Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 21 March 2005 07:13:59 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Media Player
%WINDOWS%\Sysdll.exe
and delete it if it exists.
Close the registry editor.
More Information
Troj/Banker-BR is an information stealing Trojan aimed at customers of a Brazilian bank.
Troj/Banker-BR will monitor a user's internet access. When certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into entering their details.
Troj/Banker-BR will then send the stolen details to a Brazilian email address.
The Trojan will drop the main keylogging component file SYSDLL.EXE into the Windows folder and create the following registry entry so as to run itself on computer logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Media Player
%WINDOWS%\Sysdll.exe
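As an added example (not part of the Sophos analysis), a small Python check that scans a Regedit export of the Run key for the persistence entry described above. It parses the text of the export (assumed already decoded from UTF-16) and flags any value whose program is Sysdll.exe regardless of the value name; the sample export is constructed, with %WINDOWS% assumed to expand to C:\WINDOWS.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the analysis above: the autorun key and the dropped binary.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_BINARY = "sysdll.exe"

# Constructed sample of a Regedit export of the Run key (already decoded from
# UTF-16); %WINDOWS% is assumed to expand to C:\WINDOWS on this machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /quiet"
"Media Player"="C:\\WINDOWS\\Sysdll.exe"
'''

def parse_reg_export(text):
    """Parse the REG_SZ subset of .reg syntax into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape double quotes and backslashes; undo both
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys

def executable_name(command):
    """Lower-cased basename of the program in a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split(" ", 1)[0]
    return PureWindowsPath(program).name.lower()

def find_banker_br_autorun(reg_text):
    """Return (value name, command) pairs under Run that launch Sysdll.exe."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [(name, cmd) for name, cmd in run_values.items()
            if executable_name(cmd) == SUSPECT_BINARY]

if __name__ == "__main__":
    for name, cmd in find_banker_br_autorun(SAMPLE_EXPORT):
        print(f"suspicious Run entry {name!r} -> {cmd}")
```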
The Trojan will also create the folder htmCache in the Windows folder and drop the following files into that folder:
ita.zip (zipped file containing html files and gif images)
itaok.html
ita\bg_box_teclado.gif
ita\error.htm
ita\principal.htm
ita\principal_jur.htm
These files are non-malicious and may be safely deleted.
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/Banker-BR (detected as Troj/Banker-Fam) since version 3.90.
