Troj/Bancsde-E

Aliases
  • Trojan-Dropper.Win32.Small.zz
  • Backdoor.Win32.Bancodor.z

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 30 May 2005 14:31:07 (GMT)
Last updated: 4 July 2005 21:29:56 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
xxsrSrv32
"xxsrsrv.exe"

and delete it if it exists.

Close the registry editor.

More Information

Troj/Bancsde-E is a data-stealing Trojan for the Windows platform which attempts to capture online banking details for accounts related to certain banks in Germany.

Troj/Bancsde-E comprises the dropper file, the main executable and the DLL component.

Once executed, the dropper (which may arrive with the filename xx.exe) writes the main executable, xxsrsrv.exe, to the Windows folder and runs it; the main executable in turn extracts the DLL component with the filename iexml.dll.

In order to run automatically when Windows starts up, Troj/Bancsde-E sets the registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
xxsrSrv32
"xxsrsrv.exe"

where xx is two random letters.

When Troj/Bancsde-E is active this registry entry is refreshed at intervals, in an attempt to prevent deletion.

Troj/Bancsde-E creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
WarnOnPostRedirect
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
WarnOnZoneCrossing
0

Troj/Bancsde-E also reduces system security by setting the following registry entries (1609 is the Internet Explorer "Display mixed content" zone action; 0 enables it without prompting):

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1609
0

The main Trojan executable attempts to capture data contained within internet banking web pages and may display fake login pages in an attempt to capture account information.

Troj/Bancsde-E injects the DLL component into the process space of iexplore.exe. This DLL is used to relay stolen information to a remote PHP script.
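The registry indicators listed above (the xxsrSrv32 Run entry, the two WarnOn* values and the 1609 zone actions) can be checked offline against a `reg export` file, which is useful when triaging a disk image or when the Trojan is still refreshing the Run entry on the live host. The script below is an added example written for this page, not Sophos code: it parses the .reg text format and reports the entries this description names. The sample export is constructed (the random two-letter prefix is "ab" here); allowing a directory path in front of xxsrsrv.exe is an assumption, since the Trojan drops the file into the Windows folder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: roughly what `reg export` of the relevant keys would
# produce on an infected host. Only the "ab" prefix is made up; the value
# names and data follow the Sophos description.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"absrSrv32"="absrsrv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPostRedirect"=dword:00000000
"WarnOnZoneCrossing"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
"1601"=dword:00000001
"""

# Key paths written the way the Sophos page writes them (HKLM/HKCU prefixes).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES_KEY = INET_KEY + r"\Zones"

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
               "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU",
               "HKEY_CURRENT_CONFIG": "HKCC"}

# Run value name "xxsrSrv32" and data "xxsrsrv.exe", xx = any two letters.
# Assumption: the data may carry a directory in front of the file name.
RUN_NAME_RE = re.compile(r"^[a-z]{2}srsrv32$", re.I)
RUN_DATA_RE = re.compile(r"^(?:.*\\)?[a-z]{2}srsrv\.exe$", re.I)

# A .reg value line: "name"=data  or  @=data (default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

Registry = Dict[str, Dict[str, object]]   # lowercased key path -> {name: data}


def parse_value(raw: str) -> object:
    """Decode the data half of a .reg value line (quoted string or dword)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, hex(2): etc. are kept as the raw token


def parse_reg_export(text: str) -> Registry:
    """Parse `reg export` output into {key path (lowercase): {name: data}}."""
    registry: Registry = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            root, sep, rest = line[1:-1].partition("\\")
            key = HIVE_ABBREV.get(root.upper(), root) + sep + rest
            current = registry.setdefault(key.lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # continuation lines of hex: data are ignored
        name = "@" if m.group(2) else m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        current[name] = parse_value(m.group(3))
    return registry


def get_value(registry: Registry, key: str, name: str) -> object:
    """Case-insensitive lookup of one value under one key; None if absent."""
    for n, data in registry.get(key.lower(), {}).items():
        if n.lower() == name.lower():
            return data
    return None


def find_bancsde_indicators(registry: Registry) -> List[Tuple[str, str, object, str]]:
    """Return (key, value name, data, reason) for each entry the page lists."""
    findings = []
    for name, data in registry.get(RUN_KEY.lower(), {}).items():
        if RUN_NAME_RE.match(name) and isinstance(data, str) and RUN_DATA_RE.match(data):
            findings.append((RUN_KEY, name, data, "Run entry matching xxsrSrv32 = xxsrsrv.exe"))
    for name in ("WarnOnPostRedirect", "WarnOnZoneCrossing"):
        if get_value(registry, INET_KEY, name) == 0:
            findings.append((INET_KEY, name, 0, "Internet Explorer warning disabled"))
    for zone in range(5):
        key = f"{ZONES_KEY}\\{zone}"
        if get_value(registry, key, "1609") == 0:
            findings.append((key, "1609", 0, "mixed content allowed without prompt"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_bancsde_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\\{name} = {data!r}  ({reason})")
```

On a real case, replace `SAMPLE_REG_EXPORT` with the contents of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the matching HKCU Internet Settings export; the Run key can also be re-read a minute later to observe the periodic refresh the description mentions before the cleanup in the Action section is attempted.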
