W32/Banworm-A

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syshost
C:\Windows\Syshost.exe

and delete it if it exists.

Close the registry editor.

W32/Banworm-A is a network worm with keylogging functionality.

The worm creates the following files in the Windows folder:

syshost.exe (a copy of itself)
scan.exe (also detected as W32/Banworm-A)
win32.dll (also detected as W32/Banworm-A)
hwin16.dll (detected as Troj/HideProc-C)
hwin32.dll (detected as Troj/HideProc-C)

W32/Banworm-A attempts to spread to other computers affected by the DCOM-RPC vulnerability (first detailed in MS03-026). In order to copy itself to the new machine after exploiting this vulnerability, the worm starts an FTP server on the first machine. As a result, any attacker connecting to this FTP server can upload/download any files to/from any folder on the infected system.

After installation, W32/Banworm-A reports successful infection by sending an email to the author using the worm's own SMTP engine.

The worm adds the following registry entry in order to be run automatically when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syshost
C:\Windows\Syshost.exe