How to Detect and Remove the Trojan-Banker.Win32.Banbra

1. What is the Trojan-Banker.Win32.Banbra

Trojan-Banker.Win32.Banbra is a malicious Trojan designed to steal banking details. Trojan-Banker.Win32.Banbra uses stealth tactics to enter the PC before downloading other harmful files from the Internet. Trojan-Banker.Win32.Banbra steals financial data like credit card numbers and online banking login details by taking screen snapshots of user activity. Trojan-Banker.Win32.Banbra also downloads additional components and poses a severe security risk to computer safety.

a. File System Modifications

%AppData%\36383.js

%AppData%\hotfix.exe [file and pathname of the sample #1]

%AppData%\srsf.bat

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

There were new processes created in the system:

Process Name                   Process Filename                       Main Module Size
[filename of the sample #1]    [file and pathname of the sample #1]   3,796,992 bytes
hotfix.exe                     %AppData%\hotfix.exe                   3,796,992 bytes

c. Registry Modifications

The following Registry Key was created:

o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The newly created Registry Values are:

o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

+ WarnOnPost = 0x00000000

+ WarnOnZoneCrossing = 0x00000000

+ WarnOnPostRedirect = 0x00000000

+ WarnonBadCertRecving = 0x00000000

o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

+ Shell = "%AppData%\hotfix.exe"

(so that hotfix.exe runs every time Windows starts)

The following Registry Value was deleted:

o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

+ WarnOnPost = 01 00 00 00

d. Other details

The following port was open in the system:

Port   Protocol   Process
1053   UDP        [file and pathname of the sample #1]

An attempt to establish a connection with a remote host was registered. The connection details are:

Remote Host      Port Number
85.234.191.174   80

The data identified by the following URL was then requested from the remote web server:

http://85.234.191.174/zz.php?id=t_a_d_01
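A read-only PowerShell audit for the host indicators listed in section 1 (an added example, not from the original article or from Sax2). It assumes PowerShell 3 or later run in the affected user's session, since the keys are under HKEY_CURRENT_USER; Get-NetTCPConnection and Get-NetUDPEndpoint need Windows 8 / Server 2012 or newer.

```powershell
# Added example (not from the original article): audit this host for the
# Trojan-Banker.Win32.Banbra indicators above. It only reports; it removes nothing.
$findings = @()

# a. Dropped files in %AppData%
foreach ($name in '36383.js', 'hotfix.exe', 'srsf.bat') {
    $p = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# c. Winlogon Shell hijack. The Windows default value is "explorer.exe".
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell overridden: $shell" }

# c. Policies\Explorer\Run key created by the sample (normally absent on a clean user profile)
$polRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path -LiteralPath $polRun) {
    $vals = Get-ItemProperty -Path $polRun | Select-Object -Property * -ExcludeProperty PS*
    $findings += "Policies\Explorer\Run exists: $(($vals | Out-String).Trim())"
}

# c. Internet Explorer security warnings silenced. The sample rewrites the values as
# REG_DWORD 0; on older systems the original is REG_BINARY (01 00 00 00), so normalise both.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($v in 'WarnOnPost', 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
    $val = (Get-ItemProperty -Path $ie -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -is [byte[]]) { $val = [BitConverter]::ToInt32($val, 0) }
    if ($null -ne $val -and [int]$val -eq 0) { $findings += "$v is 0 (warning disabled)" }
}

# d. Live TCP connection to the remote host reported in the sandbox run
$c2 = '85.234.191.174'
$conn = Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue
if ($conn) { $findings += "Connection to ${c2}:$($conn.RemotePort -join ',') by PID $($conn.OwningProcess -join ',')" }

# d. UDP endpoint on port 1053, which the sample opened
$udp = Get-NetUDPEndpoint -LocalPort 1053 -ErrorAction SilentlyContinue
if ($udp) { $findings += "UDP endpoint on port 1053 owned by PID $($udp.OwningProcess -join ',')" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Trojan-Banker.Win32.Banbra indicators found.' }
```

Any hit on the Shell value or the Policies\Explorer\Run key should be treated as persistence and examined before the host is rebooted, because the listed executable is launched at the next logon.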

2. How-to's

a. Please update the Sax2 policy knowledge base in time. Once Sax2 detects the communication of these trojans, it will break the connections and ensure your network and business security.

b. How to Remove the Trojan-Banker.Win32.Banbra Manually?

Step 1: The files associated with Trojan-Banker.Win32.Banbra.ukb that need to be deleted are listed below:

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS

%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\uk

%ProgramFiles%\Bulk Image Downloader\locale\r\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\r

%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\sv

%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages

%ProgramFiles%\Bulk Image Downloader\locale\sr

%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\sk

Step 2: The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed as follows:

HKEY_CURRENT_USER\Software\Javasoft\Ex

HKEY_CURRENT_USER\Software\Javasoft

HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader

HKEY_CURRENT_USER\Software\Antibody Software

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\Old_Current

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open\command

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloader\shell\open\command

c. How to Remove These Trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

By: andy.J