TSPY_BANKER-2.001


Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

High

Information exposure:

High
 

Description:

This spyware can be downloaded from the Internet by unsuspecting users when visiting malicious Web sites.

Its variants display a decoy error message claiming that the file failed to execute, so that the user believes nothing was installed.

{Screenshot: decoy error message}

(Note: The title bar of the error message box shows the name of the executed file.)

This spyware monitors Internet Explorer windows on the affected system. When the title bar of a window, or the URL being accessed, contains any of a list of hardcoded strings (see Information Theft Routine below), it opens a spoofed login window.

The spoofed window reproduces the login portion of the legitimate site and is drawn over the real login area at a fixed screen position, so the user believes the Internet Explorer window merely shows an error and that logging in is still possible. Credentials entered there, such as user names and passwords, are captured by the spyware's keystroke logging.

This spyware targets any of the following online banking sites:

  • Banco Bradesco
  • Banco Caixa
  • Banco do Brasil
  • Banco Itau
  • Banco Real
  • Banco Serasa
  • Caixa Economica
  • Citibank
  • Equifax
  • Infoseg
  • Paypal
  • Santander Banespa
  • Serasa
  • Unibanco

It steals user names and passwords for the affected user's online banking accounts and sends them out with its own Simple Mail Transfer Protocol (SMTP) engine, relaying through the public mail servers gsmtp185.google.com and smtp.mail.yahoo.com.

Because it carries its own SMTP engine, it can send these messages without using an installed email client such as MS Outlook.



TECHNICAL DETAILS



File type: PE

Memory resident: Yes  

Compression type: Expressor, PECompact, Telock, Yoda's Protector

File size: Varies

Payload 1: Displays fake login console

Details:

Infection Points

This spyware can be downloaded from the Internet by unsuspecting users when visiting malicious Web sites.

Its variants use any of the following icons in order to trick the user into thinking that this spyware is a non-malicious file:

{Screenshot: icons used by variants, imitating installers, MSN Messenger, Regedit and update programs}

Installation and Autostart Techniques

Upon execution, this spyware displays a decoy error message claiming that the file failed to execute.

{Screenshot: decoy error message}

(Note: The title bar of the error message box shows the name of the executed file.)

It drops a copy of itself under any of the following file names in the Windows folder, the Windows system folder, or the Startup folder:

  • %Windows%\Downloaded Program Files\Appstart.exe
  • %Windows%\Media\7u560.exe
  • 7u560.exe
  • ACER.exe
  • Avsgccs.scr
  • C:\WINDOWS\Downloaded Program Files\Appstart.exe
  • Debug\javaws.exe
  • disk10.exe
  • ExAlien.exe
  • Flash.exe
  • Help.exe
  • HelpDesk.exe
  • imgrt.scr
  • LNK_DADOS_1.DLL
  • MICROSOFTUPDATE.EXE
  • MICROSOFTUPDATE02.EXE
  • MICROSOFTUPDATE03.EXE
  • MICROSOFTUPDATE04.EXE
  • MICROSOFTUPDATE05.EXE
  • Media\ww7zip.exe
  • Mscheldbnp.scr
  • Mscheldncx.scr
  • MsMsgr.exe
  • MsnMsgr.exe
  • Mwsx.exe
  • My_Love.exe
  • Nostd.scr
  • Plugin.scr
  • Rundll.exe
  • Sms.exe
  • Svchost.exe
  • sysk.exe
  • WINDOWSUPDATE.EXE
  • Wapp.exe
  • Windll.exe
  • Wsmi.exe
  • avp.exe
  • bsyys.scr
  • csrrs.exe
  • ctfmonm.exe
  • drivers\System.exe
  • jusched.exe
  • msmsgr.exe
  • ntokrnl.exe
  • scvhost.exe
  • service.exe
  • smss.exe
  • system32.exe
  • systray.scr
  • update.cmd
  • win.scr
  • windows.exe
  • windows32.exe
  • winutade.exe
  • wsnctfy.exe
  • {Executed malware file name}.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. {Executed malware file name} is the file name of the malware when first executed in the system.)

It also drops copies in a hardcoded path and file name:

  • C:\WINDOWS\Debug\jusched.exe
  • C:\Windows\Avsgccs.scr
  • C:\Windows\Mwsx.scr
  • c:\windows\Helper.exe

If the said directory does not exist, this spyware fails to drop the said copy.
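Most names in the drop list above are chosen to blend in: either a near-miss of a real Windows binary (scvhost.exe, csrrs.exe, ntokrnl.exe, Isass.scr) or a real name placed in a folder the real binary never uses (%Windows%\svchost.exe, %Windows%\smss.exe). The following added example (not part of the advisory) checks a file listing for both patterns. The known-good table and the sample listing are constructed and cover only a handful of system binaries; extend the table for a real investigation.

```python
"""Flag dropped-file names that imitate or misplace Windows system binaries.

Added example, not part of the advisory. Given (directory, filename) pairs
from a directory listing or process dump, it reports names that are one
edit away from a real system binary, system binaries sitting outside their
normal folder, and .scr files whose stem spells a system binary. The
known-good table and the sample listing below are constructed.
"""
import ntpath

# Legitimate Windows binaries and the folder (last path component) they live in on NT-based systems.
KNOWN_GOOD = {
    "svchost.exe": "system32",
    "csrss.exe": "system32",
    "lsass.exe": "system32",
    "smss.exe": "system32",
    "ntoskrnl.exe": "system32",
    "userinit.exe": "system32",
    "ctfmon.exe": "system32",
    "systray.exe": "system32",
    "rundll32.exe": "system32",
}

def edit_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitution or
    swap of two adjacent characters each costs 1, so scvhost.exe is 1 from svchost.exe."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]

def classify(directory, filename):
    """Return (verdict, reference name).

    verdict: 'misplaced'         exact system binary name outside its normal folder
             'lookalike'         one edit away from a system binary name
             'screensaver-alias' a system binary's stem with a .scr extension
             None                nothing suspicious under these rules
    """
    name = filename.lower()
    folder = ntpath.basename(directory.rstrip("\\/")).lower()
    stem, ext = ntpath.splitext(name)
    if name in KNOWN_GOOD:
        return (None, name) if KNOWN_GOOD[name] == folder else ("misplaced", name)
    for good in KNOWN_GOOD:
        if ext == ".scr" and edit_distance(stem, ntpath.splitext(good)[0]) <= 1:
            return ("screensaver-alias", good)
        if edit_distance(name, good) == 1:
            return ("lookalike", good)
    return (None, None)

def scan(entries):
    """Classify every (directory, filename) pair; return only hits as (path, verdict, reference)."""
    hits = []
    for directory, filename in entries:
        verdict, ref = classify(directory, filename)
        if verdict:
            hits.append((directory.rstrip("\\") + "\\" + filename, verdict, ref))
    return hits

# Constructed listing: legitimate files mixed with names taken from the drop list above.
SAMPLE = [
    (r"C:\WINDOWS\system32", "svchost.exe"),   # legitimate
    (r"C:\WINDOWS", "svchost.exe"),            # %Windows%\svchost.exe
    (r"C:\WINDOWS", "smss.exe"),               # %Windows%\smss.exe
    (r"C:\WINDOWS\system32", "scvhost.exe"),   # transposed letters
    (r"C:\WINDOWS\system32", "csrrs.exe"),     # one letter changed
    (r"C:\WINDOWS\system32", "ntokrnl.exe"),   # one letter dropped
    (r"C:\WINDOWS\system32", "ctfmonm.exe"),   # one letter added
    (r"C:\WINDOWS\system32", "Isass.scr"),     # capital I for l, .scr extension
    (r"C:\WINDOWS\system32", "notepad.exe"),   # legitimate, not in the table
]

if __name__ == "__main__":
    for path, verdict, ref in scan(SAMPLE):
        print(f"{verdict:<18} {path}  (cf. {ref})")
```

The edit-distance rule deliberately uses optimal string alignment rather than plain Levenshtein: a swapped pair such as scvhost/svchost costs 2 under Levenshtein and would slip through a distance-1 threshold.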

It creates the following registry keys and entries so that it runs automatically at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
7u560 = "%System%\7u560.exe"
7u560 = "%Windows%\Media\7u560.exe"
Appstart = "%Windows%\Downloaded Program Files\Appstart.exe"
Appstart = "C:\WINDOWS\Downloaded Program Files\Appstart.exe"
Desknot = "{Malware path and file name}"
Flash = "C:\Arquivos de programas\Flash.exe"
GlobalFlagACER = "%System%\ACER.exe"
HelpDesk = "%Windows%\HelpDesk.exe"
ISS = "%System%\svchost.exe"
JavaScriptMs = "%Windows%\Mwsx.exe"
JavaScriptMs = "C:\Windows\Mwsx.scr"
MicrosoftUpdate = "%System%\MicrosoftUpdate.exe"
MicrosoftUpdate02 = "%System%\MicrosoftUpdate02.exe"
MicrosoftUpdate03 = "%System%\MicrosoftUpdate03.exe"
MicrosoftUpdate04 = "%System%\MicrosoftUpdate04.exe"
MicrosoftUpdate05 = "%System%\MicrosoftUpdate05.exe"
MsMsgr = "%system%\MsMsgr.exe"
MsnMsg = "%System%\MsnMsgr.exe"
MultifunctionAdapter = "%System%\{Executed malware file name}.exe"
My_Love = "C:\Arquivos de programas\My_Love.exe"
OKGO = "%Windows%\winutade.exe"
ServicesPack2 = "c:\windows\Helper.exe"
Servicos = "%System%\drivers\System.exe"
SunJavaUpdateSched = "C:\WINDOWS\Debug\jusched.exe"
SymantecFilterCheck = "%System%\svchost.exe"
Sysk = "%Windows%\sysk.exe"
WinReg.2 = "%System%\Mscheldbnp.scr"
WinRegncx = "%System%\Mscheldncx.scr"
Windows = "%Windows%\Avsgccs.scr"
Windows = "C:\Windows\Avsgccs.scr"
Windows32 = "C:\Arquivos de programas\System\Windows32.exe"
Windowsupdate = "C:\Arquivos de programas\Windowsupdate.exe"
Wsmi = "%System%\Wsmi.exe"
avp = "%Windows%\avp.exe"
dark = "%System%\imgrt.scr"
golbola = "C:\Arquivos de progromas\windows32.exe"
help = "C:\Arquivos de programas\help.exe"
hotdlll = "%System%\update.cmd"
imgrt = "%System%\imgrt.exe"
morlvs= "C:\Arquivos de programas\morlvs.exe"
msig = "%System%\disk10.exe"
nostd = "%System%\nostd.exe"
ntokrnl = "%System%\ntokrnl.exe"
scvhost = "%System%\scvhost.exe"
smss = "%Windows%\smss.exe"
svchost = "%Windows%\svchost.exe"
symanteccsysconf = "%System%\bsyys.scr"
system32 = "%System%\system32.exe"
w7zip = "%Windows%\Media\w7zip.exe"
wapp = "C:\Arquivos de programas\Wapp.exe"
windows = "%System%\windows.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
boby = "%System%\Isass.scr"
csrrs = "%System%\csrrs.exe"
dark = "%System%\imgrt.exe"
dark = "%System%\imgst.scr"
Desknot = "{Malware path and file name}"
systray = "%System%\systray.scr"
svchost = "{malware path and file name}"
svchost = "%System%\svchost.exe"

HKEY_LOCAL_MACHINE\Software\Miccrosoft\
Windows\CurrentVersion\Run
shell = "%System%\sms.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Runonce
Desknot = "{Malware path and file name}"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\RunServices
Desknot = "{Malware path and file name}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv
ImagePath = explorer %Windows%\service.exe
ImagePath = explorer %Windows%\ctfmonm.exe
ImagePath = explorer %Windows%\svchost.exe
ImagePath= explorer %Windows%\windll.exe

It also modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Shell = explorer %Windows%\service.exe
Shell = explorer %Windows%\ctfmonm.exe
Shell = explorer.exe %Windows%\svchost.exe
Shell = explorer.exe %Windows%\windll.exe
Userinit = "%System%\userinit.exe, {Malware path and file name}"

(Note: The default value data of these entries are Explorer.exe for Shell and %System%\userinit.exe, for Userinit. Winlogon starts whatever these values list at every logon, so the appended program runs alongside the real shell and survives removal of the Run entries above.)

It adds the following misleading registry entry:

HKEY_CLASSES_ROOT\Software\Microsoft\Windows\
CurrentVersion\Run
Rundll = %System%\Rundll.exe

It adds itself to the Windows Firewall list of authorized applications so that its mailing routine is not blocked:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List
%Windows%\Debug\javaws.exe = "%Windows%\Debug\javaws.exe:*:Enabled:Java Run Time (JRE)"
{Malware path and file name} = "{Malware path and file name}:*:Enabled:shinsuw"
{Malware path and file name} = "{Malware path and file name}:*:Enabled:NTHxus"

(Note: The value data has the format {path}:{scope}:{Enabled|Disabled}:{display name}, so the first entry appears in the firewall's Exceptions list under the innocuous name "Java Run Time (JRE)" while pointing at a copy of the spyware in %Windows%\Debug.)

It also adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\SymantecFilterCheck

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Status
status = "{Malware path and file name}"
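The entries above are what a responder looks for on a suspect machine. The following script is an added example (not the advisory's own tooling) that parses a Registry Editor export and flags Run/RunOnce/RunServices values, a Winlogon Shell or Userinit that differs from its default, and enabled Windows Firewall exceptions. The export it runs on is a constructed sample, and the path patterns it scores as "high" are this example's own heuristics drawn from the drop locations listed above.

```python
"""Triage autostart and firewall-exception entries from a .reg export.

Added example, not the advisory's own tooling. It parses a Registry Editor
export (the text produced by `reg export <key> file.reg`) and flags the
persistence the advisory describes: Run/RunOnce/RunServices values, a
Winlogon Shell or Userinit value that no longer equals its default, and
Windows Firewall AuthorizedApplications entries. The export below is a
constructed sample; the severity rules are this example's own heuristics.
"""
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services)?$", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)
FIREWALL_RE = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.IGNORECASE)

# Defaults on XP/2003: Shell is Explorer.exe, Userinit is "<system>\userinit.exe," (trailing comma).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT_RE = re.compile(r"^[a-z]:\\[^,]*\\system32\\userinit\.exe,$", re.IGNORECASE)

# Locations the advisory's drop list uses that a legitimate autostart rarely does: the Windows
# root, Windows\Media, Windows\Debug, Downloaded Program Files, system32\drivers, .scr/.cmd files.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\(windows|winnt)\\(media|debug|downloaded program files)\\"
    r"|\\(windows|winnt)\\[^\\]+\.(exe|scr|cmd)$"
    r"|\\system32\\drivers\\[^\\]+\.exe$"
    r"|\.(scr|cmd)$",
    re.IGNORECASE,
)

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')

def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a REGEDIT4 / 'Registry Editor Version 5.00' export into {key: {name: data}}.

    Only REG_SZ lines ("name"="data" or @="data") are kept; dword:/hex: values
    are skipped because autostart and firewall data are strings.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(4))
    return keys

def triage(keys):
    """Return (severity, key, value name, data, reason) tuples for every finding."""
    findings = []
    for key, values in keys.items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                target = data.strip().strip('"')
                sev = "high" if SUSPICIOUS_PATH_RE.search(target) else "review"
                findings.append((sev, key, name, data, "autostart entry"))
        elif WINLOGON_RE.search(key):
            shell = values.get("Shell")
            if shell is not None and shell.strip().lower() != DEFAULT_SHELL:
                findings.append(("high", key, "Shell", shell, "program chained after the shell"))
            userinit = values.get("Userinit")
            if userinit is not None and not DEFAULT_USERINIT_RE.match(userinit.strip()):
                findings.append(("high", key, "Userinit", userinit, "program appended to userinit.exe"))
        elif FIREWALL_RE.search(key):
            for name, data in values.items():
                parts = data.rsplit(":", 3)  # <path>:<scope>:<Enabled|Disabled>:<display name>
                if len(parts) != 4:
                    continue
                path, scope, state, display = parts
                if state.lower() == "enabled":
                    sev = "high" if SUSPICIOUS_PATH_RE.search(path) else "review"
                    findings.append((sev, key, name, data,
                                     f"firewall exception '{display}' for {path} (scope {scope})"))
    return findings

# Constructed export mixing one legitimate Run entry with values from the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\WINDOWS\\Debug\\jusched.exe"
"Windows"="C:\\WINDOWS\\Avsgccs.scr"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer C:\\WINDOWS\\service.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\Debug\\javaws.exe"="C:\\WINDOWS\\Debug\\javaws.exe:*:Enabled:Java Run Time (JRE)"
"""

if __name__ == "__main__":
    for sev, key, name, data, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"[{sev:<6}] {key.split(chr(92))[-1]}\\{name} = {data}  ({reason})")
```

The Winlogon check is the one that matters most: an analyst who only cleans the Run keys leaves the Shell and Userinit hooks in place, and the copy they launch recreates everything else at the next logon.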

It also creates/overwrites the file AUTOEXEC.BAT in C:\ with the following commands:

@echo off
del c:\windows\downlo~1\gb*.*
del c:\windows\downlo~1\*.g??
del c:\windows\downlo~1\g*.*
del c:\arquiv~1\GbPlugin\
del c:\arquiv~1\GbPlugin\g*.*

These commands delete the files of GbPlugin, the browser security plug-in that Brazilian online banking sites install, from Downloaded Program Files and from Arquivos de programas (the Portuguese-language Program Files folder). Note that only Windows 98 and ME execute AUTOEXEC.BAT at startup; Windows NT, 2000, XP and Server 2003 at most parse it for environment variables and do not run the commands in it, so this routine has no effect on those systems.

Information Theft Routine

This spyware monitors the Internet Explorer activities of an affected system. When a user accesses a Web site containing any of the following strings in its title bar, it opens a spoofed login Web page:

  • [bb.com.br] - Microsoft Internet Explorer
  • [bb.com.br] - Windows Internet Explorer
  • B a n k l I n e
  • Banco ABN AMRO Real
  • Banco ABN AMRO Real - Portal Brasil - Microsoft Internet Explorer
  • Banco Bradesco S/A – Atualiza
  • Banco Bradesco S/A - Microsoft Internet Explorer
  • Banco Bradesco S/A - Windows Internet Explorer
  • Banco do Brasil
  • Banco Ita
  • Banco Itau - Feito Para Voc - Microsoft Internet Explorer
  • Banco Itau - Feito Para Voc - Windows Internet Explorer
  • Banco Itau - Microsoft Internet Explorer
  • Banco Nossa Caixa S.A
  • Banco Nossa Caixa S.A - Microsoft Internet Explorer
  • Banco Sudameris S.A. - Microsoft Internet Explorer
  • Banco Sudameris S/A
  • Banco Sudameris S.A. - Microsoft Internet Explorer
  • Bradesco - Colocando voc
  • Bradesco Internet Banking
  • Bradesco Prime - Microsoft Internet Explorer
  • Bradesco Prime - Windows Internet Explorer
  • Caixa Economica
  • CitiBank
  • CrediCard
  • Credicard Ita Portal - Microsoft Internet Explorer
  • CREDICARDCITI
  • Equifax - Solu es para Gesto de Risco - Microsoft Internet Explorer
  • Gerenciador Financeiro
  • HSBC Bank Brasil S.A.- No Brasil e no mundo, HSBC.Internet Explorer
  • http://www.caixa.com.br/ - Windows Internet Explorer
  • https://netbanking2.banespa.com.br - Microsoft Internet Explorer
  • https://wwwss.bradesco.br – Bradesco Internet Banking
  • https://wwwss.bradesco.com.br - Banco Bradesco S/A
  • https://wwwss.bradesco.com.br - Bradesco S/A - Microsoft Internet Explorer
  • Internet Banking - Banespa
  • Internet Banking - CitiBank
  • Internet Banking - HSBC
  • Internet Banking Caixa
  • Internet Banking CAIXA - Microsoft Internet Explorer
  • Itau Banking
  • Net Bradesco
  • Net Bradesco PARA PATY
  • Nossa Caixa
  • Portal BANCO REAL - ABN AMRO - Microsoft Internet Explorer
  • Portal BANCO REAL - ABN AMRO - Windows Internet Explorer
  • Portal Cetelem - Microsoft Internet Explorer
  • REDE INFOSEG - SENASP - Teclado Virtual - Microsoft Internet Explorer
  • Sant/Ban
  • Santander - Microsoft Internet Explorer
  • Santander - Windows Internet Explorer
  • Santander Banespa - Microsoft Internet Explorer
  • Serasa - Empresa - Microsoft Internet Explorer
  • Unibanco
  • Unibanco.com
  • Unibanco.com - Microsoft Internet Explorer
  • Welcome - Paypal - Microsoft Internet Explorer
  • Welcome - Paypal - Windows Internet Explorer

It also opens a spoofed login Web page when a user accesses the following Web sites:

  • http://www.bancoreal.com.br/
  • http://www.bancorural.com.br/
  • http://www.bankboston.com.br/
  • http://www.bb.com.br/appbb/portal/bb/ds/acesso.jsp
  • http://www.bb.com.br/appbb/portal/bb/pp/index.jsp
  • http://www.bb.com.br/appbb/portal/bb/simp/DetalheNoticia.jsp?Noticia.codigo=150418
  • http://www.bb.com.br/appbb/portal/fz2/index.jsp
  • http://www.bb.com.br/appbb/portal/gov/Censo.jsp
  • http://www.bb.com.br/appbb/portal/hs/crediario/index.jsp
  • http://www.bb.com.br/appbb/portal/ip/srv2/DebitoAutomatico.jsp
  • http://www.bb.com.br/appbb/portal/on/cap/index.jsp
  • http://www.bb.com.br/appbb/portal/on/prv/PortalPRV.jsp
  • http://www.bb.com.br/appbb/portal/on/seg/index.jsp
  • http://www.bb.com.br/appbb/portal/voce/cons/index.jsp
  • http://www.bb.com.br/appbb/portal/voce/ep/car/CartoesVoce.jsp
  • http://www.bb.com.br/appbb/portal/voce/ep/srv2/index.jsp
  • http://www.bb.com.br/appbb/portal/voce/ep/srv2/TransCel.jsp
  • http://www.bb.com.br/appbb/portal/voce/fin/fnc/Veiculos.jsp
  • http://www.bb.com.br/appbb/portal/voce/fin/index.jsp
  • http://www.bb.com.br/appbb/portal/voce/mcif/mcifi.jsp
  • http://www.bradesco.com.br/
  • http://www.bradescoprime.com.br/
  • http://www.caixa.com.br/_redirect/links/r_internetcaixa.asp
  • http://www.cef.com.br/
  • http://www.equifax.com.br/
  • http://www.nossacaixa.com.br/
  • http://www.safra.com.br/portuguese/index.asp
  • http://www.safranet.com.br/
  • http://www.santanderbanespa.com.br/portal/gsb/script/templates/GCMRequest.do?page=50
  • http://www.serasa.com.br
  • http://www.sudameris.com.br/
  • http://www.unibanco.com.br/
  • https://bankline.itau.com.br/GRIPNET/gracgi.EXE
  • https://bradesconetempresa.com.br
  • https://ibpf.unibanco.com.br/index.asp
  • https://internetbanking.caixa.gov.br/SIIBC/index.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/doc.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/extrato.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/pagto_bloqueto.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/pagto_concessionaria.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/saldo.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/ted.processa
  • https://internetcaixa.caixa.gov.br/NASApp/SIIBC/transferencia.processa
  • https://latinamerica.citibank.com/BRGCB/JSO/signon/ProcessUsernameSignon.do?SYNC_TOKEN=4f983861d81a35587292eba5c04fc56a&username=
  • https://office.bancobrasil.com.br/gov/carregagoverno
  • https://office.bancobrasil.com.br/servlet/carregaoffice
  • https://portal.credicardciti.com.br/wps/ControllerBaseServlet?acao=Logon&userid=
  • https://www.creadicarditau.com.br/portals/credicardportal/cadastrese/login.jsp
  • https://www.credicardciti.com.br/portals/credicardportal/cadastrese/login.jsp
  • https://www2.bancobrasil.com.br/aapf/aai/login.pbk?loginCertA3=true
  • https://www2.bancobrasil.com.br/aapf/aai/login.pbk?loginSCD=true
  • https://www2.bancobrasil.com.br/aapf/aai/principal
  • https://www2.bancobrasil.com.br/aapf/extratos/000901.jsp?codT=0
  • https://www2.bancobrasil.com.br/aapf/login.jsp
  • https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
  • https://www2.realsecureweb.com.br/scripts/engine_brpi.dll?
  • https://www2.rural.com/br/RurallBank/principal.asp
  • https://wwws.nossacaixa.com.br/bemvi4
  • https://wwws.nossacaixa.com.br/bemvindo.asp
  • https://wwws.nossacaixa.com.br/logincheck.asp?Submiting=true&hidDgCtaCons=&hidDigFichaComp=&str30LoginName=
  • SESSAO=e7FucYMLde2dG77&STATUS=5&INDICE=46&
  • www.bancodaamazonia.com.br/
  • www.bancoreal.com.br/
  • www.brasdes.com.br/
  • www.nossacaixa.com.br/
  • www.unibanco.com.br/

If the user visits any of the listed sites, the spyware reproduces the login portion of the legitimate page. This tricks the user into entering account details such as user names and passwords, which the spyware captures by logging keystrokes.

The spoofed login overlaps the legitimate login area, so it appears to be part of the Internet Explorer window. Because it is placed at fixed screen coordinates rather than anchored to the page, changing the display resolution reveals it floating over the real login form, and its title bar does not behave like that of a normal active window when the user types into it.

It also opens a spoofed login page when the URL or title of the page being accessed contains any of the following substrings. Several of them (for example "it", "bb", "real", "blue" and "Microsoft Internet Explorer") are short or generic enough to match pages well outside the listed banks:

  • .realsecureweb.com.br
  • aapf/aai/login.pbk
  • antandernet.c
  • banes
  • bbr
  • BKL.DLL
  • bklcom.dll
  • br/SIIBC/altera_
  • br/SIIBC/cdc.p
  • br/SIIBC/cidadao.p
  • br/SIIBC/cod_verificador_cartao.p
  • br/SIIBC/cons_debito.p
  • br/SIIBC/consulta
  • br/SIIBC/debito.p
  • br/SIIBC/deposito_
  • br/SIIBC/doc.p
  • br/SIIBC/extrato.p
  • br/SIIBC/extrato_futuro.p
  • br/SIIBC/extrato_periodo.p
  • br/SIIBC/fatura_cartao.p
  • br/SIIBC/gerenciar.do
  • br/SIIBC/gps_cod_barra.p
  • br/SIIBC/home.p
  • br/SIIBC/inf_rend_selecao_conta.p
  • br/SIIBC/informacao_cartao.p
  • br/SIIBC/money.p
  • br/SIIBC/pagto_
  • br/SIIBC/pagto_bloqueto.p
  • br/SIIBC/produtos.do
  • br/SIIBC/saldo.p
  • br/SIIBC/saldo_limite_cartao.p
  • br/SIIBC/semAcesso.p
  • br/SIIBC/solicita_
  • br/SIIBC/ted.p
  • br/SIIBC/transacoes.p
  • br/SIIBC/transferencia.p
  • br/SIIBC/venda_capitalizacao.p
  • bradesco
  • caixa
  • ChecarConta.asp
  • controllers/homepage.do
  • Desco
  • Empresarial.unibanco.com.br/index.asp
  • gracgi.exe
  • GRIPNET/gracgi.exe
  • ib2k1.dll/TAC/VRFSENHAATUAL
  • Ita
  • Nossa Caixa
  • Santander Banespa
  • Sb
  • banking
  • bb
  • blue
  • citi
  • citi bank
  • gf
  • hsbc
  • it
  • Microsoft Internet Explorer
  • NASApp/SIIBC/altera_
  • NASApp/SIIBC/cdc.p
  • NASApp/SIIBC/cidadao.p
  • NASApp/SIIBC/cod_verificador_cartao.p
  • NASApp/SIIBC/cons_debito.p
  • NASApp/SIIBC/consulta
  • NASApp/SIIBC/debito.p
  • NASApp/SIIBC/deposito_
  • NASApp/SIIBC/doc.p
  • NASApp/SIIBC/extrato.p
  • NASApp/SIIBC/extrato_futuro.p
  • NASApp/SIIBC/extrato_periodo.p
  • NASApp/SIIBC/fatura_cartao.p
  • NASApp/SIIBC/gerenciar.do
  • NASApp/SIIBC/gps_cod_barra.p
  • NASApp/SIIBC/home.p
  • NASApp/SIIBC/inf_rend_selecao_conta.p
  • NASApp/SIIBC/informacao_cartao.p
  • NASApp/SIIBC/money.p
  • NASApp/SIIBC/pagto_
  • NASApp/SIIBC/pagto_bloqueto.p
  • NASApp/SIIBC/produtos.do
  • NASApp/SIIBC/saldo.p
  • NASApp/SIIBC/saldo_limite_cartao.p
  • NASApp/SIIBC/semAcesso.p
  • NASApp/SIIBC/solicita_
  • NASApp/SIIBC/ted.p
  • NASApp/SIIBC/transacoes.p
  • NASApp/SIIBC/transferencia.p
  • NASApp/SIIBC/venda_capitalizacao.p
  • nc
  • real
  • sant
  • santandernet.com.br
  • sera
  • teste
  • uNi
  • uniba
  • wwws
  • s://netbanking

{Screenshots: spoofed login pages and the malware's overlays for the Bradesco, Bradesco Prime, Equifax and Caixa sites}

Attacked Entities

This spyware targets any of the following online banking sites:

  • Banco Bradesco
  • Banco Caixa
  • Banco do Brasil
  • Banco Itau
  • Banco Real
  • Banco Serasa
  • Caixa Economica
  • Citibank
  • Equifax
  • HSBC
  • Infoseg
  • Paypal
  • Santander Banespa
  • Serasa
  • Unibanco

The following security software processes are also listed among the attacked entities:

  • ashdisp.exe
  • ashMaiSv.exe
  • ashServ.exe
  • ashWebSv.exe
  • aswUpdSv.exe
  • avgamsvr.exe
  • avgcc.exe
  • avgemc.exe
  • avgupsvc.exe
  • avp.exe
  • ccapp.exe
  • cccproxy.exe
  • ccevtmgr.exe
  • ccsetmgr.exe
  • gcasServ.exe
  • Kav.exe
  • KAVPF.exe
  • mcappins.exe
  • mcdash.exe
  • Mcdetect.exe
  • mcinfo.exe
  • mcinsupd.exe
  • mcmnhdlr.exe
  • mcregwiz.exe
  • McShield.exe
  • McTskshd.exe
  • mcupdmgr.exe
  • mcupdui.exe
  • McVSEscn.exe
  • mcvsftsn.exe
  • mcvsmap.exe
  • mghtml.exe
  • MpfAgent.exe
  • MpfConsole.exe
  • MpfService.exe
  • MpfTray.exe
  • MpfWizard.exe
  • mvtx.exe
  • naiavfin.exe
  • nod32krn.exe
  • nod32kui.exe
  • oasclnt.exe
  • zlclient.exe

Stolen Information

This spyware steals user names and passwords related to the affected user's online banking transactions.

Drop Points

This spyware sends the data it gathers with its own Simple Mail Transfer Protocol (SMTP) engine, relaying through the public mail servers gsmtp185.google.com and smtp.mail.yahoo.com, so it does not depend on an installed email client such as MS Outlook. Some of the email addresses it uses are the following:

  • 007malumader@gmail.com
  • 2008natal@gmail.com
  • alarmene@ig.com.br
  • allbox2007@gmail.com
  • amaliciosa@gmail.com
  • amigos852@gmail.com
  • amigos963@gmail.com
  • ana.joana2007@gmail.com
  • andre2006@terra.es
  • ann@terra.com.br
  • antony6enator@gmail.com
  • antony6ster@gmail.com
  • atualizado99@gmail.com
  • avisochegou@gmail.com
  • avisoooo@gmail.com
  • avolta01@gmail.com
  • avolta03@gmail.com
  • banco@yahoo.com.br
  • BancoInfects@yahoo.com.br
  • bccx2.fullzinho@gmail.com
  • bidoh3@gmail.com
  • bobyjrs@gmail.com
  • boot7failure@gmail.com
  • brasilfodase@gmail.com
  • brunello2007@gmail.com
  • brutus2006@terra.es
  • budaspeste2@gmail.com
  • budaspeste@gmail.com
  • caetano_concano_concail@gmail.com
  • caiuinfected@gmail.com
  • cavalotoca@gmail.com
  • ccddee@gmail.com
  • cerberus2008@gmail.com
  • changed0@gmail.com
  • chegachegando02@gmail.com
  • chegoumais2@gmail.com
  • chegouwork@gmail.com
  • chimeniatom@gmail.com
  • chonguy@gmail.com
  • codermastercash2@gmail.com
  • codermastercash@gmail.com
  • coisasuasinformes@gmail.com
  • contazinha75@gmail.com
  • cururu02@gmail.com
  • cururu03@gmail.com
  • cxredfox1@gmail.com
  • d1gao.infects@gmail.com
  • d1gao.infos@gmail.com
  • daniel_sequinho2@hotmail.com
  • datatrax.informatica@gmail.com
  • dell.bank@yahoo.com.br
  • dell.sexy@yahoo.com.br
  • dimdimmedonho@gmail.com
  • donovanrodrigues@gmail.com
  • edu_irai@terra.com.br
  • eliminado@gmail.com
  • enoissssss@gmail.com
  • eu@yahoo.com.br
  • euconfionslemo02@gmail.com
  • euconfionslemo03@gmail.com
  • eumaster20@gmail.com
  • ferrariblackkinf@gmail.com
  • fontebrasilinfo@gmail.com
  • fxcapetalucifer666info@gmail.com
  • golg3turbo@gmail.com
  • gouplineinfect@gmail.com
  • guinhoinfos@gmail.com
  • h4x1x3@gmail.com
  • hackl@hotmail.com
  • imboxpossuit@gmail.com
  • infect.kay@gmail.com
  • infectpicanha@gmail.com
  • info.kay359@gmail.com
  • infonovaminha@gmail.com
  • informacoesbnc@gmail.com
  • informadoes@gmail.com
  • inforvirus@gmail.com
  • infos110@gmail.com
  • infosdinheiro1@gmail.com
  • investir2007@gmail.com
  • ispbrinformacoes@gmail.com
  • ispinfec@gmail.com
  • jackelinelinda1@gmail.com
  • jacutinga3@gmail.com
  • joaquim.ferreira22@gmail.com
  • jorge.barbalho31@gmail.com
  • jsauniere@gmail.com
  • klbannk@hotmail.com
  • lixofoxtroty@gmail.com
  • load108@gmail.com
  • load109@gmail.com
  • loater2@gmail.com
  • Logfile.txt
  • logica006@gmail.com
  • logica007@gmail.com
  • lokinho.new@gmail.com
  • lokopebas@gmail.com
  • look.mt@gmail.com
  • loromontanha@gmail.com
  • lsdr00x@gmail.com
  • lucifer@gmail.com
  • malumader007@gmail.com
  • marcoshinf2@gmail.com
  • mcticaovarjaop@gmail.com
  • meninofects@gmail.com
  • milgti@gmail.com
  • milgts@gmail.com
  • motor102@gmail.com
  • mr-nascimento1986@uol.com.br
  • mundodoce@gmail.com
  • mythologyaviso@gmail.com
  • mythologyinfos@gmail.com
  • naierister@gmail.com
  • naofalharei@gmail.com
  • nati_docinho_19@yahoo.com.br
  • newkdvcinf@gmail.com
  • newto@yahoo.com.br
  • nomatteratall1@gmail.com
  • noraves@gmail.com
  • overlog02@gmail.com
  • pinqueiselebro@gmail.com
  • pjgizz@gmail.com
  • pontohost@gmail.com
  • priv8infect5@gmail.com
  • psycontas2@gmail.com
  • psyinfectados2@gmail.com
  • raundhallskick@gmail.com
  • remix01b@gmail.com
  • resultadodeenvio@gmail.com
  • ricksk82007@gmail.com
  • ronny006@gmail.com
  • ronny006@isbt.com.br
  • sapucaia1@gmail.com
  • sapucaia2@gmail.com
  • senhasgyn@gmail.com
  • seuemaildeinfoinfect@gmail.com
  • shakainfos@yahoo.com.br
  • shakaroott@gmail.com
  • shellrox2@gmail.com
  • sherloke@gmail.com
  • sonildopar@yahoo.com.br
  • sorteinfects@gmail.com
  • sorteinfobr@gmail.com
  • sorteinfos@gmail.com
  • sorteprasempre@globo.com
  • spamando.bruno@gmail.com
  • sxmoura@gmail.com
  • teuemails@gmail.com
  • ton.ton.ton2002@gmail.com
  • toputo14@gmail.com
  • toputo4@gmail.com
  • toputo8@gmail.com
  • torcidaindependente2007@gmail.com
  • toulisin.infects@gmail.com
  • toulisin.infos@gmail.com
  • vencedor@gmail.com
  • verdao10@gmail.com
  • vida.infomail@gmail.com
  • vipsource@gmail.com
  • walkerboyinfo@gmail.com
  • WIN2KBmmaabbee@gmail.com
  • windows2031@gmail.com
  • workchegou@gmail.com
  • www.vidinha.com@gmail.com
  • xicunbentuinf@gmail.com
  • xtz12501@gmail.com
  • xtz12502@gmail.com

It also uploads stolen information over FTP, using the following hardcoded server, credentials and file name:

    FTP: ftp.xpg.com.br
    Username: ricksa
    Password: mariano18
    File: info[%bankname%].txt
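Both exfiltration channels above, the built-in SMTP engine relaying through public mail servers and the FTP upload to ftp.xpg.com.br, share one network trait: a workstation talks SMTP or FTP directly to the Internet. The following added example (not code from the advisory) runs that rule over gateway flow logs. The log format, the internal addresses, the mail gateway address and the external IPs (from RFC 5737 documentation ranges) are constructed; only the three hostnames come from the advisory.

```python
"""Spot SMTP/FTP exfiltration from gateway flow logs.

Added example, not part of the advisory. The spyware carries its own SMTP
engine and relays through gsmtp185.google.com and smtp.mail.yahoo.com, and
uploads to ftp.xpg.com.br. On a network where only the mail gateway may
speak SMTP outbound, a workstation opening TCP 25/465/587 or 21 to the
Internet is itself the signal. The CSV format, internal addresses and
external IPs below are constructed (externals use RFC 5737 ranges).
"""
import csv
import io
from collections import defaultdict

MAIL_GATEWAY = {"10.0.0.25"}          # hypothetical: the only host allowed outbound SMTP
SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}
KNOWN_DROP_HOSTS = {                   # hosts named in the advisory
    "gsmtp185.google.com", "smtp.mail.yahoo.com", "ftp.xpg.com.br",
}

# Constructed flow log: one infected workstation (10.0.1.37), the mail gateway, and a clean host.
LOG = """ts,src,dst,dst_host,dport,proto,bytes_out
2008-03-11T09:12:01,10.0.1.37,203.0.113.27,gsmtp185.google.com,25,tcp,18422
2008-03-11T09:12:03,10.0.0.25,198.51.100.9,mail.partner.example,25,tcp,5210
2008-03-11T09:15:44,10.0.1.37,203.0.113.140,ftp.xpg.com.br,21,tcp,3301
2008-03-11T09:16:10,10.0.1.52,198.51.100.45,www.example.com,80,tcp,1200
2008-03-11T09:20:00,10.0.1.37,203.0.113.186,smtp.mail.yahoo.com,465,tcp,24110
"""

def detect(log_text):
    """Return one finding per flow that matches any exfiltration rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        dport = int(row["dport"])
        reasons = []
        if dport in SMTP_PORTS and row["src"] not in MAIL_GATEWAY:
            reasons.append("direct_smtp")        # own SMTP engine, bypassing the gateway
        if dport in FTP_PORTS:
            reasons.append("ftp_upload")         # FTP drop point
        if row["dst_host"].lower() in KNOWN_DROP_HOSTS:
            reasons.append("known_drop_host")    # IOC match on the relay/drop hostname
        if reasons:
            findings.append({
                "ts": row["ts"], "src": row["src"], "dst_host": row["dst_host"],
                "dport": dport, "bytes_out": int(row["bytes_out"]), "reasons": reasons,
            })
    return findings

def summarize(findings):
    """Group findings by source host; a host using both SMTP and FTP channels ranks first."""
    per_src = defaultdict(lambda: {"count": 0, "bytes_out": 0, "reasons": set()})
    for f in findings:
        s = per_src[f["src"]]
        s["count"] += 1
        s["bytes_out"] += f["bytes_out"]
        s["reasons"].update(f["reasons"])
    return dict(per_src)

if __name__ == "__main__":
    hits = detect(LOG)
    for f in hits:
        print(f'{f["ts"]} {f["src"]} -> {f["dst_host"]}:{f["dport"]} {f["bytes_out"]}B {",".join(f["reasons"])}')
    ranked = sorted(summarize(hits).items(), key=lambda kv: -len(kv[1]["reasons"]))
    for src, s in ranked:
        print(f'{src}: {s["count"]} flows, {s["bytes_out"]} bytes out, {sorted(s["reasons"])}')
```

The per-source summary is what to act on: a host that shows both direct_smtp and ftp_upload within minutes matches the advisory's two drop channels and should be pulled for the registry and file checks described earlier. The two generic rules keep working when the relay hosts change; the hostname match is only a bonus.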

The spyware also captures screenshots of transaction screens and stores them under any of the following file names:

  • AZant.jpg
  • BanSan.jpg
  • Besc.jpg
  • Brad.jpg
  • LAR.jpg
  • NossaC.jpg
  • %System%\fotos\1DaFrente.jpg
  • %System%\fotos\DaFrente.jpg
  • %System%\fotos\Foto{%Number%}.jpg

(Note: %Number% is an incrementing counter that forms part of the file name.)

The said snapshot images are then included as attachments to the generated email message.

It sends its stolen information using the following email details:

Subject: {None}

Message Body:


• Besc com main a para voc Internet Explorer!
• {{BraDesco}}
• Site0
• !//---//---//---//---//---//-//---////---//---//
• agencia resposta secreta aqui........:
• Senha de Cartao...:
• TABELA de acesso................
• Chaves de acesso 1........................:
• Chaves de acesso 2........................:
• Chaves de acesso 3........................:
• Chaves de acesso 4........................:
• Chaves de acesso 5........................:
• Chaves de acesso 6........................:,
• Chaves de acesso 7........................:
• Chaves de acesso 8........................:
• Chaves de acesso 9........................:
• Chaves de acesso 10.......................:
• Chaves de acesso 11.......................:,
• Chaves de acesso 12.......................:
• Chaves de acesso 13.......................:
• Chaves de acesso 14.......................:
• Chaves de acesso 16.......................:,
• Chaves de acesso 17.......................:
• Chaves de acesso 18.......................:
• Chaves de acesso 19.......................:
• Chaves de acesso 20.......................:
• Chaves de acesso 21.......................:,
• Chaves de acesso 22.......................:
• Chaves de acesso 23.......................:
• Chaves de acesso 24.......................:
• Chaves de acesso 26.......................:,
• Chaves de acesso 27.......................:
• Chaves de acesso 28.......................:
• Chaves de acesso 29.......................:
• Chaves de acesso 30.......................:
• Chaves de acesso 31.......................:,
• Chaves de acesso 32.......................:
• Chaves de acesso 33.......................:
• Chaves de acesso 34.......................:
• Chaves de acesso 36.......................:,
• Chaves de acesso 37.......................:
• Chaves de acesso 38.......................:
• Chaves de acesso 39.......................:
• Chaves de acesso 40.......................:
• Chaves de acesso 41.......................:,
• Chaves de acesso 42.......................:
• Chaves de acesso 43.......................:
• Chaves de acesso 44.......................:
• Chaves de acesso 46.......................:,
• Chaves de acesso 47.......................:
• Chaves de acesso 48.......................:
• Chaves de acesso 49.......................:
• Chaves de acesso 50.......................:
• Chaves de acesso 51.......................:,
• Chaves de acesso 52.......................:
• Chaves de acesso 53.......................:
• Chaves de acesso 54.......................:
• Chaves de acesso 56.......................:,
• Chaves de acesso 57.......................:
• Chaves de acesso 58.......................:
• Chaves de acesso 59.......................:
• Chaves de acesso 60.......................:
• Chaves de acesso 61.......................:,
• Chaves de acesso 62.......................:
• Chaves de acesso 63.......................:
• Chaves de acesso 64.......................:
• Chaves de acesso 66.......................:,
• Chaves de acesso 67.......................:
• Chaves de acesso 68.......................:
• Chaves de acesso 69.......................:
• Chaves de acesso 70.......................:
• Refeo cartao..............................:

Subject: {None}

Message Body:


• Caixica Sempre com voc Internet Explorer
• {{{cef}}}
• Site:
• !//---//---//------//-----//---//---//---//---//
• Usuario agencia aqui....:
• Senha dat...............:
• Assintuara Entuara Ea...:

Subject: {None}

Message Body:


• //Itamar@@@@@//
• Site0
• !//---//---//---//--/---//-----//---//---//---//
• conta aqui..............................*
• senha de confirma
• ao de 5 di de 5 di....:
• Senha do Cartao.................:
• CHAVE 1.........................:
• CHAVE 2.........................:
...
• CHAVE 20........................:

Subject: {None}

Message Body:


• {{citibank}}
• Site0
• !//---//---//---//---//---//-//---////---//---//
• agencia resposta secreta aqui................:
• Senha da conta...............................:
• e-mail da conta..............................:
• senha da internet............................:

Subject: {None}

Message Body:


• Santander Banespa juntos com voc com vocnet Explorer!
• //As 2 puta> sanuta> sananespa//
• Site:
• --//---//---//---//---//---//------//-----//
• Agencia conta aqconta aq putaria.........................;
• usuariao.................................................:
• assinatura..natura.......................................:
• chave1...................................................:
• chave2...................................................:
• chave3...................................................:
• chave4...................................................:
• chave5...................................................:
• chave6...................................................:
• chave7...................................................:
• chave8...................................................:
• chave9...................................................:
• chave10..................................................:
...
• chave50..................................................:
• codigo de acesso.........................................:

Subject: {None}

Message Body:


• Digite a sente a senbito do seu cartao.
• Senha do Cara do Carlida
• CPF informado est
• lnformado est
• Data de Data de to informada est
• Incorreta
• ---------------------------------
• CPF:(
• Chaves de Acesso
• ---------------------------------
• Chave: 01 =
• Chave: 02 =
• Chave: 03 =
...
• Chave: 60 =

Subject: {None}

Message Body:


• Banco Bradesco S/A
• Senha Do Cartao Invalida!
• UhSAJ
• }=j0hdAJ
• j0hPHJ
• Banco Bradesco - Completo
• Senha De 6 Digitos Invalida!
• Data:
• - Hora:
• Ag..............:
• Conta:..........:
• Digito..........:
• Senha 4:........:
• Senha 6:........:
• Resposta:.......:
• Titular.........:
• Tabela De Senhas:
• 01....:
• 02....:
• 03....:
• 04....:
• 05....:
• 06....:
• 07....:
• 08....:
• 09....:
• 10....:
...
• 70....:
• Referencia.:
• Final
• Banco Bradesco S/A
• Dados atualizados com sucesso !

Subject: {None}

Message Body:


• Por favor, preencha corretamente seu cart
• o de seguran
• Banco Ita
• =-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=
• ncia...........:
• Conta-Dig.........:
• Senha Eletronica1.:
• Senha Eletronica2.:
• Senha Do Cart
• o...:
• 5 Dig do CC........:
• -> Tabela de Senhas <-
• 01....:
• 02....:
• 03....:
...
• 40....:

Subject: {None}

Message Body:


• UReal2
• Internet Explorer
• Sr(a). Favor digitar a sua senha da tabela corretamente.
• =-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=
• rio............:
• ncia............:
• Conta..............:
• Senha Conta........:
• Senha Codificada...:
• DG1:........
DG2;
DG3;
DG4;
DG5;
• DG6:........
DG7;
DG8;
DG9;
DG10;
• DG11:.......
DG12;
DG13;
DG14;
DG15;
• DG16:.......
DG17;
DG18;
DG19;
DG20;
• DG21:.......
DG22;
DG23;
DG24;
DG25;
• DG26:.......
DG27;
DG28;
DG29;
DG30;
• DG31:.......
DG32;
DG33;
DG34;
DG35;
• DG36:.......
DG37;
DG38;
DG39;
DG40;
• DG41:.......
DG42;
DG43;
DG44;
DG45;
• DG46:.......
DG47;
DG48;
DG49;
DG50;

Backdoor Channel

During testing, this spyware did not exhibit backdoor routines.

Download Routine

This spyware waits for an active Internet connection and then accesses any of the following Web sites to download malicious files onto the affected system:

  • http: //www.meumsn.land.ru/Isass.jpg
  • http:/ /h1.ripway.com/shotteste/arq.in
  • http:/ /www.freewebs.com/gollinhas/confirma.jpg
  • http:/ /www.freewebs.com/imggol/confirma.jpg
  • http:/ /www.mensagem2006.kit.net/Isass..js

These downloaded files are stored on the affected system using any of the following paths and file names:

  • C:\Windows\System32\Isass.exe
  • %System%\Isass..scr
  • %System%\keylogbit1.dll
  • %System%\keylogbit3.dll
  • %Windows%\Arq.ini

Process Termination

This spyware also terminates the following processes, most of which are related to security and antivirus applications:

  • ashdisp.exe
  • ashMaiSv.exe
  • ashServ.exe
  • ashWebSv.exe
  • aswUpdSv.exe
  • avgamsvr.exe
  • avgcc.exe
  • avgemc.exe
  • avgupsvc.exe
  • avp.exe
  • ccapp.exe
  • cccproxy.exe
  • ccevtmgr.exe
  • ccsetmgr.exe
  • gcasServ.exe
  • Kav.exe
  • KAVPF.exe
  • mcappins.exe
  • mcdash.exe
  • Mcdetect.exe
  • mcinfo.exe
  • mcinsupd.exe
  • mcmnhdlr.exe
  • mcregwiz.exe
  • McShield.exe
  • McTskshd.exe
  • mcupdmgr.exe
  • mcupdui.exe
  • McVSEscn.exe
  • mcvsftsn.exe
  • mcvsmap.exe
  • mghtml.exe
  • MpfAgent.exe
  • MpfConsole.exe
  • MpfService.exe
  • MpfTray.exe
  • MpfWizard.exe
  • mvtx.exe
  • naiavfin.exe
  • nod32krn.exe
  • nod32kui.exe
  • oasclnt.exe
  • zlclient.exe

Variant Information

The following are the variants under this family, with their corresponding MD5 hashes:

TSPY_BANKER.DWQ - 4.639.00

  • FB9E598A1A9776C847D196EB96DF1CA3

TROJ_BANLOAD.DID

  • C0919CFD70928CF4849BED2B1B25DDEA

TROJ_BANLOAD.MIR

  • 862F4EFF57AB9A0F04841AB4757BE567

TROJ_BANLOAD.NOA

  • 34C08B724BBD47FC8B701C8EAB742F10

TSPY_BANBRA.QB

  • 18C0ACC77D793A3ABE3AFB7B82ACE70D

TSPY_BANBRA.TJ

  • B83C068F89050F6D76FE45329AFE5D00

TSPY_BANBRA.VJ

  • d7762db416a3176e6e07fd3d500a83cd

TSPY_BANBRA.XC

  • A30E90F90C938F7CFE5CA432A35F218B

TSPY_BANBRA.XS

  • 6F50E1CFDA37F94DC9925DD5EF421766

TSPY_BANCOS.DXL

  • af3acc62c5189226635da836a26e2cc2

TSPY_BANCOS.DYP

  • 5bbc19feedb1d607803ae4923e17d151

TSPY_BANKER.DLK - 4.639.00

  • EB66EB0FFE0BFFD50D1AE4F8AEC12D33

TSPY_BANKER.DLS - 4.639.00

  • 8B288FF3E98472A4B65200F0F7FEF5BD

TSPY_BANKER.DWE - 4.639.00

  • 7CADF302C080A72E1A7D2115EBAAA84B

TSPY_BANKER.DXL

  • AF3ACC62C5189226635DA836A26E2CC2

TSPY_BANKER.GNB

  • 8249B8C96E18ACF8D75B5567C3110704

TSPY_BANKER.HNY

  • 75ef388108f152b2236003445f2eec65

TSPY_BANKER.HRA - 4.639.00

  • 60580DA2C36F0C5B686BFC2E7141AB48

TSPY_BANKER.HRB

  • 28c4e34df0f00613cbc3c790454888c5

TSPY_BANKER.IBO

  • 33C273719A50C780D8762EC52DB643DA

TSPY_BANKER.IGC

  • 2C324A4B897D309F074E8481B9987B78

TSPY_BANKER.IHU

  • 5ffd247b0c5e34a26bfae9c8e142a74a

TSPY_BANKER.IIY

  • 4322424765d7cd1ce1d4204f5ff54479

TSPY_BANKER.ILT

  • 0F04559585E236D43F0061A61AEC11BE

TSPY_BANKER.INV - CPR 4.592.09

  • 9191170B9CD1C5C42CF3CF65D40D785E

TSPY_BANKER.IVW

  • 7AED7237EFE983C564C171AE98DF67F6

TSPY_BANKER.IYY - 4.629.00

  • 37FFD1E7279D9523F5B26B583D02C680

TSPY_BANKER.JAW

  • 6D4DF42EE3C0CA84721464D18B6B438A

TSPY_BANKER.JBK

  • 084A6FA4E497399AFABEBD271D8AD25E

TSPY_BANKER.JBU

  • 7DD215D5610626DCC064A1B216E0B21D

TSPY_BANKER.JBW

  • 51134908CDCEE07CC48523E92D0A2689

TSPY_BANKER.JCI - 4.639.00

  • 171ADD21E1A366976F8D60F32A0F8EFC

TSPY_BANKER.JFB

  • 9e4368ed39b8bb4c4cb07d754ea77ec8

TSPY_BANKER.JFF

  • d0d69f81ef0c83a6411b0f979455e886

TSPY_BANKER.JKK - 4.629.00

  • 4E5CDCBEB4834B3F5820A39717D76651

TSPY_BANKER.JKY

  • 9e6d8561924afcf9a9f1339a70622acf

TSPY_BANKER.JLK - 4.643.00

  • F0452EFD9FC5ACBE9481622406C25274

TSPY_BANKER.JLZ

  • 21A1950B8E9C595B13E110FD18D597D0

TSPY_BANKER.JMD

  • 85a3ecd62eaf10022d76785c404cc31f

TSPY_BANKER.JNO

  • 8513e9327a10137ea2921a2042b376bf

TSPY_BANKER.JOE

  • 371e844bc67cb94828521a9662b5b455

TSPY_BANKER.JPR

  • 5F066B4E1B422494C98FF8F97B8D20F0

TSPY_BANKER.JPW

  • 858df83c2f24ff464e6c6a112ab7924b

TSPY_BANKER.JQE

  • 125a886cc6c02487b704afa22e19bff6

TSPY_BANKER.JQF

  • c433ddc27697804dde1ef4e3a2e45e70

TSPY_BANKER.JQS - 4.639.00

  • 239D2D6AE28A070EF802C795E27DBF4C

TSPY_BANKER.JQX - 4.639.00

  • 854D81755A5CCF534E87A1747D6C2E9A

TSPY_BANKER.JRC

  • C72CE83185E526AEF9464E72DB70E947

TSPY_BANKER.JRJ

  • 643908bb369bb192d79ad0edd0d9155a

TSPY_BANKER.JRR

  • b9b8a30d17d68eb203324c0caa8f0f1

TSPY_BANKER.JRY

  • 344032f09dfe6963eb37a765525ebc71

TSPY_BANKER.JSD - 4.629.00

  • F0044845CED4A647849384C596C33C2E

TSPY_BANKER.JSE

  • 0e24150c9259e597e55797f6dbf83ca3

TSPY_BANKER.JSK - CPR 4.598.04

  • 184A218085337638CDFEA8D42B29ECF1

TSPY_BANKER.JSL - CPR 4.598.04

  • B780D82BC5325BA409775CC69356CF98

TSPY_BANKER.JSM - CPR 4.598.04

  • E7D7EE646ADF23DDA03784C214E2947E

TSPY_BANKER.JSP - 4.639.00

  • 27DD5411C2B58423EA656BC8708C0006

TSPY_BANKER.JSR

  • f090d99ad5e0b6a90925068072604c79

TSPY_BANKER.JTY

  • A897755DA0A30C0BDD031ED4EFF5182B

TSPY_BANKER.JUA - 4.639.00

  • 0350A446DED181A92946A4990D8D4CCE

TSPY_BANKER.JUB - 4.639.00

  • 617C6FC421EC605117B299011F1A9853

TSPY_BANKER.JUM

  • 89d13650719b45fedb1fc14dc191d155

TSPY_BANKER.JUV - CPR 4.598.13

  • A8132571525ADC5307E79B7A42CB631D

TSPY_BANKER.JVH - CPR 4.592.09

  • DE4E8D0D1663B6E2A8E80E040C2748AC

TSPY_BANKER.JVR - 4.639.00

  • 11257E542753416A2386A81AC790A5EB

TSPY_BANKER.JVS - CPR 4.592.09

  • F71D31A1F0D6C0A9A14BFF983855D383

TSPY_BANKER.JVV - CPR 4.592.09

  • F32825992EC30AF3CA6B78C567525632

TSPY_BANKER.JVZ - CPR 4.592.11

  • F8F636AF88FD1C65444230905FEC538D

TSPY_BANKER.JWA - 4.639.00

  • 22EF3CEF398C31C78B4FEDDBBBC1813E

TSPY_BANKER.JWD - 4.639.00

  • 62161F1031DB1C2BFBD0E4BFC54EC4F5

TSPY_BANKER.JWH - 4.639.00

  • 0BC979A10E186EA2FA121117040F2B2F

TSPY_BANKER.JWL

  • 8b0b0492d9e45874de84733e4238cb75

TSPY_BANKER.JWM - CPR 4.594.04

  • 55B29049599D16E215D8643C9AE5D6B7

TSPY_BANKER.JXC - CPR 4.596.04

  • D727C558C082B0E2D4EAF2C6042BBAE6

TSPY_BANKER.JXD

  • 302d3b9e635e8f6816d3f2dd42fc2a83

TSPY_BANKER.JXD

  • 914D325E2333CAC8FEC0E787AD8CD66C

TSPY_BANKER.JXQ - 4.639.00

  • 9689C1A771EE7389769DED9C12A51778

TSPY_BANKER.JXR - 4.639.00

  • E43C9581857DFA95F9E526494F4E9BEF

TSPY_BANKER.JXW

  • 038DFC66D3FB2418F6DA18069A5B1BAC

TSPY_BANKER.JXY - 4.639.00

  • 64BE2F12C9EB3E94D329283FACE49CEE

TSPY_BANKER.JWP

  • 6e369510a6e3c0774ef7764c92d33013

TSPY_BANKER.JYF

  • 88df03463011049aa6e88000f36bac33

TSPY_BANKER.JYG

  • 184CD8098D02B0C74EA4FD071DFAE404

TSPY_BANKER.JYH

  • 24571AC0D987FC09CD126C0239F775BF

TSPY_BANKER.JYI

  • 586A7FF4DBE62F25839729CAFD5E28A4

TSPY_BANKER.JYT

  • AC921C3B6BD50A17DE82E4D0DAC3DCAF

TSPY_BANKER.JZB

  • c78ab4f2e12efeea08ce284f03238339

TSPY_BANKER.JZD

  • 77b2f14bae96f61a839a5fc224e71750

TSPY_BANKER.JZE

  • f93ae6ebe53c79d0d5b9f9e5649829b1

TSPY_BANKER.JZF - 4.639.00

  • 3139B3FA55082D251BFD2F46F67C61A9

TSPY_BANKER.JZJ

  • 7680E933813F3026D4EB1E1F6B85E14B

TSPY_BANKER.JZK

  • 2271D32C5D7FEB697E14881A101E0021

TSPY_BANKER.JZO

  • 3B5FC7E2F4A7F5E565FEE3C0440ECBF9

TSPY_BANKER.KAH - 4.639.00

  • EDF1586BBC0DCF4B22BA055CA60690B5

TSPY_BANKER.KAP

  • 5A2140C2F298A5D6F13A4AF57CE1B324

TSPY_BANKER.KAR

  • 2193ABCF2B7D4B760A7EA6B58B6CE7D8

TSPY_BANKER.KAU

  • b7ca8474768199a09c61fca2381137ad
  • 3dd8cd4354a583bb25747bc5a1e9fc60

TSPY_BANKER.KBD

  • 9df2100402db8064110d1df484193497

TSPY_BANKER.KBM

  • 303B53DFAF073D47612D6DA61A79D312

TSPY_BANKER.KBO

  • 8ebd644e2152592305e125a4a5f3f0d0

TSPY_BANKER.KBR

  • D04CC962ECB244317DE5D085DF871429

TSPY_BANKER.KBS

  • eceb2295edca89e8cfd1a3c6389e55a0

TSPY_BANKER.KBS

  • 97fac1e9579ba5240a70642a2127d022

TSPY_BANKER.KBU

  • DCFB24FEA2FECE43B556474C7EC8E7B4

TSPY_BANKER.KBV - 4.639.00

  • 76C0C105AFB3341D5625A7ACB33E7941

TSPY_BANKER.KBX

  • FAEAA588DBE62E3631E660E10E0406B1

TSPY_BANKER.KCD - 4.639.00

  • 95027BFF21A9E7F35CD38CBA6E75ACFB

TSPY_BANKER.KCH - 4.629.00

  • 6C4C11F506BCE49544E92939365F904C

TSPY_BANKER.KCI - 4.629.00

  • 82E37FFC8D51A8087DA10C9AC4B62C24

TSPY_BANKER.KCJ - 4.629.00

  • C17D1EAAB93BB3D3D4091D005789BA14

TSPY_BANKER.KCL

  • 1f156c2b666de2873c3c334405b12e4a

TSPY_BANKER.KCS - 4.629.00

  • E96EE263B10E1646DDB983A751B7CE39

TSPY_BANKER.KCX - 4.629.00

  • 62A9B410FA204B7B06124D41E5A1F7D2

TSPY_BANKER.KCY

  • D777BE22903A69D73BF10A3372703460

TSPY_BANKER.KDH - 4.639.00

  • 06923FDF1DB29A7055BC6931C5AE15FE

TSPY_BANKER.KDI - 4.629.00

  • 3951E074B408FF499448894EBC579444

TSPY_BANKER.KDJ - 4.629.00

  • C119CDF17BBD0F18CB01D8F0BE79B0EB

TSPY_BANKER.KDQ - 4.629.00

  • 4E7580A3D7C37E45CAB36AA12D99CEBD

TSPY_BANKER.KEF - 4.629.00

  • 49348F53B2A093ADFD550B786230C1C2

TSPY_BANKER.KEI - 4.639.00

  • 85742F4D1DA2283AB8A5194FEA863224

TSPY_BANKER.KEJ

  • 18AACCCFABC7429790A3B81221BDBCD5

TSPY_BANKER.KEK

  • 6C5642615344B88474AE4C8C8CAA18B5

TSPY_BANKER.KEV

  • 37f1198f097594720f6758fdd5c64acf

TSPY_BANKER.KEZ

  • 21A1950B8E9C595B13E110FD18D597D0

TSPY_BANKER.KFF - 4.639.00

  • 33C01CFFD5B5B17C1908288AEAF22F37

TSPY_BANKER.KFH - 4.639.00

  • B8A3A66EF66F0C48D9801D61D616F55C

TSPY_BANKER.KGO

  • 01029c51a2fc0227ffe8055b9066a371

TSPY_BANKER.KHI

  • cef1a2a25fc90e9ff318d1e94fc8c0c7

TSPY_BANKER.KHZ

  • 59E0B439A2F8E10F7011E7F19938DF60

TSPY_BANKER.KIV - 4.643.00

  • 6850E84BFA849ED42D42F734561F96B2

TSPY_BANKER.KIY - 4.643.00

  • 013A506FAEF83AB9D3E63A8581563D50

TSPY_BANKER.KJF

  • 7414EA35A9741154D79E554123049628

TSPY_BANKER.KJG - 4.643.00

  • 930A30F9C971553EDEC230EC03BD1871

TSPY_BANKER.KJI - 4.643.00

  • EE1DAF324A20ED2C54E3B55B27FB6BA0

TSPY_BANKER.KJJ - 4.643.00

  • F3001E32A71C6DE14AD75CFABF3ED30C

TSPY_BANKER.KJK - 4.643.00

  • F594EF06A54535D5A3E704C897840C0E

TSPY_BANKER.KJP

  • 1418522f152e5b702a62bf37dcdb5599

TSPY_BANKER.KJR

  • 67669476e6f88bf1de7958208168ee5c

TSPY_BANKER.KJT

  • eeb11671c2424274c3057a758b6779d0

TSPY_BANKER.KJW

  • 3CB543E38FBA94D0915B254B426B1EFA

TSPY_BANKER.KJY

  • 97577b8ece3531364bc0f9d8e18d101b

TSPY_BANKER.KJZ

  • 3B6AAD5B79E6F34430633E656560F5F1

TSPY_BANKER.KKI

  • 2865CCB7712E157F12D8DC4CDA0C8974

TSPY_BANKER.KKJ

  • 7286A418DE641B92A973FAF939E348E6

TSPY_BANKER.KKZ

  • D4655F399060F346B3464BB97F583E37

TSPY_BANKER.KLZ

  • 257206B5CEAE998FD41259BB8CBE523C

TSPY_BANCOS.DXS

  • E20F0A7F8B765795CDD015054903CCED

TSPY_BANKER.KEY

  • 662DA50993C2F436E7BCA2323759C2E9

TSPY_BANKER.KFA

  • 71590BDE87C5FA8DD996713C506DBFD8

TSPY_BANKER.KFE

  • A4815C8C86BCB459FEC2B72A60C178A3

TSPY_BANKER.KFN

  • F91268FA387EEE960F4C30D89D7D3761

TSPY_BANKER.KFR

  • AFDDC4D55FE0885BCABC9274EEA6E067

TSPY_BANKER.KFU

  • BE31A5DBAC83FB694C03DB1038B0D2FD

TSPY_BANKER.KGG

  • 7FB4D1B2856A9B691BE1953FDFECAB27

TSPY_BANKER.KGI

  • 36745B99CA14EDCE8A87A32C29B13233

TSPY_BANKER.KGK

  • 5BEF8DEE29785632DF05FC6D6A5C359D

TSPY_BANKER.KGN

  • B2B63A48D758EECE29F1DE7F66A50D04

TSPY_BANKER.KGT

  • D774BF3D475A5502C97C82DBCA2A61F8

TSPY_BANKER.KGV

  • E09D018E7B935D98F7EBC46048CC3A49

TSPY_BANKER.KGY

  • 86705997300CF49F13EC4A96149AEB1E

TSPY_BANKER.KHB

  • 1776DA7401F835D353B9AEE7A214FA49

TSPY_BANKER.KHD

  • DC722B34C63CCC8E44BBAED6F6CF4C72

TSPY_BANKER.KLP

  • c00006923967a94f15be4d3349fd2d21

TSPY_BANKER.KMC

  • be93c6150f2178929e9ce19fa3c2c5a3

TSPY_BANKER.KQR

  • 60C59F94F544286D6DB99BE3E605D355

TSPY_BANKER.KDX

  • 0377E1803E0F6274F8ED7C7D0BE05FB2

TSPY_BANKER.KEC

  • F3524172E245EB9DFA63F0928FCDF24E

TSPY_BANKER.KDW

  • CAC6F96D9DD8B91D630DE89BD90F3E33

TSPY_BANKER.KEB

  • EB10BBBCCE85C4CEF991DA923AE7561E

TSPY_BANKER.KDU

  • 061FE3F11D8B2A5EE56189351196231A

TSPY_BANKER.KLR

  • E120BAC4DF6CE81B44E97F871998131E

TSPY_BANKER.DXZ

  • 67E54C1DCC0004207775BC9A1681AE5A

TSPY_BANKER.KME

  • 924EC298ADC886E9784C6C3EEDA5ED90

TSPY_BANKER.KMH

  • F6A8F622506E0638A97C8D28330DA526

TSPY_BANKER.KMJ

  • A5D0C015E97625ACF06DFF9A90B9C08A

TSPY_BANKER.KMI

  • 3ACC1CB3260C22E14B06BC02A3A3EF58

TSPY_BANKER.KMN

  • 4346F1F902001D3C686A0F8836606E8A

TSPY_BANKER.KMS

  • 26C974CC694C822048584EBB53AC7DBE

TSPY_BANKER.KMT

  • 2AE3AF4C81CF9A3F08293F90A9A95446

TSPY_BANKER.KMW

  • 95898AB534DDC18C76CCD40CAE264A0F

TSPY_BANKER.KMZ

  • a33add4e345f93431a85ffe95c1c0202

TSPY_BANKER.KNE

  • 3e3fd5e012ea3edc234775864477bc46

TSPY_BANKER.KNG

  • 1e26df65019d578451ea41f818709973

TSPY_BANKER.KNI

  • f9c64abe5ab1138918215a5234d252e4

TSPY_BANKER.KQX

  • ca65facfed89ccdc42d9d78714b719c7

TSPY_BANKER.KQZ - OPR 4.669.00

  • 2CB5EFE919BA518F79083C9E41D1E3FE

TSPY_BANKER.KRF - OPR 4.669.00

  • 3E660385C0637E3CD538B377ABBA6344

TSPY_BANKER.KFL - OPR 4.669.00

  • EBEBFD91A2CDD79D9462093CD838E90B

TSPY_BANKER.KRL - OPR 4.669.00

  • 94A0C1FBC82116D4F095DBE083B24F2F

TSPY_BANKER.KDK - OPR 4.669.00

  • 08006A038D3094B5CFF6295F25D16F83

TSPY_BANKER.KDR - OPR 4.669.00

  • 400765C94088C801E90494C2B1A8452A

TSPY_BANKER.KRZ

  • 3af7e377a1633a21dcc7d24b4d45e512

TSPY_BANKER.JRE

  • 2CEE4349B7CBC106DF18648E9A65DD66

TSPY_BANKER.JXH

  • 59BBF985D2E19510DCEDFF27ED0C80B6

TSPY_BANKER.JXJ

  • 149E16F8B79A9E384FCF81FF57DA2BDE

TSPY_BANKER.KCF

  • 873673DD0C780A6EE6CF88BD25682612

TSPY_BANKER.KQS

  • B208DB25E1F1EF1485A27CE64B90AEA7

TSPY_BANKER.KWL

  • BAD2AB3EA39B5B85F172CBC04F46CDBE

TSPY_BANKER.KWM

  • C85BFB83847AACCC4FCB228BDF353648

TSPY_BANKER.KWN

  • 9C31F672CF30A961E8762DBD551C33FF

TSPY_BANKER.KWP

  • 4EF8F0677247D277BC1DC17B4BAAA48A

TSPY_BANKER.KWR

  • B99A81A00CD8F17931819899A3604012

TSPY_BANKER.KWU

  • 41A94DA245ED053B7503D6C30D439B24

TSPY_BANKER.KWV

  • 58343C7E8AE8991F54411E5DEB1A6210

TSPY_BANKER.KWW

  • 6C1DD1BF688FC255AB009796B057AEF0

TSPY_BANKER.KWY

  • 09A5BC0C8FD9C5F49EA4282073E29597

TSPY_BANKER.KXA

  • BC41138508C1B571E12BF11710475AFD

TSPY_BANKER.KXC

  • 2E1031755BB3EDF2FB7D4CA4841EE356
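Before the list above is loaded into a blocklist or a scanner, it is worth normalising and validating it: several hashes appear twice in different case, one hash (under TSPY_BANKER.JLZ) is listed again under TSPY_BANKER.KEZ, and the hash under TSPY_BANKER.JRR has only 31 characters and so cannot be a real MD5. The following parser is an added example and not part of the page or of Trend Micro's tooling; it reads entries in the same layout as the list above (a detection name, an optional pattern-version suffix, then one bullet per hash), lower-cases the hashes, collapses duplicates, rejects anything that is not 32 hex characters, and reports hashes shared by more than one detection name. The embedded sample is constructed from values copied off this page; the function and class names are my own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the "Variant Information" list above:
# a detection name, optionally followed by " - <pattern version>", then one
# bullet per MD5. The values are copied from that list and include a hash
# listed twice in different case, one hash shared by two detection names,
# and one 31-character value that cannot be a valid MD5.
SAMPLE_VARIANT_LIST = """\
TSPY_BANKER.JQF

  • c433ddc27697804dde1ef4e3a2e45e70
  • C433DDC27697804DDE1EF4E3A2E45E70

TSPY_BANKER.JRR

  • b9b8a30d17d68eb203324c0caa8f0f1

TSPY_BANKER.JSD - 4.629.00

  • F0044845CED4A647849384C596C33C2E

TSPY_BANKER.JLZ

  • 21A1950B8E9C595B13E110FD18D597D0

TSPY_BANKER.KEZ

  • 21A1950B8E9C595B13E110FD18D597D0
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Detection name such as TSPY_BANKER.JSD, with an optional " - 4.629.00" suffix.
NAME_RE = re.compile(r"^([A-Z0-9_]+\.[A-Z]+)\s*(?:-\s*(.*))?$")
BULLETS = ("•", "*")


@dataclass
class IocSet:
    # normalised (lower-case) md5 -> set of detection names that list it
    hashes: dict = field(default_factory=dict)
    # (detection name, raw text, reason) for lines that were not a valid MD5
    rejected: list = field(default_factory=list)


def parse_variant_list(text: str) -> IocSet:
    """Parse name / bullet-hash blocks into a de-duplicated, validated IocSet."""
    ioc = IocSet()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BULLETS):
            value = line[1:].strip()
            candidate = value.lower()
            if current is None:
                ioc.rejected.append((None, value, "hash before any detection name"))
            elif MD5_RE.match(candidate):
                ioc.hashes.setdefault(candidate, set()).add(current)
            else:
                ioc.rejected.append((current, value, "not 32 hex characters"))
            continue
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)
        else:
            ioc.rejected.append((current, line, "unrecognised line"))
    return ioc


def shared_hashes(ioc: IocSet) -> dict:
    """Hashes that appear under more than one detection name."""
    return {h: names for h, names in ioc.hashes.items() if len(names) > 1}


def is_known_hash(ioc: IocSet, md5_hex: str) -> bool:
    """Case-insensitive membership test for a hash computed elsewhere."""
    return md5_hex.strip().lower() in ioc.hashes


def md5_of_file(path: str) -> str:
    """MD5 of a file on disk, in the lower-case form the IocSet uses.
    MD5 is used only because the page publishes MD5s, not as a security primitive."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    ioc = parse_variant_list(SAMPLE_VARIANT_LIST)
    print(f"{len(ioc.hashes)} unique hashes, {len(ioc.rejected)} rejected")
    for name, value, reason in ioc.rejected:
        print(f"  rejected under {name}: {value!r} ({reason})")
    for h, names in shared_hashes(ioc).items():
        print(f"  {h} listed under {sorted(names)}")
```

Run against the sample, the parser keeps three unique hashes, rejects the 31-character value under TSPY_BANKER.JRR, and reports the hash shared by TSPY_BANKER.JLZ and TSPY_BANKER.KEZ; feeding it the full list above instead of the sample works the same way, and `is_known_hash` can then be paired with `md5_of_file` to check a suspect file against the set.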

Analysis by: Jocelyn D. Racoma



SOLUTION


Minimum scan engine version needed: 8.000

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Spyware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as the following:
    • TROJ_BANLOAD.DI
    • TROJ_BANLOAD.MI
    • TROJ_BANLOAD.NOA
    • TSPY_BANBRA.QB
    • TSPY_BANBRA.XC
    • TSPY_BANBRA.TJ
    • TSPY_BANBRA.VJ
    • TSPY_BANBRA.ZJ
    • TSPY_BANBRA.ZK
    • TSPY_BANBRA.ZL
    • TSPY_BANBRA.ZO
    • TSPY_BANBRA.XS
    • TSPY_BANCOS.DLK
    • TSPY_BANCOS.DLS
    • TSPY_BANCOS.DWE
    • TSPY_BANCOS.DWQ
    • TSPY_BANCOS.DXL
    • TSPY_BANCOS.DXS
    • TSPY_BANCOS.DXZ
    • TSPY_BANCOS.DYP
    • TSPY_BANKER.GNB
    • TSPY_BANKER.HRA
    • TSPY_BANKER.HRB
    • TSPY_BANKER.IBO
    • TSPY_BANKER.IGC
    • TSPY_BANKER.IHU
    • TSPY_BANKER.IIY
    • TSPY_BANKER.ILT
    • TSPY_BANKER.INV
    • TSPY_BANKER.IVW
    • TSPY_BANKER.IYY
    • TSPY_BANKER.JAW
    • TSPY_BANKER.JBK
    • TSPY_BANKER.JBU
    • TSPY_BANKER.JBW
    • TSPY_BANKER.JCI
    • TSPY_BANKER.JFB
    • TSPY_BANKER.JFF
    • TSPY_BANKER.JKK
    • TSPY_BANKER.JLK
    • TSPY_BANKER.JMD
    • TSPY_BANKER.JNO
    • TSPY_BANKER.JOE
    • TSPY_BANKER.JPR
    • TSPY_BANKER.JPW
    • TSPY_BANKER.JQE
    • TSPY_BANKER.JQF
    • TSPY_BANKER.JQR
    • TSPY_BANKER.JQS
    • TSPY_BANKER.JQX
    • TSPY_BANKER.JRC
    • TSPY_BANKER.JRE
    • TSPY_BANKER.JRJ
    • TSPY_BANKER.JRR
    • TSPY_BANKER.JSD
    • TSPY_BANKER.JSE
    • TSPY_BANKER.JSK
    • TSPY_BANKER.JSL
    • TSPY_BANKER.JSM
    • TSPY_BANKER.JSP
    • TSPY_BANKER.JSR
    • TSPY_BANKER.JTY
    • TSPY_BANKER.JUA
    • TSPY_BANKER.JUB
    • TSPY_BANKER.JUM
    • TSPY_BANKER.JUV
    • TSPY_BANKER.JVH
    • TSPY_BANKER.JVR
    • TSPY_BANKER.JVS
    • TSPY_BANKER.JVV
    • TSPY_BANKER.JVZ
    • TSPY_BANKER.JWA
    • TSPY_BANKER.JWD
    • TSPY_BANKER.JWH
    • TSPY_BANKER.JWL
    • TSPY_BANKER.JWM
    • TSPY_BANKER.JWP
    • TSPY_BANKER.JXC
    • TSPY_BANKER.JXD
    • TSPY_BANKER.JXH
    • TSPY_BANKER.JXJ
    • TSPY_BANKER.JXQ
    • TSPY_BANKER.JXR
    • TSPY_BANKER.JXW
    • TSPY_BANKER.JXY
    • TSPY_BANKER.JYF
    • TSPY_BANKER.JYG
    • TSPY_BANKER.JYH
    • TSPY_BANKER.JYI
    • TSPY_BANKER.JYT
    • TSPY_BANKER.JZB
    • TSPY_BANKER.JZD
    • TSPY_BANKER.JZF
    • TSPY_BANKER.JZJ
    • TSPY_BANKER.JZK
    • TSPY_BANKER.JZO
    • TSPY_BANKER.KAH
    • TSPY_BANKER.KAP
    • TSPY_BANKER.KAR
    • TSPY_BANKER.KAU
    • TSPY_BANKER.KBD
    • TSPY_BANKER.KBM
    • TSPY_BANKER.KBO
    • TSPY_BANKER.KBR
    • TSPY_BANKER.KBS
    • TSPY_BANKER.KBU
    • TSPY_BANKER.KBV
    • TSPY_BANKER.KBX
    • TSPY_BANKER.KCD
    • TSPY_BANKER.KCF
    • TSPY_BANKER.KCH
    • TSPY_BANKER.KCI
    • TSPY_BANKER.KCJ
    • TSPY_BANKER.KCL
    • TSPY_BANKER.KCS
    • TSPY_BANKER.KCX
    • TSPY_BANKER.KCY
    • TSPY_BANKER.KDH
    • TSPY_BANKER.KDI
    • TSPY_BANKER.KDJ
    • TSPY_BANKER.KDK
    • TSPY_BANKER.KDQ
    • TSPY_BANKER.KDR
    • TSPY_BANKER.KDU
    • TSPY_BANKER.KDW
    • TSPY_BANKER.KDX
    • TSPY_BANKER.KEB
    • TSPY_BANKER.KEC
    • TSPY_BANKER.KEF
    • TSPY_BANKER.KEI
    • TSPY_BANKER.KEJ
    • TSPY_BANKER.KEK
    • TSPY_BANKER.KEY
    • TSPY_BANKER.KEZ
    • TSPY_BANKER.KFA
    • TSPY_BANKER.KFE
    • TSPY_BANKER.KFF
    • TSPY_BANKER.KFH
    • TSPY_BANKER.KFL
    • TSPY_BANKER.KFN
    • TSPY_BANKER.KFR
    • TSPY_BANKER.KFU
    • TSPY_BANKER.KGG
    • TSPY_BANKER.KGI
    • TSPY_BANKER.KGK
    • TSPY_BANKER.KGN
    • TSPY_BANKER.KGO
    • TSPY_BANKER.KGT
    • TSPY_BANKER.KGV
    • TSPY_BANKER.KGY
    • TSPY_BANKER.KHB
    • TSPY_BANKER.KHD
    • TSPY_BANKER.KHI
    • TSPY_BANKER.KHZ
    • TSPY_BANKER.KIV
    • TSPY_BANKER.KIY
    • TSPY_BANKER.KJF
    • TSPY_BANKER.KJG
    • TSPY_BANKER.KJI
    • TSPY_BANKER.KJJ
    • TSPY_BANKER.KJK
    • TSPY_BANKER.KJW
    • TSPY_BANKER.KJZ
    • TSPY_BANKER.KKI
    • TSPY_BANKER.KKJ
    • TSPY_BANKER.KKZ
    • TSPY_BANKER.KLP
    • TSPY_BANKER.KLR
    • TSPY_BANKER.KLZ
    • TSPY_BANKER.KMC
    • TSPY_BANKER.KME
    • TSPY_BANKER.KMH
    • TSPY_BANKER.KMI
    • TSPY_BANKER.KMJ
    • TSPY_BANKER.KMN
    • TSPY_BANKER.KMS
    • TSPY_BANKER.KMT
    • TSPY_BANKER.KMW
    • TSPY_BANKER.KMZ
    • TSPY_BANKER.KNE
    • TSPY_BANKER.KNG
    • TSPY_BANKER.KNI
    • TSPY_BANKER.KQS
    • TSPY_BANKER.KQX
    • TSPY_BANKER.KQZ
    • TSPY_BANKER.KRF
    • TSPY_BANKER.KRL
    • TSPY_BANKER.KRZ
    • TSPY_BANKER.KWL
    • TSPY_BANKER.KWM
    • TSPY_BANKER.KWN
    • TSPY_BANKER.KWP
    • TSPY_BANKER.KWR
    • TSPY_BANKER.KWU
    • TSPY_BANKER.KWV
    • TSPY_BANKER.KWW
    • TSPY_BANKER.KWY
    • TSPY_BANKER.KXA
    • TSPY_BANKER.KXC

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Terminating the Spyware Process

This procedure terminates the running spyware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the spyware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected spyware files in the list of running processes.
  5. To check if the spyware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the spyware process.

If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the spyware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing Autostart Entries from the Registry

This solution deletes the registry entries added by this spyware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
  6. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.

Restoring Modified Autostart Entries in the Registry

  1. If Registry Editor is no longer open, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  3. In the right panel, locate the following entries:
    • Shell = "explorer %Windows%\service.exe"
    • Shell = "explorer %Windows%\ctfmonm.exe"
    • Shell = "explorer %Windows%\windll.exe"
    • Shell = "explorer %Windows%\svchost.exe"
  4. Right-click each of the said registry entries and choose Modify. Change the value of each to:
    Shell = "explorer.exe"
  5. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  6. In the right panel, locate the entry:
    Userinit = "%System%\userinit.exe,{Malware path and file name},"
  7. Right-click the said registry entry and choose Modify. Change its value to:
    %System%\userinit.exe,
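The two procedures above amount to a small set of invariants: no Run entry under HKLM, HKCU or HKCR may launch a detected file, Winlogon's Shell must be plain explorer.exe, and Userinit must contain nothing after "%System%\userinit.exe,". The following audit is an added example, not part of the page or of Trend Micro's tooling: it checks those invariants over a dictionary of registry values, reports every deviation, and, when run on Windows, fills that dictionary from the live registry with Python's standard winreg module. The sample values are constructed to reproduce the hijacked entries the page lists (the "explorer %Windows%\service.exe" Shell and a Userinit with a malware path appended); the function names and the Isass.exe detected-file name used in the demonstration are my own assumptions.

```python
import ntpath
import sys

# State the page's procedure restores: Shell back to plain explorer (the
# original value may be spelled "explorer" or "explorer.exe") and Userinit
# back to "%System%\userinit.exe," with nothing after the comma.
EXPECTED_SHELL = {"explorer", "explorer.exe"}
USERINIT_BASENAME = "userinit.exe"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The three Run keys the removal steps walk through, in the page's order.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCR", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# Constructed sample values in the hijacked state described above.
SAMPLE_WINLOGON = {
    "Shell": r"explorer %Windows%\service.exe",
    "Userinit": r"%System%\userinit.exe,C:\Windows\System32\Isass.exe,",
}
SAMPLE_RUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Isass": r"C:\Windows\System32\Isass.exe",
        "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    },
}


def run_value_executable(command: str) -> str:
    """Executable part of a Run value: the quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def audit_winlogon(values: dict) -> list:
    """Return (value name, current data, unexpected entries) for hijacked Winlogon values."""
    findings = []
    shell = values.get("Shell", "explorer.exe")
    # Shell is a space- or comma-separated list; anything besides explorer is a hijack.
    extra = [p for p in shell.replace(",", " ").split()
             if ntpath.basename(p).lower() not in EXPECTED_SHELL]
    if extra:
        findings.append(("Shell", shell, extra))
    userinit = values.get("Userinit", "")
    # Userinit is comma-separated; every entry besides userinit.exe is a hijack.
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    extra = [e for e in entries if ntpath.basename(e).lower() != USERINIT_BASENAME]
    if extra:
        findings.append(("Userinit", userinit, extra))
    return findings


def audit_run_keys(run_values: dict, detected_files) -> list:
    """Return (key, value name, data) for Run entries that launch one of the detected file names."""
    wanted = {ntpath.basename(f).lower() for f in detected_files}
    findings = []
    for key, values in run_values.items():
        for name, data in values.items():
            if ntpath.basename(run_value_executable(data)).lower() in wanted:
                findings.append((key, name, data))
    return findings


def collect_from_registry():
    """Read the live values on Windows with the standard-library winreg module.
    Returns (winlogon values, run values), or None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}

    def read_values(hive, path):
        out = {}
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    out[name] = str(data)
                    i += 1
        except OSError:
            pass  # key absent (HKCR\...\Run usually is) or not readable
        return out

    winlogon = read_values("HKLM", WINLOGON_KEY)
    run = {f"{h}\\{p}": read_values(h, p) for h, p in RUN_KEYS}
    return winlogon, run


if __name__ == "__main__":
    live = collect_from_registry()
    winlogon, run = live if live else (SAMPLE_WINLOGON, SAMPLE_RUN_VALUES)
    # Detected file names come from the scan in "Identifying the Spyware Files".
    for finding in audit_winlogon(winlogon) + audit_run_keys(run, {"Isass.exe", "Isass..scr"}):
        print(finding)
```

On the sample the audit reports both Winlogon values and the Run entry for Isass.exe, and a clean machine yields an empty list; the report is only as good as the detected-file names passed in, so run the scan first, and re-run the audit after a reboot, since the page notes the spyware re-downloads its components.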

Removing Other Added Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services
  2. In the right panel, locate and delete the following entry:
    GbpSv
  3. In the left panel, double-click the following:
    HKEY_CURRENT_USER
  4. In the right panel, locate and delete the following entry:
    SymantecFilterCheck
  5. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>
    SharedAccess>Parameters>FirewallPolicy>StandardProfile>
    AuthorizedApplications>List
  6. In the right panel, locate and delete the following entry:
    %Windows%\Debug\javaws.exe = "%Windows%\Debug\javaws.exe:*:Enabled:Java Run Time (JRE)"
  7. In the right panel, locate and delete the following entry:
    GbpSv
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Status
  9. In the right panel, locate and delete the following entry:
    status = "{Malware path and file name}"
  10. Close Registry Editor.

Deleting the Malware Files

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    csrrs.txt
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
  5. Repeat steps 2 to 4 for the following files:
    AZant.jpg
    BanSan.jpg
    Besc.jpg
    Brad.jpg
    Emails.dat
    Emails.txt
    LAR.jpg
    Logfile.txt
    Mit.txt
    Mxnt.txt
    Mixnt.txt
    mswndkl.txt
    NossaC.jpg
    ORGUTE.txt
    Plugin.txt
    registrei.txt
    sexy.txt
    sk1logfec.txt
    sky.txt
    yepz

Deleting the Malware Folder

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    %System%/fotos
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the folder then press SHIFT+DELETE.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_BANLOAD.DI , TROJ_BANLOAD.MI , TROJ_BANLOAD.NOA, TSPY_BANBRA.QB , TSPY_BANBRA.XC , TSPY_BANBRA.TJ , TSPY_BANBRA.VJ , TSPY_BANBRA.ZJ , TSPY_BANBRA.ZK , TSPY_BANBRA.ZL , TSPY_BANBRA.ZO , TSPY_BANBRA.XS , TSPY_BANCOS.DLK, TSPY_BANCOS.DLS, TSPY_BANCOS.DWE, TSPY_BANCOS.DWQ, TSPY_BANCOS.DXL, TSPY_BANCOS.DXS, TSPY_BANCOS.DXZ, TSPY_BANCOS.DYP, TSPY_BANKER.GNB, TSPY_BANKER.HRA, TSPY_BANKER.HRB, TSPY_BANKER.IBO, TSPY_BANKER.IGC, TSPY_BANKER.IHU, TSPY_BANKER.IIY, TSPY_BANKER.ILT, TSPY_BANKER.INV, TSPY_BANKER.IVW, TSPY_BANKER.IYY, TSPY_BANKER.JAW, TSPY_BANKER.JBK, TSPY_BANKER.JBU, TSPY_BANKER.JBW, TSPY_BANKER.JCI, TSPY_BANKER.JFB, TSPY_BANKER.JFF, TSPY_BANKER.JKK, TSPY_BANKER.JLK, TSPY_BANKER.JMD, TSPY_BANKER.JNO, TSPY_BANKER.JOE, TSPY_BANKER.JPR, TSPY_BANKER.JPW, TSPY_BANKER.JQE, TSPY_BANKER.JQF, TSPY_BANKER.JQR, TSPY_BANKER.JQS, TSPY_BANKER.JQX, TSPY_BANKER.JRC, TSPY_BANKER.JRE, TSPY_BANKER.JRJ, TSPY_BANKER.JRR, TSPY_BANKER.JSD, TSPY_BANKER.JSE, TSPY_BANKER.JSK, TSPY_BANKER.JSL, TSPY_BANKER.JSM, TSPY_BANKER.JSP, TSPY_BANKER.JSR, TSPY_BANKER.JTY, TSPY_BANKER.JUA, TSPY_BANKER.JUB, TSPY_BANKER.JUM, TSPY_BANKER.JUV, TSPY_BANKER.JVH, TSPY_BANKER.JVR, TSPY_BANKER.JVS, TSPY_BANKER.JVV, TSPY_BANKER.JVZ, TSPY_BANKER.JWA, TSPY_BANKER.JWD, TSPY_BANKER.JWH, TSPY_BANKER.JWL, TSPY_BANKER.JWM, TSPY_BANKER.JWP, TSPY_BANKER.JXC, TSPY_BANKER.JXD, TSPY_BANKER.JXH, TSPY_BANKER.JXJ, TSPY_BANKER.JXQ, TSPY_BANKER.JXR, TSPY_BANKER.JXW, TSPY_BANKER.JXY, TSPY_BANKER.JYF, TSPY_BANKER.JYG, TSPY_BANKER.JYH, TSPY_BANKER.JYI, TSPY_BANKER.JYT, TSPY_BANKER.JZB, TSPY_BANKER.JZD, TSPY_BANKER.JZF, TSPY_BANKER.JZJ, TSPY_BANKER.JZK, TSPY_BANKER.JZO, TSPY_BANKER.KAH, TSPY_BANKER.KAP, TSPY_BANKER.KAR, TSPY_BANKER.KAU, TSPY_BANKER.KBD, TSPY_BANKER.KBM, TSPY_BANKER.KBO, TSPY_BANKER.KBR, TSPY_BANKER.KBS, TSPY_BANKER.KBU, TSPY_BANKER.KBV, TSPY_BANKER.KBX, TSPY_BANKER.KCD, TSPY_BANKER.KCF, TSPY_BANKER.KCH, TSPY_BANKER.KCI, TSPY_BANKER.KCJ, 
TSPY_BANKER.KCL, TSPY_BANKER.KCS, TSPY_BANKER.KCX, TSPY_BANKER.KCY, TSPY_BANKER.KDH, TSPY_BANKER.KDI, TSPY_BANKER.KDJ, TSPY_BANKER.KDK, TSPY_BANKER.KDQ, TSPY_BANKER.KDR, TSPY_BANKER.KDU, TSPY_BANKER.KDW, TSPY_BANKER.KDX, TSPY_BANKER.KEB, TSPY_BANKER.KEC, TSPY_BANKER.KEF, TSPY_BANKER.KEI, TSPY_BANKER.KEJ, TSPY_BANKER.KEK, TSPY_BANKER.KEY, TSPY_BANKER.KEZ, TSPY_BANKER.KFA, TSPY_BANKER.KFE, TSPY_BANKER.KFF, TSPY_BANKER.KFH, TSPY_BANKER.KFL, TSPY_BANKER.KFN, TSPY_BANKER.KFR, TSPY_BANKER.KFU, TSPY_BANKER.KGG, TSPY_BANKER.KGI, TSPY_BANKER.KGK, TSPY_BANKER.KGN, TSPY_BANKER.KGO, TSPY_BANKER.KGT, TSPY_BANKER.KGV, TSPY_BANKER.KGY, TSPY_BANKER.KHB, TSPY_BANKER.KHD, TSPY_BANKER.KHI, TSPY_BANKER.KHZ, TSPY_BANKER.KIV, TSPY_BANKER.KIY, TSPY_BANKER.KJF, TSPY_BANKER.KJG, TSPY_BANKER.KJI, TSPY_BANKER.KJJ, TSPY_BANKER.KJK, TSPY_BANKER.KJW, TSPY_BANKER.KJZ, TSPY_BANKER.KKI, TSPY_BANKER.KKJ, TSPY_BANKER.KKZ, TSPY_BANKER.KLP, TSPY_BANKER.KLR, TSPY_BANKER.KLZ, TSPY_BANKER.KMC, TSPY_BANKER.KME, TSPY_BANKER.KMH, TSPY_BANKER.KMI, TSPY_BANKER.KMJ, TSPY_BANKER.KMN, TSPY_BANKER.KMS, TSPY_BANKER.KMT, TSPY_BANKER.KMW, TSPY_BANKER.KMZ, TSPY_BANKER.KNE, TSPY_BANKER.KNG, TSPY_BANKER.KNI, TSPY_BANKER.KQS, TSPY_BANKER.KQX, TSPY_BANKER.KQZ, TSPY_BANKER.KRF, TSPY_BANKER.KRL, TSPY_BANKER.KRZ, TSPY_BANKER.KWL, TSPY_BANKER.KWM, TSPY_BANKER.KWN, TSPY_BANKER.KWP, TSPY_BANKER.KWR, TSPY_BANKER.KWU, TSPY_BANKER.KWV, TSPY_BANKER.KWW, TSPY_BANKER.KWY, TSPY_BANKER.KXA, and TSPY_BANKER.KXC. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.

Restoring Deleted or Overwritten Files

The following files, which have been deleted or overwritten by the malware, can be restored from backup or using installers:

  • AUTOEXEC.BAT