Monday, October 4, 2010

How to Detect and Remove the Trojan-Banker.Win32.Banbra

1. What is the Trojan-Banker.Win32.Banbra
Trojan-Banker.Win32.Banbra is a trojan built to steal online banking details. It enters the PC quietly and then downloads further malicious files from the Internet. It captures financial data such as credit card numbers and online banking logins by taking screenshots of the user's activity, and the additional components it downloads make it a severe risk to the affected computer.

a. File System Modifications
%AppData%\36383.js
%AppData%\hotfix.exe [file and pathname of the sample #1]
%AppData%\srsf.bat
Notes:
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
b. Memory Modifications
The following new processes were created in the system:

Process Name               | Process Filename                        | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1]   | 3,796,992 bytes
hotfix.exe                  | %AppData%\hotfix.exe                   | 3,796,992 bytes
c. Registry Modifications
The following registry key was created:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The following registry values were created:
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    WarnOnPost = 0x00000000
    WarnOnZoneCrossing = 0x00000000
    WarnOnPostRedirect = 0x00000000
    WarnonBadCertRecving = 0x00000000
  These zero values silence Internet Explorer's warnings about submitting form data over an insecure connection, moving between secure and insecure zones, redirected POSTs and invalid server certificates, so the victim sees no prompt while the banking session is tampered with.
  [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell = "%AppData%\hotfix.exe"
  This makes hotfix.exe run as the user's shell every time Windows starts.

The following registry value was deleted:
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    WarnOnPost = 01 00 00 00
  This is the original (binary) value, replaced by the zero value created above.
d. Other details
The following port was opened in the system:

Port | Protocol | Process
1053 | UDP      | [file and pathname of the sample #1]

An attempt to connect to a remote host was recorded. Connection details:

Remote Host    | Port Number
85.234.191.174 | 80

The data at the following URL was then requested from that web server:
http://85.234.191.174/zz.php?id=t_a_d_01

2. How-to's
a. Keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of this trojan, it breaks the connection to protect your network and business.
b. How to Remove the Trojan-Banker.Win32.Banbra Manually?
Step 1: The directories associated with the Trojan-Banker.Win32.Banbra.ukb variant to be deleted are listed below:
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS
%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\uk
%ProgramFiles%\Bulk Image Downloader\locale\tr\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\tr
%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sv
%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages
%ProgramFiles%\Bulk Image Downloader\locale\sr
%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sk

Step 2: The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed as follows:
HKEY_CURRENT_USER\Software\Javasoft\Ex
HKEY_CURRENT_USER\Software\Javasoft
HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader
HKEY_CURRENT_USER\Software\Antibody Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\Old_Current
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloader\shell\open\command

Note: the directories and keys in Steps 1 and 2 are the footprint of the Bulk Image Downloader application and of standard Internet Explorer settings (the User Agent and MenuExt keys), and they are given for the .ukb variant, not for the sample analysed in section 1; deleting the IE keys wholesale also removes the user's legitimate context-menu entries and user-agent settings. For the sample analysed above, the artifacts to remove are the hotfix.exe process, the three files under %AppData% (36383.js, hotfix.exe, srsf.bat), the HKEY_CURRENT_USER Winlogon Shell value that points at hotfix.exe, and the four zeroed Internet Settings warning values listed in section 1c. Deleting the per-user Shell value is enough: Windows then falls back to the machine-wide default shell, Explorer.exe.
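Pulling the indicators of section 1 and the removal steps of section 2b together, the following PowerShell script is an added example written for this article; it is not the post's own code and not a Sax2 tool. It checks a host for the process, files, registry values and network connection reported in section 1 and, when run with -Remove, reverts them. The file names, value names and the 85.234.191.174 address are taken from section 1; the script layout, the report format and the -Remove switch are assumptions. Run it as the affected user (the keys are under HKCU): `.\Banbra-Triage.ps1` to report, `.\Banbra-Triage.ps1 -Remove` to clean.

```powershell
# Banbra-Triage.ps1 -- added example for this article (not from the original post or Sax2).
# Indicators come from section 1 above; the structure, report format and -Remove switch
# are assumptions. Run as the affected user; -Remove also needs rights to stop the
# process and delete the files.
param([switch]$Remove)

$appData = $env:APPDATA   # the directory %AppData% refers to in section 1a

# Section 1a: files dropped by the sample
$files = @('36383.js', 'hotfix.exe', 'srsf.bat') | ForEach-Object { Join-Path $appData $_ }

# Section 1c: registry locations the sample modifies
$winlogon     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$warnValues   = 'WarnOnPost', 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving'
$policyRun    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

# Section 1d: command-and-control host the sample contacts
$c2Host = '85.234.191.174'

$findings = @()

# 1b: the running hotfix.exe process (Get-Process -Name takes the name without .exe).
# Stopped first so the executable is no longer locked when the file is deleted below.
foreach ($p in (Get-Process -Name 'hotfix' -ErrorAction SilentlyContinue)) {
    $findings += "Process : $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 1a: dropped files
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File    : $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 1c: Winlogon\Shell hijack. A per-user Shell value is not normally present; deleting it
# makes Windows fall back to the machine-wide default shell (Explorer.exe).
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -like '*hotfix.exe*') {
    $findings += "Registry: $winlogon\Shell = $shell"
    if ($Remove) { Remove-ItemProperty -Path $winlogon -Name 'Shell' }
}

# 1c: Internet Explorer warnings zeroed by the sample (DWORD 0). The zeroed values are
# removed so IE uses its defaults again; WarnOnPost gets back the binary 01 00 00 00
# value that section 1c shows the sample deleted.
foreach ($name in $warnValues) {
    $value = (Get-ItemProperty -Path $inetSettings -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -is [int] -and $value -eq 0) {
        $findings += "Registry: $inetSettings\$name = 0"
        if ($Remove) {
            Remove-ItemProperty -Path $inetSettings -Name $name
            if ($name -eq 'WarnOnPost') {
                New-ItemProperty -Path $inetSettings -Name $name -PropertyType Binary `
                    -Value ([byte[]](1, 0, 0, 0)) | Out-Null
            }
        }
    }
}

# 1c: the Policies\Explorer\Run key the sample creates. Reported only: the post does not
# list its values, so review them by hand before deleting anything here.
if (Test-Path $policyRun) {
    $key = Get-Item $policyRun
    $names = $key.GetValueNames()
    foreach ($n in $names) { $findings += "Registry: $policyRun\$n = $($key.GetValue($n))" }
    if ($names.Length -eq 0) { $findings += "Registry: $policyRun (empty key present)" }
}

# 1d: live connections to the command-and-control host
foreach ($line in (netstat -ano | Select-String -SimpleMatch $c2Host)) {
    $findings += "Network : $($line.Line.Trim())"
}

if ($findings.Count -eq 0) {
    'No Trojan-Banker.Win32.Banbra indicators found.'
} else {
    $findings
    if (-not $Remove) { 'Re-run with -Remove to stop the process, delete the files and revert the registry values.' }
}
```

The process is stopped before the files are deleted because a running hotfix.exe keeps its own image locked; the Run key under Policies\Explorer is only listed, since the analysis above records the key's creation but not its contents, and a blind delete there could remove an administrator's own policy entries.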
c. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even advanced malware. Among its features is a built-in protection monitor that blocks malicious processes before they start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
