
subject: How to Detect and Remove the Trojan-Banker.Win32.Banbra


1. What is the Trojan-Banker.Win32.Banbra

Trojan-Banker.Win32.Banbra is a banking trojan built to steal financial data such as credit card numbers and online-banking credentials, in part by taking screenshots of the user's activity. It installs itself quietly and then downloads further components from the Internet, so a single detection usually means more than one malicious file is on the machine. The analysis below is of one sample ("sample #1"); the file, registry and network artifacts it lists are the indicators to look for.

a. File System Modifications

%AppData%\36383.js

%AppData%\hotfix.exe [file and pathname of the sample #1]

%AppData%\srsf.bat

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

The following new processes were created on the system. The dropped hotfix.exe has exactly the same main-module size as the original sample, which is consistent with it being a copy of the sample written to %AppData%:

Process Name                  Process Filename                       Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]   3,796,992 bytes
hotfix.exe                    %AppData%\hotfix.exe                   3,796,992 bytes

c. Registry Modifications

The following Registry Key was created (a policy-controlled autostart location that is not present on a default user profile):

o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The newly created Registry Values are:

o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

+ WarnOnPost = 0x00000000

+ WarnOnZoneCrossing = 0x00000000

+ WarnOnPostRedirect = 0x00000000

+ WarnonBadCertRecving = 0x00000000

These four values switch off Internet Explorer's prompts for form submissions, security-zone changes, redirected POSTs and invalid server certificates, so the victim gets no warning while credentials are posted to an attacker-controlled or spoofed page.

o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

+ Shell = "%AppData%\hotfix.exe"

This per-user Shell value replaces the normal logon shell (explorer.exe) for the affected user, so hotfix.exe runs every time that user logs on. A clean profile has no Shell value under HKEY_CURRENT_USER at all; the system default lives under HKEY_LOCAL_MACHINE.

The following Registry Value was deleted (it was re-created as the REG_DWORD zero listed above):

o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

+ WarnOnPost = 01 00 00 00

d. Other details

The following port was open on the system (a port in the dynamic range, so the number may differ between runs and is not a reliable indicator on its own):

Port   Protocol   Process
1053   UDP        [file and pathname of the sample #1]

An attempt to connect to the following remote host was recorded:

Remote Host       Port Number
85.234.191.174    80

The following URL was then requested from that web server over plain HTTP; the IP address, the zz.php path and the fixed id parameter are the indicators to search for in proxy and firewall logs:

http://85.234.191.174/zz.php?id=t_a_d_01

2. How-to's

a. Keep the Sax2 policy knowledge base (its detection signatures) up to date. Once Sax2 detects the network communication of these trojans it breaks the connection, protecting your network and business.

b. How to Remove the Trojan-Banker.Win32.Banbra Manually?

Step 1 : The associated files of Trojan-Banker.Win32.Banbra.ukb to be deleted are listed below. Note that this list is for a different variant (.ukb) than the hotfix.exe sample analysed in section 1, and that the entries are the locale directories of the Bulk Image Downloader application (Antibody Software). Confirm that this application is the infected or bundled component before deleting anything, and in any case remove the section 1 artifacts as well (%AppData%\hotfix.exe, %AppData%\srsf.bat, %AppData%\36383.js and the Winlogon Shell value):

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS

%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\uk

%ProgramFiles%\Bulk Image Downloader\locale\r\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\r

%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\sv

%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages

%ProgramFiles%\Bulk Image Downloader\locale\sr

%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES

%ProgramFiles%\Bulk Image Downloader\locale\sk

Step 2 : The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed as follows. Most of them are the Bulk Image Downloader application's own keys (its uninstall entry, file-type registration and Internet Explorer context-menu extensions), and the two Internet Settings\User Agent keys are standard Internet Explorer keys present on every Windows installation. Do not delete those wholesale; remove only values that the infection added, and back up each key (reg export) before removing it:

HKEY_CURRENT_USER\Software\Javasoft\Ex

HKEY_CURRENT_USER\Software\Javasoft

HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader

HKEY_CURRENT_USER\Software\Antibody Software

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\Old_Current

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open\command

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloader\shell\open\command
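The following PowerShell script is an added example, not part of the original write-up or of any Sax2 tool. It turns the section 1 indicators (the three dropped files, the per-user Winlogon Shell hijack, the zeroed Internet Explorer WarnOn* values, the Policies\Explorer\Run key, the hotfix.exe process and any connection to 85.234.191.174) into a triage check for one user profile, and with -Remediate performs the section 2b cleanup for that sample. It assumes it is run as the affected user (HKCU and %AppData% are per-user) and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later; on older systems substitute netstat -ano). All file names, registry values and the C2 address are taken from the page.

```powershell
# Added example (not from the original write-up): triage one Windows user
# profile for the sample-1 indicators listed in section 1 and, with
# -Remediate, remove them. Assumptions: run as the affected user (HKCU and
# %AppData% are per-user); Get-NetTCPConnection needs Windows 8 / Server 2012
# or later; file names, registry values and the C2 address are from the page.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$appData    = $env:APPDATA
$files      = @("$appData\hotfix.exe", "$appData\srsf.bat", "$appData\36383.js")
$winlogon   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$inetSet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$polRun     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$warnValues = 'WarnOnPost', 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving'
$c2         = '85.234.191.174'
$hits       = @()

# 1. Dropped files in the user's roaming AppData directory
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
}

# 2. Per-user Winlogon Shell override. A clean profile has no Shell value under
#    HKCU at all; the system-wide default (explorer.exe) lives under HKLM.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $hits += "winlogon shell: $shell" }

# 3. Browser security prompts switched off. Only flag REG_DWORD zeros: the
#    original WarnOnPost was REG_BINARY 01 00 00 00, which is not a hit.
$ie = Get-ItemProperty -Path $inetSet -ErrorAction SilentlyContinue
foreach ($name in $warnValues) {
    if ($ie -and $ie.PSObject.Properties[$name]) {
        $v = $ie.$name
        if ($v -is [int] -and $v -eq 0) { $hits += "ie warning disabled: $name" }
    }
}

# 4. Policies\Explorer\Run key created by the sample (absent on a default profile);
#    record its value names so the analyst can see what it would have launched.
if (Test-Path -Path $polRun) {
    $entries = (Get-Item -Path $polRun).GetValueNames() -join ', '
    $hits += "registry key present: $polRun [$entries]"
}

# 5. Running dropper and live connections to the C2 host
$proc = Get-Process -Name hotfix -ErrorAction SilentlyContinue
if ($proc) { $hits += "process: hotfix.exe (PID $($proc.Id -join ','))" }
$conn = Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue
if ($conn) {
    $hits += "connection to ${c2}:$($conn.RemotePort -join ',') from PID $($conn.OwningProcess -join ',')"
}

if ($hits.Count -eq 0) { Write-Output 'No Banbra (sample 1) indicators found.'; return }
$hits | ForEach-Object { Write-Output "HIT  $_" }
if (-not $Remediate) { Write-Output 'Re-run with -Remediate to clean up.'; return }

# Cleanup. Stop the process first so it cannot re-create files or values.
if ($proc) { $proc | Stop-Process -Force }
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
}
# Deleting the per-user Shell value makes Winlogon fall back to the HKLM default.
Remove-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue
if (Test-Path -Path $polRun) { Remove-Item -Path $polRun -Recurse -Force }
foreach ($name in $warnValues) {
    Set-ItemProperty -Path $inetSet -Name $name -Value 1 -Type DWord
}
Write-Output 'Cleanup done. Log off and on again, then re-run without -Remediate to confirm.'
```

Run it once without -Remediate to see what it finds; the hit list is also what to record for the incident. The cleanup restores the four IE values as REG_DWORD 1 rather than the original REG_BINARY form of WarnOnPost, which current Windows versions accept, and removes the Shell value instead of setting it to explorer.exe so that the profile returns to its default state.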

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even advanced malware. Among its features is a built-in protection monitor that blocks malicious processes before they start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware (as with any security tool, prefer the vendor's own download site and verify the installer before running it).

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

By: andy.J