Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 22 April 2005 08:17:41 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
More Information
Troj/Zagaban-B is a password-stealing and backdoor Trojan.
Troj/Zagaban-B copies itself to FCLLLS.EXE in the System subfolder of the Windows folder, and sets one of the following registry entries so as to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
User Manager = fcllls.exe
HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\
Shell = explorer.exe <Windows folder>\System\fcllls.exe
Troj/Zagaban-B sets the following entry in the registry with a number by which to identify the infected computer:
HKLM\SOFTWARE\Microsoft\COM3\
SN
Troj/Zagaban-B drops a file FGCRC.DLL to the System32 subfolder of the Windows folder, also detected as Troj/Zagaban-B, which it uses to log password information and to provide stealthing.
Troj/Zagaban-B logs information from certain internet requests, in particular requests made to websites that contain the following sentence fragments:
of your memorable word
digits from your PIN:
characters from you Password:
digit of your Passnumber
on your private key card
from your Memorable Information
digits from your Passnumber:
Troj/Zagaban-B contacts a script on a remote website in order to send it the logged information. It also receives commands from this website, which may instruct it to delete a file, download a file from a remote website to C:\TMP0001.TXT and then copy it elsewhere, upload a file using FTP to a remote website, or execute a file. The script has been seen hosted by luckysimpson.com.
Troj/Zagaban-B stealths itself to make it difficult to detect when running.
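Because the Trojan hides itself while running, the registry entries described above are easier to check offline, against a `reg export` file taken from the suspect machine. The following is an added example, not Sophos code: the function names and the sample export are constructed for illustration, and it assumes the Winlogon key is the standard `Windows NT\CurrentVersion\Winlogon` path.

```python
import re

# Indicators from the description above; all comparisons are case-insensitive.
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption: the standard Winlogon path (the page prints "Current Version").
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
COM3 = r"hkey_local_machine\software\microsoft\com3"
DROPPED_EXE = "fcllls.exe"

def parse_reg_export(text):
    """Parse `reg export` text into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"') and len(data) >= 2:
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
            current[name.lower()] = data  # non-string data (dword:, hex:) kept raw
    return keys

def zagaban_b_findings(text):
    """Return the persistence indicators from the description found in an export."""
    reg, found = parse_reg_export(text), []
    if DROPPED_EXE in reg.get(RUN, {}).get("user manager", "").lower():
        found.append("Run: User Manager = fcllls.exe")
    if DROPPED_EXE in reg.get(WINLOGON, {}).get("shell", "").lower():
        found.append("Winlogon: Shell launches fcllls.exe")
    if "sn" in reg.get(COM3, {}):  # corroborating only: the infection ID value
        found.append("COM3: SN value present")
    return found

# Constructed sample, not captured from a real host. Files written by
# `reg export` are UTF-16, so read them with open(path, encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System\\fcllls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3]
"SN"="12345"
'''

if __name__ == "__main__":
    for finding in zagaban_b_findings(SAMPLE):
        print(finding)
```

On a clean system the Winlogon Shell value is normally just `explorer.exe`, so any extra program on that line deserves a look even when the file name differs.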
