
Trojan-Phisher-SABanks.Gen


12 replies to this topic

#1 Tonito

Tonito

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 06 April 2009 - 09:38 PM

I was running a routine Full scan on my system with Webroot Spy Sweeper and it detected a trojan (seemingly) called "Trojan-Phisher-SABanks.Gen". I did some checking and I am wondering if this is so new that there isn't much info. on it yet or it is just a false positive. I searched Google and only found 4 entries and NONE of them were in English (which kind of made me think since there were only 4 entries on this that it may very well be a false positive). Webroot's description was this: "Trojan-Phisher-SABanks.Gen is a phishing Trojan that may harvest personal information such as usernames and passwords in order to access financial accounts." Webroot also said that: "Trojan-Phisher-SABanks.Gen may run silently in the background and log personal information entered into financial Web sites and may send this data to a malicious third party."
I am very aware of Trojans and use layering to protect my Win XP system. The last scan that I ran was on April 2 with Webroot and it didn't detect it then, only tonight (April 6). I will run my other programs, Norton, Spybot, MBAM, and Defender and see if any of them detects anything. Does anyone know if this is indeed something or not?? I would certainly appreciate any assistance and info. on this.
Thanks....Tonito



#2 Chalky White

Chalky White

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 07 April 2009 - 04:59 AM

Hi, it will be fixed with def update 1422 of Spysweeper. False positive confirmed by Webroot support this morning, something to do with a reg key associated with Microsoft setup tool.

#3 NaiveMelodyNYC

NaiveMelodyNYC

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:24 AM

Posted 07 April 2009 - 05:23 AM

I got the same detection with my SpySweeper Anti-spyware 4-6-09, too. Just like Tonito I have Malwarebytes 1.36 new version/ upgrade- just installed where it required some 'registry' changes according to my ZoneAlarm firewall. I looked up "ms setup (acme)" and it has something to do with new application/ installation/ changes within the registry - so I'm thinking that SpySweeper may have found something within "our" Malwarebytes upgrade > (false positive). There is another Google search posting where he too, had SpySweeper+Malwarebytes = this trojan -
click here > http://community.norton.com/norton/board/m...essage.id=45346 .
Thanks to Chalky White for posting the false positive. Question for him, how did it obtain such information?
I wish Webroot would start having an open forum, so issues of updating/ problems/ etc. and these false positives could be 'verified' from the source instead of 'us' relying on these third party forums.

#4 Chalky White

Chalky White

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 07 April 2009 - 05:29 AM

Hey NMNYC, yes Webroot support said it was to do with the MS SETUP (ACME). I don't have any more info though, other than the 1422 def file release will stop these pesky alerts. I asked the support technician to recommend a subscription service to paying customers to alert us as soon as they realise they have a false-positive on their hands. Perhaps a Twitter feed, like the McAfeeAvertLabs one? :thumbsup:

#5 Mamaw

Mamaw

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 07 April 2009 - 08:27 AM

I'm glad I found this site..I was so worried when this "trojan-phisher-sabanks.gen" notice showed up on my scan..it's a relief to know it was a false positive. I love this site! :thumbsup:

#6 Tonito

Tonito
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 07 April 2009 - 09:11 AM

Very cool. Thanks very much to all that responded to my post about the Trojan-Phisher-SABanks.Gen. I kind of figured it was a False positive of some sort. By the by, obviously I quarantined what it found. Since this did have something to do with some MS setup tool, did Webroot say that one should un-quarantine this and put it back into the registry so that whatever it depends on will function normally again?

thanks....

#7 shadowsmom

shadowsmom

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:24 AM

Posted 07 April 2009 - 04:33 PM

Whew! Am I glad I found this forum. SpySweeper found it on my computer today, too. It Quarantined it and I deleted it. I decided to run a Full Scan only to find that it was still showing up on my computer.

Webroot hasn't gotten back to me on it yet....

I'm still a little concerned about it. Hope it's really nothing!

#8 toonces1

toonces1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 07 April 2009 - 06:49 PM

I too have trojan-phisher-sabanks.gen found and quarantined by Webroot. Problem is, the computer froze up with the "quarantined" screen. :thumbsup:

#9 Worrier

Worrier

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 07 April 2009 - 09:13 PM

I too found the SABanks trojan on my spysweeper scan on 4/6/09. I had updated windows XP about a month before, ran several scans with no problems until the SABanks alert. I quarantined and deleted it. Now, I am not using Malwarebytes, still got the alert.... I wonder if you guys can help identifying this still as a possible false alarm, even without the malwarebytes, or should I start changing banks and credit card numbers? thanks for your help

#10 Tonito

Tonito
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 08 April 2009 - 03:04 PM

I updated my Webroot with their 1422 set of definitions last night and then ran another full scan of my system (the Trojan-Phisher-SABanks.Gen was still in Quarantine). It did NOT pick it up again so Chalky seems to be correct. By the by, Chalky, was Webroot sure that this was indeed a False positive though? Anyway, this was a very hefty definition and virus def. update because a couple things I did notice after this definition run was that on my full scan, it took like twice as long as it normally does to finish. Also, I noticed before running the scan and then seemingly all the way through it, the Internet Shield function in it wound up just finding and blocking a crap load of sites (to the tune of over 300)!! I haven't seen it go crazy like that as yet but, oh well. So, hopefully I am ok with this one as well. When I run a netstat -a I never noticed any unusual port numbers being active so that is another way to sometimes tell if you have a virus or trojan. I didn't notice any unusual activity there so again, hopefully it was false and we are OK. Thanks again for the posts. Keep them coming. I agree, this is a good Forum!
- Tonito

#11 zapfox

zapfox

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 09 April 2009 - 08:50 PM

I recently bought a warranty for a laptop from Best Buy and they performed a diagnostic and found "Trojan-Phisher-SABanks.Gen". Needless to say, I was more than a little concerned. The diagnostic report had this message at the bottom:

Webroot analysis tools scan users systems to uncover data on potential privacy threats. In connection with your use of the System Analyzer, Webroot Software warrants only that the information will be substantially accurate and complete. Webroot shall have no liability of any kind in connection with the acquisition, provision or use of any included information.

Is this instance of the "Trojan-Phisher-SABanks.Gen" a false positive as well, or could it be the real deal? Currently, none of my spyware removal programs (spybot S&D, Defender, etc) have found anything!

Thanks for any help you might offer!

#12 Tonito

Tonito
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 10 April 2009 - 10:25 AM

ZapFox:
I really don't know totally if this was/is a false positive or not. I left my entry in Quarantine and have updated the Webroot defs. twice now and run scans since the initial find. It hasn't found anything since. What I haven't done is release the Trojan-Phisher-SABanks.Gen from quarantine and then re-scan and see if it does detect it again as something malicious or pass it over as legitimate. I was hoping Chalky might put another post back on here about what Webroot said if indeed there was anything more from them on this. I am more than a little skittish about releasing it from quarantine. However, if it is malicious, I would think that Webroot would pick it up again and if not, no harm done. I saved the log so I can always just manually delete these registry entries again anytime. It only showed 2 of them as infected. So, I, like you, would like to know if this was indeed a false positive or not. Chalky, any more info????? Please respond and let us know.
Thanks...

#13 NaiveMelodyNYC

NaiveMelodyNYC

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:24 AM

Posted 10 April 2009 - 11:47 PM

On 4-6-09 I initially quarantined but later 'restored' the file (early 4-7-09 am) after reading Chalky White's fp. Waited for the new Webroot definitions of #1422 of 4-7-09, rescanned and had 'no' detections ever since. With a 'leap of faith' there are no further issues to report; my anti-virus, Malwarebytes, Spysweeper detect nothing with everyday scanning.
Plus as I originally linked > http://community.norton.com/norton/board/m...essage.id=45346 < this Norton forum user claims 'false positive.'
If any of you would like to send out for 'free email Webroot tech support' and post back/ copy/paste their "official" response that would be good.

Tonito - when you keep it in quarantine - any new scans should normally not detect anything anyhow. The real test would be to 'restore' from quarantine and then run scans, as I have.

ZapFox, if BestBuy "had not updated" their software definitions to #1422 - that may be the cause of his particular issue; otherwise it's hard to say for certain. I can only speak of 'home users' who know if they had updated to 1422.

I can tell you as a fact - Webroot has had at least one true verified false positive in the past years since I've had Webroot; and it is not 'unusual' for most security software to have false positives or conflict with each other every now and then.



