Experts ID New Trojan as Bankhook.A

Reported on Tuesday by its filename img1big.gif, Bankhook.A is a keystroke logging trojan that typically poses as an image file to gain entrance into PCs to steal banking and financial information. Bankhook.A threatens Windows 2003, XP, 2000, NT, ME, 98 and 95 operating systems.

So far, Bankhook.A has only earned a moderate threat rating because of its infrequency. However, Panda Labs, a Glendale, Calif.-based security firm, has rated the trojan's damage potential as severe. Updated virus signatures for Bankhook.A can be found at Panda's Web site.

"Bankhook.A is a DLL [Dynamic Link Library] that registers itself in order to ensure it is run whenever the browser Internet Explorer is launched," according to a Panda Labs security alert.

Bankhook.A installs a Browser Helper Object (BHO) on Internet Explorer versions 4.X and higher. One of two sets of code in Bankhook.A performs the initial install, while the other performs the BHO install. Once the BHO is up, it seeks secure access to the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL," according to John Bambenek, a handler at the Internet Storm Center, Bethesda, Md. The outbound data--which can include user names, passwords and credit card numbers--is sent over an HTTP connection created by Bankhook.A to the address http://www.refestltd.com/cgi-bin/yes.pl.

"Bankhook.A is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer," according to Panda Labs.

Free software called BHODemon Definitive Solutions can assist administrators in identifying rogue BHOs installed on Windows systems, according to the Internet Storm Center's Bambenek.
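The BHO registration described above can also be audited from a registry dump. The following is an added example, not code from Panda Labs, the Internet Storm Center or BHODemon. It assumes text in the layout printed by `reg query <key> /s` for the standard `Browser Helper Objects` and `Classes\CLSID` keys; the CLSIDs, names, DLL paths and allowlist are constructed placeholders.

```python
import re

# Constructed sample in the layout printed by `reg query <key> /s`;
# CLSIDs, names and DLL paths are invented for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}
    (Default)    REG_SZ    Example Toolbar Helper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\ExampleVendor\helper.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32
    (Default)    REG_SZ    C:\WINDOWS\system32\example_unknown.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query /s` style text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif line.startswith("    ") and current is not None:
            # Value lines are "name<4 spaces>type<4 spaces>data".
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                current[parts[0]] = parts[2]
    return keys

def audit_bhos(text, allowlist):
    """List (clsid, dll_path) for registered BHOs whose CLSID is not allowlisted.

    `allowlist` is a set of upper-case CLSID strings approved by the administrator.
    """
    keys = parse_reg_query(text)
    servers = {}  # CLSID -> DLL that Internet Explorer would load in-process
    for path, values in keys.items():
        m = CLSID_RE.search(path)
        if m and path.lower().endswith("\\inprocserver32"):
            servers[m.group(0).upper()] = values.get("(Default)", "")
    findings = []
    for path in keys:
        parent, _, leaf = path.rpartition("\\")
        if parent.lower().endswith("\\browser helper objects"):
            clsid = leaf.upper()
            if clsid not in allowlist:
                findings.append((clsid, servers.get(clsid, "<no InprocServer32 in dump>")))
    return sorted(findings)
```

Each finding pairs an unapproved BHO CLSID with the DLL registered as its in-process server, which is the file to examine and scan.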