A virus goes undetected by popular antivirus programs and steals passwords! I track it down and manually delete it.
A computer was misbehaving with Firefox locking up (Not Responding). The problem turned out to be a virus, a variant of the Trojan Banker (Trojan.Banker). This virus was actively stealing usernames and passwords for web sites. It was not detected by the popular antivirus programs Malwarebytes, Microsoft Security Essentials, Microsoft Safety Scanner or Kaspersky Rescue Disk. This Trojan Banker variant was hidden in a Firefox Add-on extension named “Java String Helper 1.0.” The virus can be manually deleted. See the “Manual removal of this virus” instructions below.
The detailed story
My client asked me to fix his computer because “the Internet was getting stuck all the time and he had to restart it constantly.” I had him demonstrate what was bugging him. Firefox was locking up soon after launching, becoming unresponsive to keystrokes or mouse clicks, showing an hour glass pointer and “(Not Responding)” in the title bar. Closing Firefox would pop up the window “you have chosen to close an unresponsive program…” and reporting it to Microsoft yielded no solutions.
Otherwise the computer seemed to be running normally. Internet Explorer was not having problems but I told him he was smart to use Firefox for his Internet browsing.
The computer was running XP Home and updates were enabled and up to date. Microsoft Security Essentials was up to date. Firefox was version 4.0.1, up to date. The most interesting errors in the logs were the numerous “Application Hangs” of Firefox.
First I checked for malware by running my favorite anti-virus programs, Microsoft Safety Scanner and Malwarebytes (after updating each one and running a full scan).
Microsoft Safety Scanner found and removed 3 problems: Trojan:Win32/coremhead, Trojan:Win32/Dynamer!dtc and TrojanDownloader:Java/OpenConnection.JS.
Malwarebytes found and removed 4 problems: Trojan.Banker, Malware.Trace, Stolen.Data and Hijack.UserInit.
This did not solve the problem – Firefox was still hanging up.
Some research with Google revealed that the Trojan Banker malware was a serious threat and had many variations. The Trojan Banker virus’ mission was to steal usernames and passwords for financial web sites and to send the data back to the bad guys in Russia.
Malwarebytes “Stolen.Data” pointed to a folder in system32 (windows\system32 or %systemroot%\system32) named “xmldm.” I checked the folder. The folder had files that contained private logon information. This computer was infected with a keystroke logger. I contacted the client immediately and told him the web sites that were compromised and had him change his passwords on those sites.
The virus was still active. I could delete the xmldm folder but running Firefox would recreate the folder. Visiting Yahoo and testing a log on with username “test” and password “hello” would create files in the folder containing yahoo.com, test, and hello. I cannot confirm if the private information was being relayed to the virus creators. But I know the keystroke logger was active and capturing usernames and passwords.
The following tools also failed to clean the system: SUPERAntiSpyware, Kaspersky Rescue Disk (found 6 problems: Trojan-Spy.Win32.Agent.bpdv, Trojan-Banker.Win32.MultiBanker and Agent (5 versions)) and BitDefender On Demand CD (found 2 problems: Gen:Variant.Kazy and Trojan.Generic).
Before further work, I made an image backup of the hard disk.
I tried restoring the system to an earlier time with the System Restore utility. There were numerous system restore points, but each one failed to restore the system (“…restore point failed. No changes have been made to the system”).
I ran scandisk and SpinRite to check the file system and disk integrity. Pass.
More Google research revealed that there are many variants of the trojan banker. 2 pages suggested the trojan may be hidden in a Firefox Add-on extension.
Firefox Add-on manager showed 4 extensions: Java Quick Starter 1.0, Java String Helper 1.0, Java String Helper 1.0 (again) and Move Media Player 7.
Internet searching suggested the first and last were likely valid, but there was scant information on Java String Helper 1.0, and one mention on a foreign-language web site seemed to associate it with a virus. Disabling all 4 extensions blocked the virus: the xmldm folder was not created, and Firefox no longer captured usernames and passwords from Yahoo and wrote them to the folder.
Firefox extension information is stored in a database, \Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\x.default\extensions.sqlite. This file can be opened, viewed and manipulated with the tool SQLite Database Browser. The database contained 7 entries.
In this database, 3 entries seemed valid but 4 looked suspicious. The 4 suspicious entries were essentially 2 entries duplicated. The 2 entries pointed to folders in the system32 folder with the generic names “5012” and “5015.” Inside these folders were text files that referred to files named AcroFF*, a filename associated with the trojan banker malware.
This was compelling evidence that a variant of the Trojan Banker malware was indeed hiding in a Firefox Add-on. The malware was removed by deleting the suspect entries in the Firefox database extensions.sqlite with SQLite Database Browser and deleting the suspect folders and their contents in system32.
Manual removal of this virus
Manual removal of this virus was accomplished by deleting the virus containing Firefox Add-on extensions and the directories that they pointed to.
This process requires moderate computer experience. Enable viewing of hidden files. Close Firefox first; while it is running, the .sqlite database is in use and its contents cannot be viewed or edited reliably. These directions are for Firefox 4 on Windows XP and Windows 7. Note the paths to extensions.sqlite are different in the two operating systems, and your paths may vary. Always make a backup before you begin.
1. Finding your Firefox Add-on extensions: Firefox > Add-ons > Extensions tab, look for suspicious extensions and research them. In this case, the virus was hiding in “Java String Helper 1.0.” Note there is no Remove button.
2. Use the SQLite Database Browser to view and edit the Firefox extensions database. Download SQLite Database Browser and unzip it. Use it to open extensions.sqlite (the paths for Windows XP and Windows 7 are different; username and xxxxxxx stand for path components that will be specific to your PC) –
XP: \Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default\extensions.sqlite
Windows 7: \Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxx.default\extensions.sqlite
Again look for suspicious extensions and research them. Make note of the path and file as listed in the “descriptor” field. In this case, the virus was in the folders “5012” and “5015.”
3. Delete the virus-containing files, folders and entries in the extensions.sqlite database (the SQLite Database Browser allows you to delete records in the database).
4. Test for removal of the virus. In this case, the xmldm folder was no longer created when Firefox was started and password data was no longer written to that folder.
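The inspection in step 2 and the deletion in step 3 can also be done outside SQLite Database Browser. The script below is an added example, not part of this write-up and not the tool used in the case above. It builds a constructed extensions.sqlite (a subset of the Firefox 4 “addon” table, with only the columns the example needs and with made-up add-on ids), flags rows whose “descriptor” points into the Windows directory or whose id appears more than once, backs up the database, deletes the flagged rows and reports the descriptor folders that still have to be removed from disk by hand. The profile and system paths are assumptions; point them at your own PC when running it against a copy of a real database.

```python
import ntpath
import os
import shutil
import sqlite3
import tempfile

# Subset of the Firefox 4 extensions.sqlite "addon" table. Assumption: the real
# table has many more columns; only the ones this example needs are modelled.
SCHEMA = """
CREATE TABLE addon (
    internal_id INTEGER PRIMARY KEY AUTOINCREMENT,
    id TEXT, location TEXT, version TEXT, type TEXT,
    active INTEGER, userDisabled INTEGER, descriptor TEXT,
    UNIQUE (id, location)
);
"""

# Assumed paths; replace with the ones for your own PC.
PROFILE = r"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abc123.default"
SYSTEM_ROOT = r"C:\WINDOWS"

# Constructed sample rows modelled on the case: 3 legitimate-looking entries and
# 2 entries duplicated across install locations, each pointing into system32.
# The add-on ids are hypothetical.
SAMPLE_ROWS = [
    ("jqs@sun.com", "winreg-app-global", "1.0", "extension", 1, 0,
     r"C:\Program Files\Java\jre6\lib\deploy\jqs\ff"),
    ("moveplayer@example.invalid", "app-profile", "7.0", "extension", 1, 0,
     PROFILE + r"\extensions\moveplayer@example.invalid"),
    ("{972ce4c6-7e08-4474-a285-3208198ce6fd}", "app-global", "4.0.1", "theme", 1, 0,
     r"C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}"),
    ("helper5012@example.invalid", "app-profile", "1.0", "extension", 1, 0, SYSTEM_ROOT + r"\system32\5012"),
    ("helper5012@example.invalid", "winreg-app-user", "1.0", "extension", 1, 0, SYSTEM_ROOT + r"\system32\5012"),
    ("helper5015@example.invalid", "app-profile", "1.0", "extension", 1, 0, SYSTEM_ROOT + r"\system32\5015"),
    ("helper5015@example.invalid", "winreg-app-user", "1.0", "extension", 1, 0, SYSTEM_ROOT + r"\system32\5015"),
]


def build_sample_db(db_path):
    """Create the constructed extensions.sqlite (test data only)."""
    con = sqlite3.connect(db_path)
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO addon (id, location, version, type, active, userDisabled, descriptor)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def _under(path, parent):
    """Case-insensitive 'path is inside parent' check for Windows-style paths."""
    p = ntpath.normcase(ntpath.normpath(path))
    q = ntpath.normcase(ntpath.normpath(parent))
    return p == q or p.startswith(q + "\\")


def list_addons(db_path):
    """All rows of the addon table, in install order."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT internal_id, id, location, version, type, active, userDisabled, descriptor"
        " FROM addon ORDER BY internal_id").fetchall()
    con.close()
    return rows


def suspicious_addons(db_path, profile_dir, system_root):
    """Rows worth researching, as (internal_id, id, descriptor): the descriptor lives
    under the Windows directory, outside the usual install locations, or the same
    add-on id appears more than once (the duplicated entries seen in this case)."""
    rows = list_addons(db_path)
    counts = {}
    for r in rows:
        counts[r[1]] = counts.get(r[1], 0) + 1
    flagged = []
    for internal_id, addon_id, _loc, _ver, _type, _active, _dis, descriptor in rows:
        in_system = _under(descriptor, system_root)
        usual = (_under(descriptor, ntpath.join(profile_dir, "extensions"))
                 or _under(descriptor, r"C:\Program Files"))
        if in_system or not usual or counts[addon_id] > 1:
            flagged.append((internal_id, addon_id, descriptor))
    return flagged


def remove_addons(db_path, internal_ids):
    """Back up the database, then delete the given rows. Returns (rows deleted,
    descriptor folders that still have to be removed from disk by hand)."""
    internal_ids = list(internal_ids)
    if not internal_ids:
        return 0, []
    shutil.copy2(db_path, db_path + ".bak")  # always keep a copy of the original
    con = sqlite3.connect(db_path)
    marks = ",".join("?" * len(internal_ids))
    folders = sorted({d for (d,) in con.execute(
        f"SELECT descriptor FROM addon WHERE internal_id IN ({marks})", internal_ids)})
    deleted = con.execute(f"DELETE FROM addon WHERE internal_id IN ({marks})", internal_ids).rowcount
    con.commit()
    con.close()
    return deleted, folders


def run_demo():
    """Build the constructed database in a temp dir, flag and remove the suspect rows.
    Returns (flagged rows, rows deleted, folders to remove by hand, remaining ids)."""
    db = os.path.join(tempfile.mkdtemp(), "extensions.sqlite")
    build_sample_db(db)
    flagged = suspicious_addons(db, PROFILE, SYSTEM_ROOT)
    deleted, folders = remove_addons(db, [f[0] for f in flagged])
    remaining = [r[1] for r in list_addons(db)]
    return flagged, deleted, folders, remaining


if __name__ == "__main__":
    flagged, deleted, folders, remaining = run_demo()
    for internal_id, addon_id, descriptor in flagged:
        print(f"suspect row {internal_id}: {addon_id} -> {descriptor}")
    print(f"deleted {deleted} rows; remove these folders by hand: {folders}")
    print(f"remaining add-ons: {remaining}")
```

The flagging rule deliberately errs toward false positives: an entry that lands on the list is something to research, not something to delete blindly. Whatever you delete, keep the .bak copy and the image backup from the story above, and re-run the step 4 test afterwards.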
Antivirus programs do not catch all malware. Even my favorites, Microsoft Safety Scanner and Malwarebytes, missed this trojan.
Not all malware is well documented. This virulent variant has scant information about it on the Internet.
Any browser can be compromised. Firefox is generally considered safer to use than Internet Explorer but here it was compromised.
With persistence and research it is possible to track down and manually delete a virus.
The same virus may go by different names depending on the antivirus company and the virus may have many variants.
These web sites refer to Trojan Banker keystroke logger viruses that seem similar to this case.
June 8, 2011. Update Manual Removal section to include XP and 7 information.