Released on = April 13, 2006, 5:29 am

Press Release Author = Olga Gorshkova, StarForce

Industry = Software

Press Release Summary = Last week Kaspersky Lab. detected first bank trojan
Trojan-PSW.Win32.Agent.ew developed for bank info theft. Safe'n'Sec® proactive PC
protection developers analyzed trojan's behavior and made an expert decision -
Safe'n'Sec® blocks trojan's malicious actions.

Press Release Body = Last week Kaspersky Lab. detected first bank trojan
Trojan-PSW.Win32.Agent.ew developed for bank info theft. Safe'n'Sec® proactive PC
protection developers analyzed trojan's behavior and made an expert decision -
Safe'n'Sec® blocks trojan's malicious actions.
In particular Trojan-PSW.Win32.Agent.ew invaded into De Postbank (Netherlands)
computer network which is the last large bank in the country that uses TAN-codes.
New tendency in ordered malware development is the following - cyber-criminals have
turned their attention from fishing to trojan programs.
PSW (Password-Stealing-Ware) family of trojans steals various data from the infected
PC system passwords usually. After downloading this malware starts searching system
files with confidential content for ex. telephone numbers, Internet access passwords
etc. Gathered info is sent to e-mail address written in the trojan's code.
As far as Trojan-PSW.Win32.Agent.ew is concerned it starts its damaging activity
with including Internet Explorer into Windows brandmauer exclusion list through
register key creating:
\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST\\C:\\PROGRAM
FILES\\INTERNET EXPLORER\\IEXPLORE.EXE All trojan's technical data is stored in
created register keys. Creating the keys Trojan-PSW.Win32.Agent.ew registers BHO
Internet Explorer under Software Installation Snapin Extenstion name and then allows
BHO extensions via key creation. Creating C:\\WINDOWS\\system32\\msnscps.dll file the
program conceals as the following system file:

Product version: 5.1.2600.2180
File version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Internal name: Software Installation Snapin Extenstion
Product name : Microsoft® Windows® Operating System
Publisher : Microsoft Corporation

After that the trojan starts gathering confidential data and e-mailing it to the
customer.

Trojan-PSW.Win32.Agent.ew is not dangerous for Safe'n'Sec®-protected PC as
Safe'n'Sec® after analyzing the trojan's behavior blocks system files changing and
BHO extensions adding.

About Safe'n'Sec®
Safe'n'Sec® provides the inner PC environment security as well as secure Internet
navigation. The program occupies minimum HDD (20 Mb) and uses no more than 2%
processor resources as it doesn't depend on signature updates. Being compatible and
successfully supplementing other IT security software Safe'n'Sec® provides constant
and reliable PC protection.

PR service
Olga Gorshkova
PR Director
StarForce
127106 Russia, Moscow
Altufievskoe shosse 5/2
Phone: +7 (095) 967-1451 ext. 236
E-mail: olga.gorshkova@star-force.com
http://www.star-force.сom


Web Site = http://www.star-force.com

Contact Details = 127106 Russia, Moscow
Altufievskoe shosse 5/2
Phone: +7 (095) 967-1451 ext. 236
E-mail: olga.gorshkova@star-force.com