Beware: A New Virus Steals Bank Passwords and Account Details



 

A new virus has been found to be "spreading widely" in Indian cyberspace; once it is clicked, it quietly steals the user's bank account details and passwords.

The country's cyber security sleuths have alerted Internet users in India about a new and suspected variant of the malware family called 'Win32/Ramnit'.


"Ramnit worm spreads by infecting or modifying files existing on target systems such as (EXE, dll or html) and creating a new section so as to modify the entry point to that section," an advisory issued by the country's premier cyber security agency, the Computer Emergency Response Team-India (CERT-In), said.

The malware, the advisory states, "steals credentials like file transfer protocol passwords, bank account logins, infects removable media, changes browser settings and downloads and executes arbitrary files".

The virus is so potent, cyber sleuths say, that it can hide itself from anti-virus solutions and takes on various aliases in order to attack a genuine system or Internet connection, including the email and other user services that run over it.

The virus is so lethal in its operations that it "infects the removable media by copying itself to its recycle bin and creates an autorun.inf file," the advisory said.

Once the system is infected, the malware injects its code into Windows executables, HTML files or DLLs to communicate with its command and control server, thereby compromising the security of the online system.

Win32/Ramnit: Win32/Ramnit is a family of multi-component malware that spreads to removable drives and steals sensitive information such as saved banking and FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.

Win32/Ramnit may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection. For specific recovery information, please see Using Windows Defender Offline below.

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. Microsoft offers the following products to detect and remove this threat:

·       Microsoft Security Essentials or, for Windows 8, Windows Defender

·       Microsoft Safety Scanner

·       Microsoft Windows Malicious Software Removal Tool

Symptoms

System changes

The following system changes may indicate the presence of this malware:

·       Your antimalware or security product may not work correctly, or may not work at all

·       The presence of the following files:
  
"%TEMP%\wdexplore.exe"
"%TEMP%\svchost.exe"

·       The presence of the following registry modifications:
  
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"  

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"
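The file and registry indicators listed above can be checked in one pass rather than by hand. The script below is an added example, not code from the article, CERT-In or Microsoft. It assumes an elevated PowerShell session (so the HKLM keys are readable), only reads the system, and reports which of the listed indicators are present. The "Userinit" check treats any entry other than the stock userinit.exe as suspect, which is an assumption based on the example data the advisory gives.

```powershell
# Added example: read-only check for the Win32/Ramnit indicators quoted above.
# Assumes an elevated PowerShell session; makes no changes to the host.

$findings = @()

# 1. Files the advisory says the malware drops into %TEMP%.
#    The genuine svchost.exe lives in System32, never in %TEMP%.
$suspectFiles = @(
    (Join-Path $env:TEMP 'wdexplore.exe'),
    (Join-Path $env:TEMP 'svchost.exe')
)
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
    }
}

# 2. Registry values and the data the advisory associates with infection.
#    Start = 4 means the service is disabled; EnableLUA = 0 turns UAC off;
#    EnableFirewall = 0 switches the firewall off for the standard profile.
$checks = @(
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'; Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'; Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc'; Name = 'Start'; Bad = 4 }
)
foreach ($c in $checks) {
    # Missing keys or values are simply skipped (they are not an indicator).
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$($c.Name) -eq $c.Bad) {
        $findings += "Registry: $($c.Key)\$($c.Name) = $($c.Bad)"
    }
}

# 3. Winlogon\Userinit: the stock data is a single entry such as
#    "C:\Windows\system32\userinit.exe," (trailing comma included).
#    Assumption for this example: any additional entry is suspect.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name 'Userinit' -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $extra = @($entries | Where-Object { $_ -notlike '*\userinit.exe' })
    if ($extra.Count -gt 0) {
        $findings += "Registry: Winlogon\Userinit has extra entries: $($extra -join '; ')"
    }
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'None of the listed Ramnit indicators were found.'
} else {
    Write-Output 'Possible Ramnit indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat a hit as a lead, not a verdict: administrators sometimes disable Windows Update, the Security Center service or the firewall deliberately, so a single matching value is not proof of infection, while an unexpected Userinit entry or an executable in %TEMP% is much harder to explain away. Either way, the confirmation step is the offline scan described in the Recovery section, since the malware can interfere with scanners that run on the live system.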

Recovery


If you suspect your computer has been compromised, we recommend using the Windows Defender Offline to detect and remove this threat.

Using Windows Defender Offline

Windows Defender Offline works by allowing you to:

·       Download a copy of the tool from a computer that has access to the internet

·       Save a copy of the recovery tool to a removable drive, in order to create bootable media

·       Run the recovery tool on a compromised computer

You might want to use Windows Defender Offline when:

·       You need to scan your computer to check for rootkits and other malware

·       You are infected with malware that prevents you from downloading and installing an antivirus or the latest updates for your antivirus software

·       Your antivirus does not detect or remove advanced malware, such as a rootkit

Note: Windows Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start or otherwise effectively scan your infected computer due to a virus or other malware actively running on the computer and impeding the effective action of antimalware software. For no-cost, real-time protection that helps guard your home or small business computers against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

1.   Determine if you require the 32-bit or 64-bit download.
See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit or 64-bit version of the Windows operating system.

2.   Using a computer that can connect to the internet, download the version of the Windows Defender Offline that applies to the affected computer.
If the affected computer is a: 
- 32-bit computer, then download the 32-bit version here
- 64-bit computer, then download the 64-bit version here.
Note: In order for the recovery tool to be effective, make sure you download the version that matches the architecture of the affected computer. For example, if your 64-bit desktop is affected, you will need to download the 64-bit version of the Windows Defender Offline and save it to a removable drive.

3.   Save the downloaded file to a local drive on your computer.

4.   Launch the downloaded file, and create a bootable device by following the instructions on the wizard.
Note: We recommend creating a bootable USB or CD; if you create a bootable USB, this can be updated for future use.

5.   From the affected computer, boot from the USB or CD you created in step 4.
Note: You may need to set the boot order in the BIOS to do this. This will be device specific, so if you are unsure, refer to your system manual or manufacturer.

6.   Follow the prompts to run a full system scan.
Depending on the outcome of the scan, your next steps will vary. Follow the prompts from Windows Defender Offline to manage any threat detections.

Steps you can take once your computer has been cleaned

·       Install security software, such as Microsoft Security Essentials, or any number of other products that provide a complete, real-time antivirus solution.

·       Keep your antivirus up to date by making sure you have the latest definitions.

 

Stay Safe...

ABOUT THE AUTHOR
AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer. Follow 'AbhiShek SinGh' on Facebook , Twitter or Google+ or via Email
