Write-up by: Ka Chun Leung
Discovered on: January 20, 2005
Last Updated on: January 20, 2005 10:13:41 AM

PWSteal.Tarno.L is a password-stealing Trojan horse program that attempts to log information entered into web forms.

When PWSteal.Tarno.L is executed, it performs the following actions:

Creates the following files:

%System%\IEHelper.dll
%Temp%\data2451.tmp

Notes:
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

Registers IEHelper.dll as a Browser Helper Object (BHO) by creating the following registry keys:

HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
HKEY_CLASSES_ROOT\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}

so that the DLL is loaded every time Internet Explorer starts.


Monitors Internet Explorer for accesses to the following online bank sites:

Halifax
Royal Bank of Scotland
NatWest
Woolwich
Abbey National
HSBC
Barclays
Lloyds
Cahoot

When account information is entered for one of the aforementioned sites, it displays a false authentication page and logs the user's account details to %Temp%\data2451.tmp.

Sends the information to the host referenced in the following registry key:

HKEY_CLASSES_ROOT\CLSID\{FD8953C6-823F-46ab-8669-3B2BBF3A9210}\Server
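As an added example that is not part of the original write-up, the following PowerShell script checks a Windows host for the files and registry keys listed above and reports the exfiltration host so it can be blocked. It assumes the default %System% and %Temp% locations, that Internet Explorer lists the BHO under HKLM\...\Explorer\Browser Helper Objects (standard BHO registration, not stated in the write-up), and that the host is stored as the default value of the Server key.

```powershell
# Added detection example, not code from the original write-up.
# Reports PWSteal.Tarno.L indicators on the local host; run elevated.
$Clsid = '{FD8953C6-823F-46ab-8669-3B2BBF3A9210}'
$Findings = New-Object System.Collections.Generic.List[string]

# Dropped files, with %System% and %Temp% resolved for this host.
# Both the per-user and the system-wide Temp folder are checked.
$FilePaths = @(
    (Join-Path $env:SystemRoot 'System32\IEHelper.dll'),
    (Join-Path $env:TEMP 'data2451.tmp'),
    (Join-Path $env:SystemRoot 'Temp\data2451.tmp')
)
foreach ($Path in $FilePaths) {
    if (Test-Path -LiteralPath $Path) {
        $Findings.Add("File present: $Path")
    }
}

# Registry keys named in the write-up, plus the per-machine BHO list that
# Internet Explorer reads at start-up (assumed location, standard for BHOs).
$RegKeys = @(
    'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
foreach ($Key in $RegKeys) {
    if (Test-Path -LiteralPath $Key) {
        $Findings.Add("Registry key present: $Key")
    }
}

# Exfiltration host: assumed to be the default value of the Server subkey.
# Record it so the destination can be blocked and searched for in proxy logs.
$ServerKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Server"
if (Test-Path -LiteralPath $ServerKey) {
    $ServerHost = (Get-ItemProperty -LiteralPath $ServerKey).'(default)'
    $Findings.Add("Exfiltration host configured in Server key: $ServerHost")
}

if ($Findings.Count -eq 0) {
    Write-Output 'No PWSteal.Tarno.L indicators found.'
} else {
    Write-Output 'PWSteal.Tarno.L indicators found:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Any hit on %Temp%\data2451.tmp means credentials may already have been captured; preserve the file for the investigation before cleaning the host.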

Removal Instructions