execute the attachment "maybank2u.zip".
Regularly update the virus definition file of your antivirus software and run a virus scan on the computer. This ensures that the software is able to detect the presence of a new virus. The list of known antivirus vendors can be found at:
http://www.mycert.mimos.my/anti-virus.htm
Always run a virus scan on any downloaded file before executing it. It is advisable that your antivirus software runs in "Auto Protect Mode" at all times.
3.2 Detection
The trojan in password.exe was detected by all three antivirus products used. If the active monitoring feature of the antivirus is enabled, the trojan should be detected even before it is executed. The antivirus products used are:
- OfficeScan95 by Trend Micro (signatures dated 15/3/2000) detected 'TROJ_EXPLORE32.D'
- Norton Anti-virus by Symantec (signatures dated 30/6/2000) detected 'Backdoor.Trojan'
- InnoculateIT by Computer Associates (signatures dated 17/8/2000) detected 'PSW.Kuang.Trojan'
The trojan in Temp$01.exe was also detected by all three antivirus products used. The detections are as follows:
- OfficeScan95 by Trend Micro (signatures dated 15/3/2000) detected 'TROJ_PSW.weird'
- Norton Anti-virus by Symantec (signatures dated 30/6/2000) detected 'PWSteal.trojan'
- InnoculateIT by Computer Associates (signatures dated 17/8/2000) detected 'Win32/NertLog.A.Trojan'
3.3 Removal
On the hosts, the trojan can be disabled by deleting the files Temp$01.exe and Temp$01.dll from C:\WINNT\System32 (WinNT, Win2K) and from C:\Windows and C:\Windows\System (Win95/98) BEFORE the machine is rebooted. After a reboot the trojan is resident in memory, which makes deleting the files more difficult. The best way to disable or delete the infected files after rebooting is to use antivirus utilities.
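The following check, added here as an example and not a MyCERT tool, looks for the two dropped files in the directories listed above and, only when asked, deletes them; it assumes Python is available on the host and that it is run with sufficient rights before the reboot described above (the directory list is a parameter so it can be pointed at other locations).

```python
import os
import sys
from pathlib import Path

# File names dropped by password.exe, as named in this advisory.
DROPPED_FILES = ("Temp$01.exe", "Temp$01.dll")

# Drop locations named in the advisory, by Windows family.
DEFAULT_DIRS = (
    r"C:\WINNT\System32",   # WinNT / Win2K
    r"C:\Windows",          # Win95/98
    r"C:\Windows\System",   # Win95/98
)


def find_dropped_files(search_dirs=DEFAULT_DIRS):
    """Return sorted paths of indicator files found in search_dirs.

    Matching is case-insensitive, since Windows file names are."""
    wanted = {name.lower() for name in DROPPED_FILES}
    hits = []
    for d in search_dirs:
        base = Path(d)
        if not base.is_dir():          # directory absent on this Windows family
            continue
        for entry in base.iterdir():
            if entry.is_file() and entry.name.lower() in wanted:
                hits.append(str(entry))
    return sorted(hits)


def remove_dropped_files(search_dirs=DEFAULT_DIRS, dry_run=True):
    """Delete the indicator files; with dry_run=True only report them.

    Returns (found, removed) path lists so callers can log both."""
    found = find_dropped_files(search_dirs)
    removed = []
    for path in found:
        if dry_run:
            continue
        try:
            os.remove(path)
            removed.append(path)
        except OSError as exc:          # e.g. file locked because trojan is resident
            print(f"could not remove {path}: {exc}")
    return found, removed


if __name__ == "__main__":
    found, removed = remove_dropped_files(dry_run="--delete" not in sys.argv)
    print("found:", found or "none", "| removed:", removed or "none")
```

Run it without arguments to report only; add --delete to actually remove the files. If removal fails because the file is locked, the machine has likely been rebooted already and antivirus utilities should be used instead, as the section above advises.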
4.0 MORE INFORMATION
Last Update April 19, 2001