How to Detect and Remove the Trojan-Banker.Win32.Banbra
Date: Oct 3rd, 2010 10:38:51 pm
Mood: daring

1. What is the Trojan-Banker.Win32.Banbra

Trojan-Banker.Win32.Banbra is a malicious Trojan designed to steal banking details. It enters the PC using stealth tactics and then downloads other harmful files from the Internet. It steals financial data such as credit card numbers and online banking login details by taking screen snapshots of user activity, and the additional components it downloads make it a severe risk to the security of the computer.

a. File System Modifications

%AppData%\hotfix.exe [file and pathname of the sample #1]

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

There were new processes created in the system:

Process Name                 Process Filename                       Main Module Size
[filename of the sample #1]  [file and pathname of the sample #1]   3,796,992 bytes
hotfix.exe                   %AppData%\hotfix.exe                   3,796,992 bytes

c. Registry Modifications

* The following Registry Key was created:
    o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

* The newly created Registry Values are:
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        + WarnOnPost = 0x00000000
        + WarnOnZoneCrossing = 0x00000000
        + WarnOnPostRedirect = 0x00000000
        + WarnonBadCertRecving = 0x00000000
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        + Shell = "%AppData%\hotfix.exe"
      so that hotfix.exe runs every time Windows starts

* The following Registry Value was deleted:
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        + WarnOnPost = 01 00 00 00

d. Other details

The following port was open in the system:

Port   Protocol   Process
1053   UDP        [file and pathname of the sample #1]

An attempt to establish a connection with a remote host was recorded. The connection details are:

Remote Host Port Number 80

The data identified by the following URL was then requested from the remote web server:

2. How-to's

a. Keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these trojans, it will break the connection and keep your network and business secure.

b. How to Remove the Trojan-Banker.Win32.Banbra Manually?

Step 1 : The associated files of Trojan-Banker.Win32.Banbra.ukb to be deleted are listed below:
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS
%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\uk
%ProgramFiles%\Bulk Image Downloader\locale\tr\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\tr
%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sv
%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages
%ProgramFiles%\Bulk Image Downloader\locale\sr
%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sk

Step 2 : The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed as follows:
HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader
HKEY_CURRENT_USER\Software\Antibody Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1
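The following PowerShell script is an added example, not part of the original post or of any vendor tool. It audits the logged-on user's profile for the indicators listed in section 1 (the dropped %AppData%\hotfix.exe, the Winlogon Shell override, the zeroed WarnOn* values and the Policies\Explorer\Run key) and, when run with -Remediate, reverses those changes in the manner of the manual removal steps above. Assumptions that the post does not state: a per-user Winlogon Shell value is abnormal and can simply be removed so the machine-wide default applies, the WarnOn* values are restored to DWORD 1, and the Policies\Explorer\Run key did not exist before the infection. Run it elevated; it supports -WhatIf.

```powershell
# Added example (not from the original post): audit for the Banbra indicators
# from section 1 and optionally undo the persistence changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$AppData      = [Environment]::GetFolderPath('ApplicationData')   # %AppData%
$DroppedFile  = Join-Path $AppData 'hotfix.exe'
$WinlogonKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$InetKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyRunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$WarnValues   = 'WarnOnPost', 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving'

$findings = New-Object System.Collections.Generic.List[string]

# Indicator 1: dropped file %AppData%\hotfix.exe
if (Test-Path -LiteralPath $DroppedFile) {
    $findings.Add("dropped file present: $DroppedFile")
}

# Indicator 2: the dropped file running as a process
$procs = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $DroppedFile) })
foreach ($p in $procs) {
    $findings.Add("running process $($p.Name) (PID $($p.Id)) from $($p.Path)")
}

# Indicator 3: per-user Winlogon Shell pointing somewhere other than explorer.exe
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
$shellHijacked = [bool]($shell -and ($shell -notmatch '^\s*explorer\.exe\s*$'))
if ($shellHijacked) {
    $findings.Add("Winlogon Shell overridden: '$shell'")
}

# Indicator 4: Internet Explorer warning prompts switched off (value 0).
# The report shows WarnOnPost both as a DWORD and as raw bytes, so accept either form.
foreach ($name in $WarnValues) {
    $v = (Get-ItemProperty -Path $InetKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { continue }
    $isZero = if ($v -is [byte[]]) { @($v | Where-Object { $_ -ne 0 }).Count -eq 0 } else { [int]$v -eq 0 }
    if ($isZero) { $findings.Add("$name is 0 (security warning disabled)") }
}

# Indicator 5: policy-based autorun key that the sample created
if (Test-Path -LiteralPath $PolicyRunKey) {
    $entries = (Get-Item -LiteralPath $PolicyRunKey).GetValueNames() -join ', '
    $findings.Add("$PolicyRunKey exists (values: $entries)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan-Banker.Win32.Banbra indicators found.'
    return
}
$findings | ForEach-Object { Write-Output "[!] $_" }
if (-not $Remediate) {
    Write-Output 'Re-run with -Remediate (elevated) to undo the persistence changes.'
    return
}

# Remediation: stop the process first so the file delete succeeds.
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
}
if ((Test-Path -LiteralPath $DroppedFile) -and $PSCmdlet.ShouldProcess($DroppedFile, 'Remove-Item')) {
    Remove-Item -LiteralPath $DroppedFile -Force
}
if ($shellHijacked -and $PSCmdlet.ShouldProcess("$WinlogonKey\Shell", 'Remove-ItemProperty')) {
    # Assumption: dropping the per-user override restores the machine-wide shell.
    Remove-ItemProperty -Path $WinlogonKey -Name Shell
}
foreach ($name in $WarnValues) {
    if ($PSCmdlet.ShouldProcess("$InetKey\$name", 'Set to DWORD 1')) {
        Set-ItemProperty -Path $InetKey -Name $name -Value 1 -Type DWord   # assumed pre-infection value
    }
}
if ((Test-Path -LiteralPath $PolicyRunKey) -and $PSCmdlet.ShouldProcess($PolicyRunKey, 'Remove-Item')) {
    Remove-Item -LiteralPath $PolicyRunKey -Recurse -Force   # assumed absent before infection
}
Write-Output 'Remediation complete; reboot and re-run the audit to confirm.'
```

Because HKCU is per user, run the audit as each account that logs on to the machine; the process and file checks are the same regardless of user. The -WhatIf switch prints every registry and file change without applying it, which is useful for confirming what the script would touch before remediating a production workstation.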

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Download Malwarebytes' Anti-Malware to help you.

3. Appendix

For more information, please visit