Troj/Bandok-J

Category: Viruses and Spyware
Type: Trojan
Protection available since: 25 Feb 2006 00:00:00 (GMT)
Last Updated: 25 Feb 2006 00:00:00 (GMT)
Prevalence: No Reports


Troj/Bandok-J is a downloader and backdoor Trojan for the Windows platform.

When first installed, Troj/Bandok-J attempts to download and install further malware components to enhance its functionality. These components are typically .dll files, with functionality such as logging keypresses, taking screenshots, controlling WebCams, and stealthing using rootkit techniques.

These components are detected by Sophos as Troj/Bandok, Troj/BanBot or Troj/Bckdr variants. Some Troj/Bandok variants may also install commercial password recovery tools, so that remote intruders can misuse them to steal passwords to mail accounts.

Troj/Bandok-J may inject code into other processes in an attempt to hide its activity. It may also attempt to terminate various security-related processes.

When first run, Troj/Bandok-J copies itself to <System>\ali.exe.

The following registry entries are created to run ali.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Bandook
<System>\ali.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
*Bandook
<System>\ali.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(B6A807N6-42DF-4W02-93E5-B156B3FA8AL1)
StubPath
<System>\ali.exe

Troj/Bandok-J may also change the following registry entry, if it exists, in an attempt to bypass some firewalls:

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
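A host check for the persistence entries, dropped file and firewall-policy key listed above, added here as an example and not Sophos's own tooling. It assumes <System> resolves to %SystemRoot%\System32 and that the Active Setup key name is exactly as printed in this advisory; it reads the registry only and removes nothing.

```powershell
# Added example (not from the Sophos advisory): audit the locations
# Troj/Bandok-J is described as using. Run in an elevated PowerShell
# session on the host being examined. Assumption: <System> is System32.
$System = Join-Path $env:SystemRoot 'System32'

# Registry value names and keys exactly as listed in the advisory.
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Bandook'  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '*Bandook' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\(B6A807N6-42DF-4W02-93E5-B156B3FA8AL1)'
       Name = 'StubPath' }
)

$findings = @()
foreach ($i in $indicators) {
    # -LiteralPath so the brackets and asterisk are not treated as wildcards.
    if (Test-Path -LiteralPath $i.Path) {
        $props = (Get-ItemProperty -LiteralPath $i.Path -ErrorAction SilentlyContinue).PSObject.Properties
        $v = $props[$i.Name]
        if ($v) { $findings += [pscustomobject]@{ Location = $i.Path; Name = $i.Name; Value = $v.Value } }
    }
}

# The file the Trojan copies itself to.
$dropped = Join-Path $System 'ali.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += [pscustomobject]@{ Location = 'FileSystem'; Name = 'ali.exe'; Value = $dropped }
}

# The advisory says this key may be altered to bypass firewalls; it does not
# say what is written, so every entry is listed for a human to review.
$fwKey = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
if (Test-Path -LiteralPath $fwKey) {
    (Get-ItemProperty -LiteralPath $fwKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $findings += [pscustomobject]@{ Location = $fwKey; Name = $_.Name; Value = $_.Value } }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else          { 'No Troj/Bandok-J indicators found; GloballyOpenPorts list absent.' }
```

Any GloballyOpenPorts entries printed are not by themselves malicious; compare them against the host's expected firewall configuration.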
