Banker.FLO is a Trojan that monitors Internet traffic generated when the user accesses web pages related with online banks. The Trojan logs keystrokes made when logging into these financial websites and captures the user names and passwords, which are sent by email to the creator of the malicious code.

Banker.FLO cannot spread automatically using its own means and needs an attacker to distribute it. Typically it is spread using floppy disks, peer-to-peer networks, email messages, Internet downloads, etc. This Trojan is difficult to detect as it does not display any type of message warning of its presence.

The other Trojan reported is the TnegA.A. This is a backdoor Trojan that connects to a server in order to provide remote access to infected computers, compromising confidentiality and preventing users from operating the computer normally.

This malicious code prevents users from accessing certain web pages, in particular those belonging to antivirus companies, it also prevents certain monitoring and configuration tools from running, such as Windows Registry Editor.

TnegA.A requires the intervention of an attacker in order to spread. As is typical in this type of malware, it can propagate on a range of media including CD-ROMs, Internet downloads or IRC channels.

The IrcBot.AIV has backdoor characteristics, as it connects to an IRC to receive remote commands and execute them on the computer on which it is hosted. To infect other systems, this worm installs its own FTP server on the infected computer.

IrcBot.AIV uses two means of propagation. First it creates copies of itself in shared network resources to which it has access. Alternatively, it spreads across the Internet exploiting the LSASS, RPC DCOM, and UPnP vulnerabilities. For this reason, it is advisable to download the security patches that fix these vulnerabilities from Microsoft’s website.

Finally, the report ends with the WKSSVC malicious code, based on vulnerability in the WKSSVC.DLL file on computers with Windows XP/2000. If a computer is vulnerable to WKSSVC, it could allow hackers to run code remotely.

To fix this vulnerability, it is advisable to download and install the patch for the vulnerability in the Workstation Service, included in the Microsoft MS06-070 bulletin. This update can be downloaded free of charge from the following address:

Users wanting to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free solution available at This provides a complete inspection of computer viruses on the pc and is free of charge.