Troj/Banker-GU

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
SVCHOST32
= "C:\Arquivos de programas\svchost32.exe"

and delete it if it exists.

Close the registry editor.

Troj/Banker-GU is a Trojan that attempts to steal confidential information when a user visits banking-related websites.

When executed Troj/Banker-GU displays a message box containing the following text:

The operation not supported for this object
Try download again

The Trojan copies itself to the file winkernel32.exe in the top folder of the C: drive.

Troj/Banker-GU attempts to download various image files and the following executables from several preconfigured Brazilian websites:

%System%\comdlg32.ocx
%Windows%\ansmtp.dll
%Windows%\ansmtpbuild.dll

At the time of writing, these files were clean.

The Trojan checks for Internet Explorer windows visiting various banking websites and logs any keypresses sent to these windows. Any data stolen in this way is submitted to the author by email.

Troj/Banker-GU adds the following registry entry in order to run automatically on user login:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SVCHOST32
= "C:\Arquivos de programas\svchost32.exe"