How to Detect and Remove the Trojan-Banker.Win32.Banbra
Date: Oct 3rd, 2010 10:38:51 pm
Mood: daring


1. What is the Trojan-Banker.Win32.Banbra

Trojan-Banker.Win32.Banbra is a malicious Trojan designed to steal banking details. It uses stealth tactics to enter the PC and then downloads other harmful files from the Internet. It steals financial data such as credit card numbers and online banking login details by taking screen snapshots of user activity. Because it also downloads additional components, Trojan-Banker.Win32.Banbra poses a severe risk to the safety of the infected computer.


a. File System Modifications

%AppData%\36383.js

%AppData%\hotfix.exe [file and pathname of the sample #1]

%AppData%\srsf.bat

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

There were new processes created in the system:

Process Name                  Process Filename                        Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]    3,796,992 bytes
hotfix.exe                    %AppData%\hotfix.exe                    3,796,992 bytes

c. Registry Modifications

* The following Registry Key was created:
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


* The newly created Registry Values are:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ WarnOnPost = 0x00000000
+ WarnOnZoneCrossing = 0x00000000
+ WarnOnPostRedirect = 0x00000000
+ WarnonBadCertRecving = 0x00000000
o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Shell = "%AppData%\hotfix.exe"

so that hotfix.exe runs in place of the normal shell (explorer.exe) every time Windows starts


* The following Registry Value was deleted:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ WarnOnPost = 01 00 00 00
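
The following script is an added example and is not part of the original post; it turns the file and registry indicators from sections 1a to 1c into a read-only audit. It assumes the artifacts are still at the paths listed above and that it is run in the profile of the user whose machine is suspected, since every indicator lives under HKEY_CURRENT_USER or %AppData%.

```powershell
# Added example, not part of the original post: read-only audit for the host
# indicators in sections 1a-1c. Run it in the context of the user whose
# profile is suspected, since every artifact lives under HKCU / %AppData%.
function Test-BanbraIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1a: files dropped under %AppData%
    foreach ($name in '36383.js', 'hotfix.exe', 'srsf.bat') {
        $path = Join-Path $env:APPDATA $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings.Add([pscustomobject]@{ Type = 'File'; Item = $path; Value = $hash })
        }
    }

    # 1c: Winlogon Shell override. A clean profile normally has no Shell value
    # under HKCU; the system default (explorer.exe) is defined under HKLM.
    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = "$winlogon\Shell"; Value = $shell })
    }

    # 1c: the Policies\Explorer\Run key the sample created (absent on a clean profile)
    $policyRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path -Path $policyRun) {
        $entries = (Get-ItemProperty -Path $policyRun).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = $policyRun; Value = "key exists, $(@($entries).Count) value(s)" })
        foreach ($e in $entries) {
            $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = "$policyRun\$($e.Name)"; Value = $e.Value })
        }
    }

    # 1c: Internet Explorer warnings switched off (0 = warning disabled)
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inetProps = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    foreach ($v in 'WarnOnPost', 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
        if ($null -ne $inetProps -and $inetProps.PSObject.Properties[$v] -and $inetProps.$v -eq 0) {
            $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = "$inet\$v"; Value = 0 })
        }
    }

    return $findings
}

$result = Test-BanbraIndicators
if ($result.Count -eq 0) { 'No Banbra indicators found.' } else { $result | Format-Table -AutoSize }
```

A non-empty Shell value under HKCU that is not explorer.exe is the strongest signal here, because nothing legitimate normally sets it per user. The WarnOn* values are weaker evidence on their own: they can also read 0 after user configuration or on some Internet Explorer versions, so compare them against a known-clean profile before acting on them.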


d. Other details

* The following port was open in the system:

Port   Protocol   Process
1053   UDP        [file and pathname of the sample #1]

* An attempt to establish a connection with a remote host was recorded. The connection details are:

Remote Host       Port Number
85.234.191.174    80

* The data identified by the following URL was then requested from the remote web server:
o http://85.234.191.174/zz.php?id=t_a_d_01
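
The following script is an added example, not part of the original post, showing how the network indicators from section 1d can be searched for in web proxy or firewall logs. The log format (date, time, client address, method, URL, status) and the log lines themselves are constructed for the example; adapt the field split to your own log layout.

```powershell
# Added example, not part of the original post: search proxy log lines for the
# remote host and request URL documented in section 1d.
$indicators = @{
    Host = '85.234.191.174'
    Path = '/zz.php?id=t_a_d_01'
    Port = 80
}

# Constructed sample log lines: date time client method url status
$sampleLog = @(
    '2010-10-03 22:10:11 10.0.0.15 GET http://www.example.com/index.html 200',
    '2010-10-03 22:11:42 10.0.0.15 GET http://85.234.191.174/zz.php?id=t_a_d_01 200',
    '2010-10-03 22:11:50 10.0.0.22 GET http://85.234.191.174/other.php 404',
    '2010-10-03 22:12:05 10.0.0.31 POST http://www.example.org/login 302'
)

function Find-BanbraBeacons {
    param(
        [string[]]$Lines,
        [hashtable]$Ioc
    )
    # -match takes a regex, so escape the dots in the IP and the '?' in the path
    $hostPattern = [regex]::Escape($Ioc.Host)
    $pathPattern = [regex]::Escape($Ioc.Path)

    foreach ($line in $Lines) {
        if ($line -match $hostPattern) {
            # The full check-in URL is a stronger match than the host alone
            $verdict = if ($line -match $pathPattern) { 'High: known check-in URL' } else { 'Medium: contact with C2 host' }
            [pscustomobject]@{
                Client  = ($line -split ' ')[2]
                Verdict = $verdict
                Line    = $line
            }
        }
    }
}

Find-BanbraBeacons -Lines $sampleLog -Ioc $indicators | Format-Table -AutoSize
# Against a real log file:
# Find-BanbraBeacons -Lines (Get-Content 'C:\logs\proxy.log') -Ioc $indicators
```

With the constructed input, the function reports two lines: the 10.0.0.15 request for the exact zz.php URL as a high-confidence match and the 10.0.0.22 request to the same host as a medium one. The address was observed in 2010 and may since have been reassigned, so a hit on the host alone should be confirmed against the other indicators on this page rather than treated as proof of infection.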


2. How-to's

a. Keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these trojans, it will break those connections and help keep your network and business secure.
b. How to Remove the Trojan-Banker.Win32.Banbra Manually?

Step 1 : The associated files of Trojan-Banker.Win32.Banbra.ukb to be deleted are listed below:
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS
%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\uk
%ProgramFiles%\Bulk Image Downloader\locale\tr\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\tr
%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sv
%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages
%ProgramFiles%\Bulk Image Downloader\locale\sr
%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sk

Step 2 : The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed as follows:
HKEY_CURRENT_USER\Software\Javasoft\Ex
HKEY_CURRENT_USER\Software\Javasoft
HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader
HKEY_CURRENT_USER\Software\Antibody Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\Old_Current
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloader\shell\open\command
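
As an added example that is not part of the original post, the script below scripts the manual removal of the artifacts documented in section 1 of this page: it stops the running dropper, removes the Winlogon Shell override and the Policies\Explorer\Run key, re-enables the four Internet Explorer warnings, and deletes the dropped files. It deliberately does not touch the paths and keys in Step 1 and Step 2 above, which belong to the Bulk Image Downloader application named in them; check whether that application is legitimately installed before deleting any of those. The script assumes the artifacts are still at the locations listed in section 1, and it supports -WhatIf so the actions can be previewed first.

```powershell
# Added example, not part of the original post: remove the artifacts listed in
# section 1 (files, persistence, disabled IE warnings). Run in the affected
# user's context. Preview with -WhatIf before running for real.
function Remove-BanbraArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $inet      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $winlogon  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policyRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

    # 1. Stop the running dropper so its file can be deleted afterwards
    Get-Process -Name hotfix -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("PID $($_.Id) ($($_.Path))", 'Stop process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

    # 2. Remove the per-user Shell override; the HKLM default (explorer.exe) applies again
    if ((Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess("$winlogon\Shell", 'Remove value')) {
        Remove-ItemProperty -Path $winlogon -Name Shell
    }

    # 3. Remove the policy Run key the sample created
    if ((Test-Path -Path $policyRun) -and $PSCmdlet.ShouldProcess($policyRun, 'Remove key')) {
        Remove-Item -Path $policyRun -Recurse
    }

    # 4. Re-enable the warnings the sample switched off (1 = warn).
    #    Section 1c shows WarnOnPost was 1 before the infection.
    foreach ($v in 'WarnOnPost', 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
        if ($PSCmdlet.ShouldProcess("$inet\$v", 'Set to 1')) {
            Set-ItemProperty -Path $inet -Name $v -Value 1 -Type DWord
        }
    }

    # 5. Delete the dropped files from %AppData%
    foreach ($name in '36383.js', 'hotfix.exe', 'srsf.bat') {
        $path = Join-Path $env:APPDATA $name
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Preview the actions first, then run without -WhatIf:
Remove-BanbraArtifacts -WhatIf
# Remove-BanbraArtifacts
```

Removing the HKCU Shell value rather than setting it to explorer.exe restores the normal state, in which the per-user value is absent and the system-wide one under HKLM is used. Since the sample also downloads additional components, a clean result from this script does not by itself mean the machine is clean; follow it with a full scan as described in the next section.
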

c. How to Remove These Trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
Content Copyrighted devidhuang at Aeonity Blog